[PATCH REPOST] printk: fix possible printk buffer overrun introduced with recursion check

[PATCH REPOST] printk: fix possible printk buffer overrun introduced with recursion check

[Tejun Heo]

printk recursion detection prepends message to printk_buf and offsets
printk_buf when actual message is printed but it forgets to trim
buffer length accordingly.  This can result in buffer overrun in
extreme cases.

While at it, make printk_recursion_bug_msg static and move static
variables for recursion check into vprintk().

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
---
Eeeek, forgot to cc lkml last time.  Re-sending.  Sorry about the
noise.

 kernel/printk.c |   14 ++++++--------
 1 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/kernel/printk.c b/kernel/printk.c
index bee3610..074a3ea 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -613,15 +613,13 @@ asmlinkage int printk(const char *fmt, ...)
 	return r;
 }
 
-/* cpu currently holding logbuf_lock */
-static volatile unsigned int printk_cpu = UINT_MAX;
-
-const char printk_recursion_bug_msg [] =
-			KERN_CRIT "BUG: recent printk recursion!\n";
-static int printk_recursion_bug;
-
 asmlinkage int vprintk(const char *fmt, va_list args)
 {
+	/* cpu currently holding logbuf_lock */
+	static volatile unsigned int printk_cpu = UINT_MAX;
+	static const char printk_recursion_bug_msg [] =
+		KERN_CRIT "BUG: recent printk recursion!\n";
+	static int printk_recursion_bug;
 	static int log_level_unknown = 1;
 	static char printk_buf[1024];
 
@@ -666,7 +664,7 @@ asmlinkage int vprintk(const char *fmt, va_list args)
 	}
 	/* Emit the output into the temporary buffer */
 	printed_len += vscnprintf(printk_buf + printed_len,
-				  sizeof(printk_buf), fmt, args);
+				  sizeof(printk_buf) - printed_len, fmt, args);
 
 	/*
 	 * Copy the output into log_buf.  If the caller didn't provide
-- 
1.5.2.4

Re: [PATCH REPOST] printk: fix possible printk buffer overrun introduced with recursion check

[Ingo Molnar]

* Tejun Heo <htejun@gmail.com> wrote:

> printk recursion detection prepends message to printk_buf and offsets 
> printk_buf when actual message is printed but it forgets to trim 
> buffer length accordingly.  This can result in buffer overrun in 
> extreme cases.
> 
> While at it, make printk_recursion_bug_msg static and move static 
> variables for recursion check into vprintk().

> @@ -666,7 +664,7 @@ asmlinkage int vprintk(const char *fmt, va_list args)
>  	}
>  	/* Emit the output into the temporary buffer */
>  	printed_len += vscnprintf(printk_buf + printed_len,
> -				  sizeof(printk_buf), fmt, args);
> +				  sizeof(printk_buf) - printed_len, fmt, args);
>  
>  	/*

nice one! I missed that.

Acked-by: Ingo Molnar <mingo@elte.hu>

but i'm not sure i agree with the moving of these variables inside 
vprintk:

> -/* cpu currently holding logbuf_lock */
> -static volatile unsigned int printk_cpu = UINT_MAX;
> -
> -const char printk_recursion_bug_msg [] =
> -			KERN_CRIT "BUG: recent printk recursion!\n";
> -static int printk_recursion_bug;
> -
>  asmlinkage int vprintk(const char *fmt, va_list args)
>  {
> +	/* cpu currently holding logbuf_lock */
> +	static volatile unsigned int printk_cpu = UINT_MAX;
> +	static const char printk_recursion_bug_msg [] =
> +		KERN_CRIT "BUG: recent printk recursion!\n";
> +	static int printk_recursion_bug;
>  	static int log_level_unknown = 1;
>  	static char printk_buf[1024];

it's easy to miss a static variable inside a function local variables 
block. It would b ebetter to move log_level_unknown and printk_buf 
_outside_ the function, to the other ones. [and to mark 
printk_recursion_bug_msg static]

	Ingo

Re: [PATCH REPOST] printk: fix possible printk buffer overrun introduced with recursion check

[Tejun Heo]

Hello, Ingo.

Ingo Molnar wrote:
> but i'm not sure i agree with the moving of these variables inside 
> vprintk:
> 
>> -/* cpu currently holding logbuf_lock */
>> -static volatile unsigned int printk_cpu = UINT_MAX;
>> -
>> -const char printk_recursion_bug_msg [] =
>> -			KERN_CRIT "BUG: recent printk recursion!\n";
>> -static int printk_recursion_bug;
>> -
>>  asmlinkage int vprintk(const char *fmt, va_list args)
>>  {
>> +	/* cpu currently holding logbuf_lock */
>> +	static volatile unsigned int printk_cpu = UINT_MAX;
>> +	static const char printk_recursion_bug_msg [] =
>> +		KERN_CRIT "BUG: recent printk recursion!\n";
>> +	static int printk_recursion_bug;
>>  	static int log_level_unknown = 1;
>>  	static char printk_buf[1024];
> 
> it's easy to miss a static variable inside a function local variables 

I find that difficult to agree.  As long as static ones are put above
all local ones, they are visually distinctive enough.  static variables
used by a single function are usually declared in the function all
through the source tree.

> block. It would b ebetter to move log_level_unknown and printk_buf 
> _outside_ the function, to the other ones. [and to mark 
> printk_recursion_bug_msg static]

Well, I thought it was an obvious clean up.  Time to split this patch
up, I guess.

Thanks.

-- 
tejun

[PATCH UPDATED] printk: fix possible printk buffer overrun introduced with recursion check

[Tejun Heo]

printk recursion detection prepends message to printk_buf and offsets
printk_buf when actual message is printed but it forgets to trim
buffer length accordingly.  This can result in buffer overrun in
extreme cases.  Fix it.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
---
Splitted out fix portion.

 kernel/printk.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/printk.c b/kernel/printk.c
index bee3610..9adc2a4 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -666,7 +666,7 @@ asmlinkage int vprintk(const char *fmt, va_list args)
 	}
 	/* Emit the output into the temporary buffer */
 	printed_len += vscnprintf(printk_buf + printed_len,
-				  sizeof(printk_buf), fmt, args);
+				  sizeof(printk_buf) - printed_len, fmt, args);
 
 	/*
 	 * Copy the output into log_buf.  If the caller didn't provide

[PATCH] printk: clean up recursion check related static variables

[Tejun Heo]

Make printk_recursion_bug_msg static, drop printk prefix from recurson
variables and move them into vprintk().

Signed-off-by: Tejun Heo <htejun@gmail.com>
---
This is slightly modified version of the clean up part.  I don't think
it's wise to pull out all static variables out of functions.  Thanks.

 kernel/printk.c |   22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

Index: work/kernel/printk.c
===================================================================
--- work.orig/kernel/printk.c
+++ work/kernel/printk.c
@@ -613,15 +613,13 @@ asmlinkage int printk(const char *fmt, .
 	return r;
 }
 
-/* cpu currently holding logbuf_lock */
-static volatile unsigned int printk_cpu = UINT_MAX;
-
-const char printk_recursion_bug_msg [] =
-			KERN_CRIT "BUG: recent printk recursion!\n";
-static int printk_recursion_bug;
-
 asmlinkage int vprintk(const char *fmt, va_list args)
 {
+	/* cpu currently holding logbuf_lock */
+	static volatile unsigned int printk_cpu = UINT_MAX;
+	static const char recursion_bug_msg [] =
+		KERN_CRIT "BUG: recent printk recursion!\n";
+	static int recursion_bug;
 	static int log_level_unknown = 1;
 	static char printk_buf[1024];
 
@@ -649,7 +647,7 @@ asmlinkage int vprintk(const char *fmt, 
 		 * it can be printed at the next appropriate moment:
 		 */
 		if (!oops_in_progress) {
-			printk_recursion_bug = 1;
+			recursion_bug = 1;
 			goto out_restore_irqs;
 		}
 		zap_locks();
@@ -659,10 +657,10 @@ asmlinkage int vprintk(const char *fmt, 
 	spin_lock(&logbuf_lock);
 	printk_cpu = this_cpu;
 
-	if (printk_recursion_bug) {
-		printk_recursion_bug = 0;
-		strcpy(printk_buf, printk_recursion_bug_msg);
-		printed_len = sizeof(printk_recursion_bug_msg);
+	if (recursion_bug) {
+		recursion_bug = 0;
+		strcpy(printk_buf, recursion_bug_msg);
+		printed_len = sizeof(recursion_bug_msg);
 	}
 	/* Emit the output into the temporary buffer */
 	printed_len += vscnprintf(printk_buf + printed_len,