From 6fd9636dc32ee59c03434a3c6044b41621d806e8 Mon Sep 17 00:00:00 2001 From: Jeff Mahoney Date: Fri, 10 Aug 2012 15:07:09 -0400 Subject: [PATCH] printk: Fix calculation of length used to discard records commit e3756477aec028427fec767957c0d4b6cfb87208 upstream. While tracking down a weird buffer overflow issue in a program that looked to be sane, I started double checking the length returned by syslog(SYSLOG_ACTION_READ_ALL, ...) to make sure it wasn't overflowing the buffer. Sure enough, it was. I saw this in strace: 11339 syslog(SYSLOG_ACTION_READ_ALL, "<5>[244017.708129] REISERFS (dev"..., 8192) = 8279 It turns out that the loops that calculate how much space the entries will take when they're copied don't include the newlines and prefixes that will be included in the final output since prev flags is passed as zero. This patch properly accounts for it and fixes the overflow. Signed-off-by: Jeff Mahoney Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- kernel/printk.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/printk.c b/kernel/printk.c index 21bea76a9fff5..146827f81a063 100644 --- a/kernel/printk.c +++ b/kernel/printk.c @@ -999,6 +999,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear) struct log *msg = log_from_idx(idx); len += msg_print_text(msg, prev, true, NULL, 0); + prev = msg->flags; idx = log_next(idx); seq++; } @@ -1011,6 +1012,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear) struct log *msg = log_from_idx(idx); len -= msg_print_text(msg, prev, true, NULL, 0); + prev = msg->flags; idx = log_next(idx); seq++; } -- 2.47.2