forked from Minki/linux
Printk urgent fixup for 5.11-rc6
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEESH4wyp42V4tXvYsjUqAMR0iAlPIFAmAOyaUACgkQUqAMR0iA lPJmKw//cBHluHINQnKgGMfbdjyJilIm2Atd5jm95ysmblXjgAzbB8AJqnKFqhmH hC+YiTCa7t84tw2Vh2NpTnosRFjdq8jtjjFpGlqLuLoREprSSRRmKyOob15XIm5d 5aio1Vh9ks+VoWwHUFfc6zyJuTNGfwRPWgIxA9KdQvt4C8+M3IiQjT3UcdXYzWOB Of74rBLZzlImRasL9SFW06oLxZN02CSsA3I49D37WezHFRJ0LlptVPAOVbmTsPXa WnX7Q8xOe70WsFH23so7+4H4mieSpkBqNz/+WHFBAekohae0BW5nnK84Nl9+uuUh 3FF28fXZW3xyGd5JmmBD70tVCV/nUKTSOrkc6Eo0dcrwpwxq+R1wPAojgSUgru8L 1em015/kRC1DRejCr1mdT3muySQF9gQ7/nEa+7cpo4bqmUb36TNN1pS9OjJMg4/7 4ZgoKB2lQ1UfueDqiPMgDz/JJ91jRcUCkB86MotyaOGO7FI8oaRSuSp8rvorQ13n 5LEHV8sX1ENIcu9jTcqN4oxEBg8dXVkxHwLFqWB283Rugk21L0f1IYbUbRPH4RF1 L5AVoaWBxA6ftXDI/OywszrWtr93sDqcmdebmqT0CTXOiHtTqt2cad8InjWHDh4h wtIdV22ak7glMLR0DdMAPKjggjzHsXJLMy9SsowEKVzDN52jVcs= =pBad -----END PGP SIGNATURE----- Merge tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux Pull printk fix from Petr Mladek: "The fix of a potential buffer overflow in 5.11-rc5 introduced another one. The trailing '\0' might be written up to the message "len" past the buffer. Fortunately, it is not that easy to hit. Most readers use 1kB buffers for a single message. Typical messages fit into the temporary buffer with enough reserve. Also readers do not rely on the '\0'. It is related to the previous fix. Some readers required the space for the trailing '\0'. We decided to write it there to avoid such regressions in the future. The most realistic victims are dumpers using kmsg_dump_get_buffer(). They are filling the entire buffer with as many messages as possible. They are typically used when handling panic()" * tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux: printk: fix string termination for record_print_text()
This commit is contained in:
commit
007ad27d7b
@ -1398,7 +1398,7 @@ static size_t record_print_text(struct printk_record *r, bool syslog,
|
||||
* not counted in the return value.
|
||||
*/
|
||||
if (buf_size > 0)
|
||||
text[len] = 0;
|
||||
r->text_buf[len] = 0;
|
||||
|
||||
return len;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user