Commit | Line | Data |
---|---|---|
07361938 GKH |
1 | From 05c69d298c96703741cac9a5cbbf6c53bd55a6e2 Mon Sep 17 00:00:00 2001 |
2 | From: Tejun Heo <tj@kernel.org> | |
3 | Date: Tue, 15 May 2012 08:22:04 +0200 | |
4 | Subject: block: fix buffer overflow when printing partition UUIDs | |
5 | ||
6 | From: Tejun Heo <tj@kernel.org> | |
7 | ||
8 | commit 05c69d298c96703741cac9a5cbbf6c53bd55a6e2 upstream. | |
9 | ||
10 | 6d1d8050b4bc8 "block, partition: add partition_meta_info to hd_struct" | |
11 | added part_unpack_uuid() which assumes that the passed in buffer has | |
12 | enough space for sprintfing "%pU" - 37 characters including '\0'. | |
13 | ||
14 | Unfortunately, b5af921ec0233 "init: add support for root devices | |
15 | specified by partition UUID" supplied a 33-byte buffer to the function, | |
16 | leading to the following panic with stackprotector enabled. | |
17 | ||
18 | Kernel panic - not syncing: stack-protector: Kernel stack corrupted in: ffffffff81b14c7e | |
19 | ||
20 | [<ffffffff815e226b>] panic+0xba/0x1c6 | |
21 | [<ffffffff81b14c7e>] ? printk_all_partitions+0x259/0x26xb | |
22 | [<ffffffff810566bb>] __stack_chk_fail+0x1b/0x20 | |
23 | [<ffffffff81b15c7e>] printk_all_paritions+0x259/0x26xb | |
24 | [<ffffffff81aedfe0>] mount_block_root+0x1bc/0x27f | |
25 | [<ffffffff81aee0fa>] mount_root+0x57/0x5b | |
26 | [<ffffffff81aee23b>] prepare_namespace+0x13d/0x176 | |
27 | [<ffffffff8107eec0>] ? release_tgcred.isra.4+0x330/0x30 | |
28 | [<ffffffff81aedd60>] kernel_init+0x155/0x15a | |
29 | [<ffffffff81087b97>] ? schedule_tail+0x27/0xb0 | |
30 | [<ffffffff815f4d24>] kernel_thread_helper+0x5/0x10 | |
31 | [<ffffffff81aedc0b>] ? start_kernel+0x3c5/0x3c5 | |
32 | [<ffffffff815f4d20>] ? gs_change+0x13/0x13 | |
33 | ||
34 | Increase the buffer size, remove the dangerous part_unpack_uuid() and | |
35 | use snprintf() directly from printk_all_partitions(). | |
36 | ||
37 | Signed-off-by: Tejun Heo <tj@kernel.org> | |
38 | Reported-by: Szymon Gruszczynski <sz.gruszczynski@googlemail.com> | |
39 | Cc: Will Drewry <wad@chromium.org> | |
40 | Signed-off-by: Jens Axboe <axboe@kernel.dk> | |
41 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
42 | ||
43 | --- | |
44 | block/genhd.c | 10 ++++++---- | |
45 | include/linux/genhd.h | 6 ------ | |
46 | 2 files changed, 6 insertions(+), 10 deletions(-) | |
47 | ||
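--- a/block/genhd.c
+++ b/block/genhd.c
@@ -744,7 +744,7 @@ void __init printk_all_partitions(void)
 struct hd_struct *part;
 char name_buf[BDEVNAME_SIZE];
 char devt_buf[BDEVT_SIZE];
- u8 uuid[PARTITION_META_INFO_UUIDLTH * 2 + 1];
+ char uuid_buf[PARTITION_META_INFO_UUIDLTH * 2 + 5];
 
 /*
 * Don't show empty devices or things that have been
@@ -763,14 +763,16 @@ void __init printk_all_partitions(void)
 while ((part = disk_part_iter_next(&piter))) {
 bool is_part0 = part == &disk->part0;
 
- uuid[0] = 0;
+ uuid_buf[0] = '\0';
 if (part->info)
- part_unpack_uuid(part->info->uuid, uuid);
+ snprintf(uuid_buf, sizeof(uuid_buf), "%pU",
+ part->info->uuid);
 
 printk("%s%s %10llu %s %s", is_part0 ? "" : " ",
 bdevt_str(part_devt(part), devt_buf),
 (unsigned long long)part->nr_sects >> 1,
- disk_name(disk, part->partno, name_buf), uuid);
+ disk_name(disk, part->partno, name_buf),
+ uuid_buf);
 if (is_part0) {
 if (disk->driverfs_dev != NULL &&
 disk->driverfs_dev->driver != NULL)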
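Review bot: The size expression `PARTITION_META_INFO_UUIDLTH * 2 + 5` in the new `uuid_buf` declaration encodes the "%pU" output length without saying so, which is the same kind of silent size assumption that produced the original overflow. Assuming PARTITION_META_INFO_UUIDLTH is 16, as the 33-byte figure in the commit message implies, the total is 32 hex digits, 4 hyphens and the terminating NUL, matching the 37 bytes the message cites. I would add a comment above the declaration, `/* "%pU" output: 32 hex digits + 4 hyphens + NUL */`, or give the length a named constant so a later format change has one place to update. Because the call is now `snprintf(uuid_buf, sizeof(uuid_buf), ...)`, a future mismatch would truncate the printed UUID rather than corrupt the stack, which is acceptable for this boot-time listing. printk_all_partitions() begins and ends outside both hunks.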
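--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -221,12 +221,6 @@ static inline void part_pack_uuid(const
 }
 }
 
-static inline char *part_unpack_uuid(const u8 *uuid, char *out)
-{
- sprintf(out, "%pU", uuid);
- return out;
-}
-
 static inline int disk_max_parts(struct gendisk *disk)
 {
 if (disk->flags & GENHD_FL_EXT_DEVT)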