diff --git a/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch b/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
new file mode 100644
index 0000000..044cb61
--- /dev/null
+++ b/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
@@ -0,0 +1,43 @@
+From 401e037e5e9527134c594b8923342a69ff38b7cb Mon Sep 17 00:00:00 2001
+From: Arthur Zou
+Date: Wed, 12 Mar 2014 13:05:18 +0800
+Subject: [PATCH] vmcore-dmesg stack smashing happend in extreme case
+
+Description
+in dump_dmesg_structured() the out_buf size is 4096, and if the
+length is less than 4080( 4096-16 ) it won't really write out.
+Normally, after writing one or four chars to the out_buf, it will
+check the length of out_buf. But in extreme cases, 19 chars was
+written to the out_buf before checking the length. This may cause
+the stack corruption. If the length was 4079 (won't realy write out),
+and then write 19 chars to it. the out_buf will overflow.
+
+Solution
+Change 16 to 64 thus can make sure that always have 64bytes before
+moving to next records. why using 64 is that a long long int can take
+20 bytes. so the length of timestamp can be 44 ('[','.',']',' ') in
+extreme case.
+
+Signed-off-by: Arthur Zou
+Acked-by: Vivek Goyal
+Signed-off-by: Simon Horman
+---
+ vmcore-dmesg/vmcore-dmesg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vmcore-dmesg/vmcore-dmesg.c b/vmcore-dmesg/vmcore-dmesg.c
+index 0345660..e15cd91 100644
+--- a/vmcore-dmesg/vmcore-dmesg.c
++++ b/vmcore-dmesg/vmcore-dmesg.c
+@@ -674,7 +674,7 @@ static void dump_dmesg_structured(int fd)
+ else
+ out_buf[len++] = c;
+
+- if (len >= OUT_BUF_SIZE - 16) {
++ if (len >= OUT_BUF_SIZE - 64) {
+ write_to_stdout(out_buf, len);
+ len = 0;
+ }
+--
+1.8.4.2
+
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 8c75d21..0c850e4 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
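Review bot: The new threshold `OUT_BUF_SIZE - 64` is a bare magic number whose justification exists only in the commit message (the largest write that happens before this length check is the worst-case 44-byte timestamp), so the next change to how a record is formatted can silently re-open the overflow without anything in the code pointing at the invariant. Name the slack and state the bound next to the check, e.g. `/* keep >= 64 bytes free: the largest unchecked write ahead of this test is the 44-byte worst-case timestamp "[secs.usecs] " */` above the `if`, or define the 64 as a named constant with that comment. A fixed margin is still a best-effort guard; the robust form is to flush when `len + needed > OUT_BUF_SIZE` before each multi-byte write, which I cannot propose concretely here because the timestamp write itself is outside the hunk. dump_dmesg_structured() begins and ends outside the hunk, so I am inferring the write pattern from the description rather than from visible code.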
@@ -81,6 +81,7 @@ Patch001: kexec-tools-2.0.5-i386-fix-redefinition-error-for-e820entry.patch
 Patch601: kexec-tools-2.0.3-disable-kexec-test.patch
 Patch604: kexec-tools-2.0.3-build-makedumpfile-eppic-shared-object.patch
 Patch618: kexec-tools-2.0.4-makedumpfile-memset-in-cyclic-bitmap-initialization-introdu.patch
+Patch619: kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
 %description
 kexec-tools provides /sbin/kexec binary that facilitates a new
@@ -114,6 +115,7 @@ tar -z -x -v -f %{SOURCE19}
 %patch618 -p1
 %patch000 -p1
 %patch001 -p1
+%patch619 -p1
 tar -z -x -v -f %{SOURCE13}