• T
    block: fix buffer overflow when printing partition UUIDs · 05c69d29
    Tejun Heo 提交于
    6d1d8050 "block, partition: add partition_meta_info to hd_struct"
    added part_unpack_uuid() which assumes that the passed in buffer has
    enough space for sprintfing "%pU" - 37 characters including '\0'.
    
    Unfortunately, b5af921e "init: add support for root devices
    specified by partition UUID" supplied 33 bytes buffer to the function
    leading to the following panic with stackprotector enabled.
    
      Kernel panic - not syncing: stack-protector: Kernel stack corrupted in: ffffffff81b14c7e
    
      [<ffffffff815e226b>] panic+0xba/0x1c6
      [<ffffffff81b14c7e>] ? printk_all_partitions+0x259/0x26xb
      [<ffffffff810566bb>] __stack_chk_fail+0x1b/0x20
      [<ffffffff81b15c7e>] printk_all_paritions+0x259/0x26xb
      [<ffffffff81aedfe0>] mount_block_root+0x1bc/0x27f
      [<ffffffff81aee0fa>] mount_root+0x57/0x5b
      [<ffffffff81aee23b>] prepare_namespace+0x13d/0x176
      [<ffffffff8107eec0>] ? release_tgcred.isra.4+0x330/0x30
      [<ffffffff81aedd60>] kernel_init+0x155/0x15a
      [<ffffffff81087b97>] ? schedule_tail+0x27/0xb0
      [<ffffffff815f4d24>] kernel_thread_helper+0x5/0x10
      [<ffffffff81aedc0b>] ? start_kernel+0x3c5/0x3c5
      [<ffffffff815f4d20>] ? gs_change+0x13/0x13
    
    Increase the buffer size, remove the dangerous part_unpack_uuid() and
    use snprintf() directly from printk_all_partitions().
    Signed-off-by: NTejun Heo <tj@kernel.org>
    Reported-by: NSzymon Gruszczynski <sz.gruszczynski@googlemail.com>
    Cc: Will Drewry <wad@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: NJens Axboe <axboe@kernel.dk>
    05c69d29
genhd.h 19.9 KB