author | Tetsuo Handa <[email protected]> | 2018-12-04 19:00:01 +0900 |
---|---|---|
committer | Petr Mladek <[email protected]> | 2018-12-10 10:45:59 +0100 |
commit | e80c1a9d5f514ce5134c6c4263a11607341466c9 (patch) | |
tree | 9809c5253e849d33edd885322a2a925ae25e1937 /security/selinux/hooks.c | |
parent | 9adcfaffc34d53e498637237fb3701560359d50b (diff) |
printk: fix printk_time race.
Since printk_time can be toggled via /sys/module/printk/parameters/time ,
it is not safe to assume that output length does not change across
multiple msg_print_text() calls. If we hit this race, we can observe
failures such as SYSLOG_ACTION_READ_ALL writes more bytes than userspace
has supplied, SYSLOG_ACTION_SIZE_UNREAD returns -EFAULT when succeeded,
SYSLOG_ACTION_READ reads garbage memory or even triggers a kernel oops
at _copy_to_user() due to integer overflow.
To close this race, get a snapshot value of printk_time and pass it to
SYSLOG_ACTION_READ, SYSLOG_ACTION_READ_ALL, SYSLOG_ACTION_SIZE_UNREAD and
kmsg_dump_get_buffer().
Link: http://lkml.kernel.org/r/[email protected]
To: Sergey Senozhatsky <[email protected]>
Cc: [email protected]
Signed-off-by: Tetsuo Handa <[email protected]>
Reviewed-by: Sergey Senozhatsky <[email protected]>
Signed-off-by: Petr Mladek <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions
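
The race described in the commit message, as an added userspace model in C that is not code from the kernel or from this commit: a sizing pass and a fill pass each read a togglable flag, so the two lengths can disagree unless the flag is read once and passed to both. `time_flag`, `fmt_record`, `two_pass_delta` and the sample timestamp are hypothetical names and values chosen for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TIME_PREFIX "[    1.000000] "   /* constructed sample timestamp */

/* Stand-in for a setting that can change at runtime, such as printk_time. */
static volatile bool time_flag;

/* Hypothetical formatter: returns the output length; fills buf if non-NULL. */
static int fmt_record(const char *text, bool time, char *buf, size_t size)
{
    return snprintf(buf, buf ? size : 0, "%s%s\n", time ? TIME_PREFIX : "", text);
}

/*
 * Pass 1 sizes the output, pass 2 produces it.
 * snapshot:       read the flag once and reuse it for both passes (the fix).
 * toggle_between: simulate the setting being flipped between the passes.
 * Returns pass-2 length minus pass-1 length; 0 means the passes agree.
 */
static long two_pass_delta(const char *text, bool snapshot, bool toggle_between)
{
    char buf[128];
    bool time = time_flag;   /* the snapshot value */
    int sized, written;

    sized = fmt_record(text, snapshot ? time : time_flag, NULL, 0);
    if (toggle_between)
        time_flag = !time_flag;
    written = fmt_record(text, snapshot ? time : time_flag, buf, sizeof(buf));
    return (long)written - sized;
}

int main(void)
{
    time_flag = false;
    printf("live reads: delta=%ld\n", two_pass_delta("hello", false, true));
    time_flag = false;
    printf("snapshot:   delta=%ld\n", two_pass_delta("hello", true, true));
    return 0;
}
```

A positive delta is the case where the fill pass produces more bytes than the sizing pass accounted for; a negative delta, stored in an unsigned length, is where a subtraction wraps.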