Merge tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux

torvalds · torvalds · commit 007ad27d7baf · 2021-01-25T10:19:40.000-08:00
Pull printk fix from Petr Mladek:
 "The fix of a potential buffer overflow in 5.11-rc5 introduced another
  one. The trailing '\0' might be written up to the message "len" past
  the buffer. Fortunately, it is not that easy to hit.

  Most readers use 1kB buffers for a single message. Typical messages
  fit into the temporary buffer with enough reserve.

  Also readers do not rely on the '\0'. It is related to the previous
  fix. Some readers required the space for the trailing '\0'. We decided
  to write it there to avoid such regressions in the future.

  The most realistic victims are dumpers using kmsg_dump_get_buffer().
  They are filling the entire buffer with as many messages as possible.
  They are typically used when handling panic()"

* tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux:
  printk: fix string termination for record_print_text()
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
@@ -1398,7 +1398,7 @@ static size_t record_print_text(struct printk_record *r, bool syslog,
 	 * not counted in the return value.
 	 */
 	if (buf_size > 0)
-		text[len] = 0;
+		r->text_buf[len] = 0;
 
 	return len;
 }

Original file line number	Diff line number	Diff line change
`@@ -1398,7 +1398,7 @@ static size_t record_print_text(struct printk_record *r, bool syslog,`
`1398`	`1398`	`* not counted in the return value.`
`1399`	`1399`	`*/`
`1400`	`1400`	`if (buf_size > 0)`
`1401`		`- text[len] = 0;`
	`1401`	`+ r->text_buf[len] = 0;`
`1402`	`1402`
`1403`	`1403`	`return len;`
`1404`	`1404`	`}`