Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'pstore-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull pstore updates from Kees Cook:

- Catch unlikely NULL return from vmap() (Ruipeng Qi)

- Handle corner case of past incomplete buffer fills causing heap
overflow (Sai Ritvik Tanksalkar)

* tag 'pstore-v7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
pstore/ram: fix buffer overflow in persistent_ram_save_old()
pstore: ram_core: fix incorrect success return when vmap() fails

+18
fs/pstore/ram_core.c
··· 298 298 if (!size) 299 299 return; 300 300 301 + /* 302 + * If the existing buffer is differently sized, free it so a new 303 + * one is allocated. This can happen when persistent_ram_save_old() 304 + * is called early in boot and later for a timer-triggered 305 + * survivable crash when the crash dumps don't match in size 306 + * (which would be extremely unlikely given kmsg buffers usually 307 + * exceed prz buffer sizes). 308 + */ 309 + if (prz->old_log && prz->old_log_size != size) 310 + persistent_ram_free_old(prz); 311 + 301 312 if (!prz->old_log) { 302 313 persistent_ram_ecc_old(prz); 303 314 prz->old_log = kvzalloc(size, GFP_KERNEL); ··· 456 445 */ 457 446 vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot); 458 447 kfree(pages); 448 + 449 + /* 450 + * vmap() may fail and return NULL. Do not add the offset in this 451 + * case, otherwise a NULL mapping would appear successful. 452 + */ 453 + if (!vaddr) 454 + return NULL; 459 455 460 456 /* 461 457 * Since vmap() uses page granularity, we must add the offset
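Review bot: In the first hunk (persistent_ram_save_old()), the comment above the new `if (prz->old_log && prz->old_log_size != size)` check says when the sizes can differ but not why reusing the old buffer is unsafe. The commit subject calls this a buffer overflow, so the comment should say that a previously allocated old_log smaller than the current size must not be reused. The fix also depends on persistent_ram_free_old() leaving prz->old_log NULL, so that the following `if (!prz->old_log)` block allocates a fresh buffer of `size` bytes. That is not visible in this hunk and is worth confirming. Since that block also calls persistent_ram_ecc_old(prz) again before kvzalloc(), please note in the commit message whether a second ECC pass over the same region is expected to be harmless.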
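Review bot: In the second hunk, the new `if (!vaddr) return NULL;` path after vmap() fails silently at this site. If the caller does not already log a mapping failure, a pr_err() that includes page_count would make this failure diagnosable from the boot log. The placement itself looks right: the check sits after `kfree(pages)`, so the early return does not leak the pages array, and it comes before the offset is added, which is what the new comment describes.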