author Linus Torvalds <torvalds@linux-foundation.org> 2021-01-25 10:19:40 -0800
committer Linus Torvalds <torvalds@linux-foundation.org> 2021-01-25 10:19:40 -0800
commit 007ad27d7bafc6df36e1d6ad4a13f6d602376193
tree 4d95ddea5ee549821b274295ed8038af1c341bdb /kernel
parent 6ee1d745b7c9fd573fba142a2efdad76a9f1cb04
parent 61bb17da44a0b6d079e68872e3569bb3eda17656
Merge tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
Pull printk fix from Petr Mladek:

"The fix of a potential buffer overflow in 5.11-rc5 introduced another one.

The trailing '\0' might be written up to the message "len" past the buffer. Fortunately, it is not that easy to hit.

Most readers use 1kB buffers for a single message. Typical messages fit into the temporary buffer with enough reserve.

Also readers do not rely on the '\0'. It is related to the previous fix. Some readers required the space for the trailing '\0'. We decided to write it there to avoid such regressions in the future.

The most realistic victims are dumpers using kmsg_dump_get_buffer(). They are filling the entire buffer with as many messages as possible. They are typically used when handling panic()"

* tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux:
  printk: fix string termination for record_print_text()
Diffstat (limited to 'kernel')
-rw-r--r-- kernel/printk/printk.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 6639a0cfe0ac..5a95c688621f 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1398,7 +1398,7 @@ static size_t record_print_text(struct printk_record *r, bool syslog,
* not counted in the return value.
*/
if (buf_size > 0)
- text[len] = 0;
+ r->text_buf[len] = 0;
return len;
}
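Review bot: the guard `if (buf_size > 0)` in front of `r->text_buf[len] = 0;` only establishes that the buffer is non-empty, not that `len` is a valid index into it, and nothing in the hunk states the invariant that makes this store safe. The removed line shows how easily the wrong base pointer ends up here (`text` rather than `r->text_buf`), so I would extend the comment above the store to say that `len` is an offset from the start of `r->text_buf` and is expected to be below `buf_size` at this point, or make the condition check `len < buf_size` explicitly so that a future change to the length accounting fails closed instead of writing past the buffer. Given that the commit message names kmsg_dump_get_buffer() callers filling the whole buffer as the realistic victims, a test that fills a buffer exactly and checks the byte after it would be worth adding alongside this.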