staging: dgap: fix overflows and format strings
The boot message buffer could potentially overflow the stack and the heap. Additionally make sure format strings could not leak into printk() calls. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
e72b9da083
commit
1ea12fef83
1 changed files with 10 additions and 7 deletions
|
@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd)
|
||||||
|
|
||||||
DGAP_LOCK(dgap_global_lock, flags);
|
DGAP_LOCK(dgap_global_lock, flags);
|
||||||
brd->msgbuf = NULL;
|
brd->msgbuf = NULL;
|
||||||
printk(brd->msgbuf_head);
|
printk("%s", brd->msgbuf_head);
|
||||||
kfree(brd->msgbuf_head);
|
kfree(brd->msgbuf_head);
|
||||||
brd->msgbuf_head = NULL;
|
brd->msgbuf_head = NULL;
|
||||||
DGAP_UNLOCK(dgap_global_lock, flags);
|
DGAP_UNLOCK(dgap_global_lock, flags);
|
||||||
|
@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id)
|
||||||
DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
|
DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
|
||||||
DGAP_LOCK(dgap_global_lock, flags);
|
DGAP_LOCK(dgap_global_lock, flags);
|
||||||
brd->msgbuf = NULL;
|
brd->msgbuf = NULL;
|
||||||
printk(brd->msgbuf_head);
|
printk("%s", brd->msgbuf_head);
|
||||||
kfree(brd->msgbuf_head);
|
kfree(brd->msgbuf_head);
|
||||||
brd->msgbuf_head = NULL;
|
brd->msgbuf_head = NULL;
|
||||||
DGAP_UNLOCK(dgap_global_lock, flags);
|
DGAP_UNLOCK(dgap_global_lock, flags);
|
||||||
|
@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t *brd, const char *fmt, ...) {
|
||||||
char buf[1024];
|
char buf[1024];
|
||||||
int i;
|
int i;
|
||||||
unsigned long flags;
|
unsigned long flags;
|
||||||
|
size_t length;
|
||||||
|
|
||||||
DGAP_LOCK(dgap_global_lock, flags);
|
DGAP_LOCK(dgap_global_lock, flags);
|
||||||
|
|
||||||
/* Format buf using fmt and arguments contained in ap. */
|
/* Format buf using fmt and arguments contained in ap. */
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
i = vsprintf(buf, fmt, ap);
|
i = vsnprintf(buf, sizeof(buf), fmt, ap);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
|
|
||||||
DPR((buf));
|
DPR((buf));
|
||||||
|
|
||||||
if (!brd || !brd->msgbuf) {
|
if (!brd || !brd->msgbuf) {
|
||||||
printk(buf);
|
printk("%s", buf);
|
||||||
DGAP_UNLOCK(dgap_global_lock, flags);
|
DGAP_UNLOCK(dgap_global_lock, flags);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(brd->msgbuf, buf, strlen(buf));
|
length = strlen(buf) + 1;
|
||||||
brd->msgbuf += strlen(buf);
|
if (brd->msgbuf - brd->msgbuf_head < length)
|
||||||
*brd->msgbuf = 0;
|
length = brd->msgbuf - brd->msgbuf_head;
|
||||||
|
memcpy(brd->msgbuf, buf, length);
|
||||||
|
brd->msgbuf += length;
|
||||||
|
|
||||||
DGAP_UNLOCK(dgap_global_lock, flags);
|
DGAP_UNLOCK(dgap_global_lock, flags);
|
||||||
}
|
}
|
||||||
|
|
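Review bot: The new clamp in dgap_mbuf() compares `length` with `brd->msgbuf - brd->msgbuf_head`, which is the number of bytes already written rather than the space left, so the memcpy() is not tied to the buffer's capacity; if msgbuf starts equal to msgbuf_head, the first message is also clamped to zero bytes. The copy now includes the terminator and `brd->msgbuf += length` steps past it, so later messages would sit behind a NUL and the `printk("%s", brd->msgbuf_head)` calls in the other two hunks would stop at the first one. The bound should be the allocation size of msgbuf_head (not visible in this hunk) minus the used offset, with one byte kept for the terminator and the pointer left on it; this needs a `size_t room;` local next to `length`, as sketched below with a labelled placeholder for the capacity. Separately, `DPR((buf));` is left unchanged; if DPR wraps printk (its definition is not shown here), it would still treat buf as a format and should read `DPR(("%s", buf));`.

```c
	/* … unchanged: locking, vsnprintf() into buf, the !brd->msgbuf early return … */

	/*
	 * MSGBUF_CAPACITY is a placeholder for the size msgbuf_head was
	 * allocated with; use the driver's real allocation size here.
	 */
	room = MSGBUF_CAPACITY - (brd->msgbuf - brd->msgbuf_head);
	if (room > 1) {
		/* keep one byte for the terminator */
		length = min_t(size_t, strlen(buf), room - 1);
		memcpy(brd->msgbuf, buf, length);
		brd->msgbuf += length;
		/* stay on the NUL so the next message appends to this one */
		*brd->msgbuf = 0;
	}

	DGAP_UNLOCK(dgap_global_lock, flags);
```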