iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Eric Dumazet 404ca80eb5 coredump: fix va_list corruption 
A va_list needs to be copied in case it needs to be used twice.

Thanks to Hugh for debugging this issue, leading to various panics.

Tested:

  lpq84:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern

'produce_core' is simply : main() { *(int *)0 = 1;}

  lpq84:~# ./produce_core
  Segmentation fault (core dumped)
  lpq84:~# dmesg | tail -1
  [  614.352947] Core dump to |/foobar12345 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 (null) pipe failed

Notice the last argument was replaced by a NULL (we were lucky enough to
not crash, but do not try this on your production machine !)

After fix :

  lpq83:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern
  lpq83:~# ./produce_core
  Segmentation fault
  lpq83:~# dmesg | tail -1
  [  740.800441] Core dump to |/foobar12345 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 pipe failed

Fixes: 5fe9d8ca21cc ("coredump: cn_vprintf() has no reason to call vsnprintf() twice")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Diagnosed-by: Hugh Dickins <hughd@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # 3.11+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-19 13:23:31 -07:00
..
9p
mm: implement ->map_pages for page cache
2014-04-07 16:35:53 -07:00
adfs
fs/adfs/super.c: add __init to init_inodecache()
2014-04-07 16:36:08 -07:00
affs
affs: add mount option to avoid filename truncates
2014-04-07 16:36:08 -07:00
afs
mm + fs: store shadow entries in page cache
2014-04-03 16:21:01 -07:00
autofs4
autofs4: check dev ioctl size before allocating
2014-04-08 16:48:51 -07:00
befs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
bfs
fs/bfs/inode.c: add __init to init_inodecache()
2014-04-07 16:36:08 -07:00
btrfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
cachefiles
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
ceph
ceph: fix pr_fmt() redefinition
2014-04-12 15:39:53 -07:00
cifs
cif: fix dead code
2014-04-16 23:08:57 -05:00
coda
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
configfs
configfs: fix race between dentry put and lookup
2013-11-21 16:42:27 -08:00
cramfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
debugfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
devpts
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
dlm
net: Fix use after free by removing length arg from sk_data_ready callbacks.
2014-04-11 16:15:36 -04:00
ecryptfs
Merge branch 'cross-rename' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
2014-04-04 14:03:05 -07:00
efivarfs
efivarfs: 'efivarfs_file_write' function reorganization
2014-03-04 16:16:16 +00:00
efs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
exofs
Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd
2014-04-10 14:33:02 -07:00
exportfs
exportfs: fix quadratic behavior in filehandle lookup
2013-11-09 00:16:38 -05:00
ext2
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2014-04-07 17:59:17 -07:00
ext3
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2014-04-07 17:59:17 -07:00
ext4
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
f2fs
Merge branch 'akpm' (incoming from Andrew)
2014-04-07 16:38:06 -07:00
fat
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
freevxfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
fscache
FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree
2014-02-17 13:47:35 -08:00
fuse
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
gfs2
mm: implement ->map_pages for page cache
2014-04-07 16:35:53 -07:00
hfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
hfsplus
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
hostfs
mm + fs: store shadow entries in page cache
2014-04-03 16:21:01 -07:00
hpfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
hppfs
hugetlbfs
mm, hugetlb: unify region structure handling
2014-04-03 16:20:59 -07:00
isofs
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2014-04-07 17:59:17 -07:00
jbd
jbd: Revise KERN_EMERG error messages
2013-12-04 12:27:46 +01:00
jbd2
jbd2: improve error messages for inconsistent journal heads
2014-03-12 16:38:03 -04:00
jffs2
MTD updates for 3.15:
2014-04-07 10:17:30 -07:00
jfs
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
kernfs
kernfs: protect lazy kernfs_iattrs allocation with mutex
2014-04-16 11:54:40 -07:00
lockd
lockd: ensure we tear down any live sockets when socket creation fails during lockd_up
2014-03-28 10:43:08 -04:00
logfs
mm + fs: store shadow entries in page cache
2014-04-03 16:21:01 -07:00
minix
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
ncpfs
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-04-12 17:31:22 -07:00
nfs
mm: implement ->map_pages for page cache
2014-04-07 16:35:53 -07:00
nfs_common
nfsd
Merge branch 'for-3.15' of git://linux-nfs.org/~bfields/linux
2014-04-08 18:28:14 -07:00
nilfs2
mm: implement ->map_pages for page cache
2014-04-07 16:35:53 -07:00
nls
nls: have register_nls() set ->owner
2014-01-25 03:14:05 -05:00
notify
fanotify: move unrelated handling from copy_event_to_user()
2014-04-03 16:20:51 -07:00
ntfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
ocfs2
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-04-12 17:31:22 -07:00
omfs
mm + fs: store shadow entries in page cache
2014-04-03 16:21:01 -07:00
openpromfs
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
proc
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
pstore
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
qnx4
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
qnx6
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
quota
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2014-04-07 17:59:17 -07:00
ramfs
fs/ramfs: move ramfs_aops to inode.c
2014-01-23 16:36:58 -08:00
reiserfs
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2014-04-07 17:59:17 -07:00
romfs
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
squashfs
fs: push sync_filesystem() down to the file system's remount_fs()
2014-03-13 10:14:33 -04:00
sysfs
sysfs, driver-core: remove unused {sysfs|device}_schedule_callback_owner()
2014-04-16 11:56:33 -07:00
sysv
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
ubifs
mm: implement ->map_pages for page cache
2014-04-07 16:35:53 -07:00
udf
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
ufs
fs/ufs: remove unused ufs_super_block_third pointer
2014-04-07 16:36:16 -07:00
xfs
xfs: fix tmpfile/selinux deadlock and initialize security
2014-04-17 08:15:30 +10:00
aio.c
aio: v4 ensure access to ctx->ring_pages is correctly serialised for migration
2014-03-28 10:14:45 -04:00
anon_inodes.c
vfs: Allocate anon_inode_inode in anon_inode_init()
2014-03-27 09:52:54 -07:00
attr.c
fs: fix iversion handling
2013-12-05 16:36:21 -06:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c
exec: kill the unnecessary mm->def_flags setting in load_elf_binary()
2014-04-07 16:35:52 -07:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_misc: add missing 'break' statement
2014-04-03 16:21:16 -07:00
binfmt_script.c
binfmt_som.c
bio-integrity.c
block: Ensure we only enable integrity metadata for reads and writes
2014-04-09 08:00:06 -06:00
bio.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
block_dev.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
buffer.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
char_dev.c
Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block
2013-11-14 12:08:14 +09:00
compat_binfmt_elf.c
binfmt_elf: add ELF_HWCAP2 to compat auxv entries
2014-03-04 08:05:21 +00:00
compat_ioctl.c
fs/compat: convert to COMPAT_SYSCALL_DEFINE with changing parameter types
2014-03-06 16:30:44 +01:00
compat.c
Merge branch 'locks-3.15' of git://git.samba.org/jlayton/linux
2014-04-04 14:21:20 -07:00
coredump.c
coredump: fix va_list corruption
2014-04-19 13:23:31 -07:00
dcache.c
Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux
2014-04-08 09:52:16 -07:00
dcookies.c
fs/compat: fix lookup_dcookie() parameter handling
2014-01-29 16:22:40 -08:00
direct-io.c
xfs: update for 3.15-rc1
2014-04-04 15:50:08 -07:00
drop_caches.c
drop_caches: add some documentation and info message
2014-04-03 16:21:04 -07:00
eventfd.c
eventfd_ctx_fdget(): use fdget() instead of fget()
2014-01-25 03:13:04 -05:00
eventpoll.c
epoll: do not take the nested ep->mtx on EPOLL_CTL_DEL
2014-01-02 14:40:30 -08:00
exec.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
fcntl.c
locks: add new fcntl cmd values for handling file private locks
2014-03-31 08:24:43 -04:00
fhandle.c
file_table.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
file.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
filesystems.c
sys_sysfs: Add CONFIG_SYSFS_SYSCALL
2014-04-03 16:21:05 -07:00
fs_struct.c
fs-writeback.c
One of the main highlights this time, is not the patches themselves
2014-04-04 14:49:16 -07:00
inode.c
Major changes for 3.14 include support for the newly added ZERO_RANGE
2014-04-04 15:39:39 -07:00
internal.h
ioctl.c
ioprio.c
Kconfig
kernfs: add CONFIG_KERNFS
2014-02-07 16:08:57 -08:00
Kconfig.binfmt
libfs.c
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
locks.c
locks: make locks_mandatory_area check for file-private locks
2014-03-31 08:24:43 -04:00
Makefile
kernfs: add CONFIG_KERNFS
2014-02-07 16:08:57 -08:00
mbcache.c
ext4: each filesystem creates and uses its own mb_cache
2014-03-18 19:24:49 -04:00
mount.h
reduce m_start() cost...
2014-04-01 23:19:09 -04:00
mpage.c
block: Abstract out bvec iterator
2013-11-23 22:33:47 -08:00
namei.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
namespace.c
VFS: Make delayed_free() call free_vfsmnt()
2014-04-01 23:19:18 -04:00
no-block.c
open.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-04-12 14:49:50 -07:00
pipe.c
switch pipe_read() to copy_page_to_iter()
2014-04-01 23:19:22 -04:00
pnode.c
smarter propagate_mnt()
2014-04-01 23:19:08 -04:00
pnode.h
smarter propagate_mnt()
2014-04-01 23:19:08 -04:00
posix_acl.c
One of the main highlights this time, is not the patches themselves
2014-04-04 14:49:16 -07:00
proc_namespace.c
reduce m_start() cost...
2014-04-01 23:19:09 -04:00
read_write.c
Merge branch 'compat' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
2014-03-31 14:32:17 -07:00
readdir.c
select.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
seq_file.c
seq_file: always clear m->count when we free m->buf
2013-11-18 19:07:53 -08:00
signalfd.c
splice.c
switch vmsplice_to_user() to copy_page_to_iter()
2014-04-01 23:19:23 -04:00
stack.c
stat.c
statfs.c
super.c
fs: Don't return 0 from get_anon_bdev
2014-04-16 11:53:08 -07:00
sync.c
Revert "writeback: do not sync data dirtied after sync start"
2014-02-22 02:02:28 +01:00
timerfd.c
timerfd: support CLOCK_BOOTTIME clock
2014-01-23 16:57:40 -08:00
utimes.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
xattr.c