* Steve Grubb (sgrubb(a)redhat.com) wrote:
> On Wednesday 27 April 2005 16:32, Chris Wright wrote:
> > NULL terminating the buffer doesn't look safe.
> It should be. Surely we know how long the buffer is. Admittedly, there's
> another bug that's in printk's handling of %*.* stuff. But even with that
> fixed, it would be more efficient (timewise) to terminate the string so
> printk doesn't have to interpret the *.* stuff.
We know how long the buffer is, but the NULL byte is not in the buffer.
So we either overwrite the last byte of the buffer, or the first byte of
the next thing in memory. Most of the time, this will happen to work
out fine because the skb payload is padded with some alignment, etc, but
on the rare case that there is no extra space, this is silent data
corruption of data that the kernel uses. I _think_ we could add the
NULL byte, but my concern is that something else in the buffer length
accounting is broken. In the worst case, that brokenness will copy
random kernel data to userspace as part of audit messages.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
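The corruption Chris describes, as an added userspace illustration (not code from this thread or from the kernel): a constructed 8-byte payload with no NUL terminator sits directly in front of a 4-byte field the kernel still needs, so writing a NUL at `payload[len]` clobbers that field, while passing the length to `%.*s` (snprintf here standing in for printk) needs no NUL at all. The `struct frame`, the counter value and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define PAYLOAD_LEN 8

/* Constructed stand-in for an skb: an 8-byte payload with no NUL terminator,
 * immediately followed by a 4-byte field the "kernel" still relies on. */
struct frame {
    unsigned char data[PAYLOAD_LEN + sizeof(uint32_t)];
};

/* Read the 4-byte field that lives right after the payload. */
static uint32_t frame_counter(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->data + PAYLOAD_LEN, sizeof v);
    return v;
}

static struct frame make_frame(void)
{
    struct frame f;
    uint32_t counter = 0x11223344u;              /* constructed value */
    memcpy(f.data, "AUDITMSG", PAYLOAD_LEN);     /* 8 bytes, no NUL */
    memcpy(f.data + PAYLOAD_LEN, &counter, sizeof counter);
    return f;
}

/* Unsafe: "terminate" the payload in place. With len == PAYLOAD_LEN the NUL
 * lands on the first byte of the counter that follows the payload. */
static void terminate_in_place(struct frame *f, size_t len)
{
    f->data[len] = '\0';
}

/* Safe: hand the length to the formatter with %.*s; the source buffer is
 * never written and never required to contain a NUL. */
static int format_payload(const struct frame *f, size_t len,
                          char *out, size_t outlen)
{
    return snprintf(out, outlen, "payload=%.*s", (int)len,
                    (const char *)f->data);
}

int main(void)
{
    struct frame a = make_frame(), b = make_frame();
    char line[64];
    format_payload(&a, PAYLOAD_LEN, line, sizeof line);
    printf("%s counter=%#x\n", line, frame_counter(&a));
    terminate_in_place(&b, PAYLOAD_LEN);
    printf("after in-place NUL: counter=%#x\n", frame_counter(&b));
    return 0;
}
```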