From: Ben Hutchings <ben@decadent.org.uk>
Subject: Linux error logging fixes
The Linux implementation of oss_cmn_err() uses a fixed-size temporary
buffer and does not protect against overflow. Although this is not
obviously exploitable, it could well become exploitable in future.
The argument counting and copying is also unportable and generally
- If we are not going to edit the log line in any way, just call
vprintk() and don't bother with the temporary buffer.
- If we need to edit the log line or call panic() instead of printk(),
use vsnprintf() instead of printf().
18
--- a/setup/Linux/oss/build/osscore.c
19
+++ b/setup/Linux/oss/build/osscore.c
20
@@ -633,43 +633,24 @@ oss_create_uio (uio_t * uio, char *buf,
22
oss_cmn_err (int level, const char *s, ...)
24
- char tmp[1024], *a[6];
31
- for (i = 0; i < strlen (s); i++)
35
- for (i = 0; i < n && i < 6; i++)
36
- a[i] = va_arg (ap, char *);
38
- for (i = n; i < 6; i++)
43
- sprintf (tmp, s, a[0], a[1], a[2], a[3], a[4], a[5], NULL,
50
strcpy (tmp, "osscore: ");
51
- sprintf (tmp + strlen (tmp), s, a[0], a[1], a[2], a[3], a[4], a[5],
52
- NULL, NULL, NULL, NULL);
53
+ vsnprintf (tmp + strlen (tmp), sizeof(tmp) - strlen(tmp), s, ap);
54
if (level == CE_PANIC)
57
printk (KERN_ALERT "%s", tmp);
60
- /* This may cause a crash under SMP */