From: Nathan Chancellor natechancellor@gmail.com
mainline inclusion
from mainline-v5.8-rc1
commit 5661dd95a2958634485bb1a53f90a6ab621d4b0c
category: bugfix
bugzilla: 91291
CVE: N/A
--------------------------------
When CONFIG_PRINTK is disabled (e.g. when building allnoconfig), clang warns:
../kernel/printk/printk.c:2416:10: warning: 'sprintf' will always overflow; destination buffer has size 0, but format string expands to at least 33 [-Wfortify-source]
        len = sprintf(text,
              ^
1 warning generated.
It is not wrong; text has a zero size when CONFIG_PRINTK is disabled because LOG_LINE_MAX and PREFIX_MAX are both zero. Change to snprintf so that this case is explicitly handled without any risk of overflow.
Link: https://github.com/ClangBuiltLinux/linux/issues/846
Link: https://github.com/llvm/llvm-project/commit/6d485ff455ea2b37fef9e06e426dae6c...
Link: http://lkml.kernel.org/r/20200130221644.2273-1-natechancellor@gmail.com
Cc: Steven Rostedt rostedt@goodmis.org
Cc: linux-kernel@vger.kernel.org
Cc: clang-built-linux@googlegroups.com
Signed-off-by: Nathan Chancellor natechancellor@gmail.com
Reviewed-by: Sergey Senozhatsky sergey.senozhatsky@gmail.com
Signed-off-by: Petr Mladek pmladek@suse.com
Signed-off-by: Yi Yang yiyang13@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Signed-off-by: Laibin Qiu qiulaibin@huawei.com
---
 kernel/printk/printk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index 0fe45941b5c7..c645a7221d0b 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -2423,9 +2423,9 @@ void console_unlock(void) printk_safe_enter_irqsave(flags); raw_spin_lock(&logbuf_lock); if (console_seq < log_first_seq) { - len = sprintf(text, - "** %llu printk messages dropped **\n", - log_first_seq - console_seq); + len = snprintf(text, sizeof(text), + "** %llu printk messages dropped **\n", + log_first_seq - console_seq);
/* messages are gone, move to first one */ console_seq = log_first_seq;
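Review bot: In the "len = snprintf(text, sizeof(text), ...)" assignment, len receives snprintf()'s return value, which is the length the formatted string would have had, not the number of bytes stored in text. In the CONFIG_PRINTK-disabled case the commit message describes (text of size 0), nothing is written, yet len is still at least 33, so any later use of len as a count of valid bytes in text would be wrong. Consider scnprintf(text, sizeof(text), ...), which returns the number of bytes actually written, or clamp len before it is used.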
From: Jiri Slaby jslaby@suse.cz
mainline inclusion
from mainline-v5.5-rc1
commit 2ae0b31e0faced43c011ce3221f2535721cb6a66
category: bugfix
bugzilla: 82118
CVE: N/A
--------------------------------
We currently warn the user when tty->port is not set in tty_init_dev yet. The warning says that the kernel will crash later. And it really will only a few lines below at:
        tty->port->itty = tty;
So be nice and avoid the crash -- return an error instead. And update the warning.
Signed-off-by: Jiri Slaby jslaby@suse.cz
Cc: Sudip Mukherjee sudipm.mukherjee@gmail.com
Link: https://lore.kernel.org/r/20191122101721.7222-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Yi Yang yiyang13@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Signed-off-by: Laibin Qiu qiulaibin@huawei.com
---
 drivers/tty/tty_io.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 3025c39ba6b1..dc522e994e80 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -1343,9 +1343,12 @@ struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx) if (!tty->port) tty->port = driver->ports[idx];
- WARN_RATELIMIT(!tty->port, - "%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n", - __func__, tty->driver->name); + if (WARN_RATELIMIT(!tty->port, + "%s: %s driver does not set tty->port. This would crash the kernel. Fix the driver!\n", + __func__, tty->driver->name)) { + retval = -EINVAL; + goto err_release_lock; + }
retval = tty_ldisc_lock(tty, 5 * HZ); if (retval)
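Review bot: The new "goto err_release_lock" is taken with tty->port still NULL, so everything reached from that label has to tolerate a NULL tty->port, and nothing in this hunk shows that it does. The follow-up commit 4466d6d2f80c on this page reports that the cleanup path calls release_tty(), which dereferences tty->port unchecked, so this change should only be carried together with that fix. A short comment above the if stating that the -EINVAL return is what prevents the tty->port->itty dereference below would also make the intent clear to driver authors who hit the warning.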
From: Matthias Reichl hias@horus.com
mainline inclusion
from mainline-v5.10-rc3
commit 4466d6d2f80c1193e0845d110277c56da77a6418
category: bugfix
bugzilla: 82118
CVE: N/A
--------------------------------
Commit 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing tty_port") didn't fully prevent the crash as the cleanup path in tty_init_dev() calls release_tty() which dereferences tty->port without checking it for non-null.
Add tty->port checks to release_tty to avoid the kernel crash.
Fixes: 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing tty_port")
Signed-off-by: Matthias Reichl hias@horus.com
Link: https://lore.kernel.org/r/20201105123432.4448-1-hias@horus.com
Cc: stable stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Yi Yang yiyang13@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Signed-off-by: Laibin Qiu qiulaibin@huawei.com
---
 drivers/tty/tty_io.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index dc522e994e80..708be6258609 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -1512,10 +1512,12 @@ static void release_tty(struct tty_struct *tty, int idx) tty->ops->shutdown(tty); tty_save_termios(tty); tty_driver_remove_tty(tty->driver, tty); - tty->port->itty = NULL; + if (tty->port) + tty->port->itty = NULL; if (tty->link) tty->link->port->itty = NULL; - tty_buffer_cancel_work(tty->port); + if (tty->port) + tty_buffer_cancel_work(tty->port); if (tty->link) tty_buffer_cancel_work(tty->link->port);
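Review bot: The two tty->link branches kept as context still dereference tty->link->port without a check ("tty->link->port->itty = NULL" and "tty_buffer_cancel_work(tty->link->port)"), while the same accesses on tty->port are now guarded. If a linked tty can reach release_tty() with its port unset, the same NULL dereference remains on that side; either guard tty->link->port as well or add a comment stating why the link's port is always set at this point.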