7230df2ed5
- Added the following patches for bsc#1165978. zpcictl --reset only issues a SCLP reset and leaves the PCI function in an error state. Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover after the SCLP reset.
  * s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch
  * s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch
  * s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch
- The zipl boot loader may crash during boot. The solution is to implement vsnprintf and make use of it. (bsc#1165317)
  * s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch
  * s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch
  * s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch
  * s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch

OBS-URL: https://build.opensuse.org/request/show/783519
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=90
Subject: [PATCH] [BZ 184060] zipl/libc: Fix potential buffer overflow in printf
From: Philipp Rudo <prudo@linux.ibm.com>

Description: zipl/libc: Fix potential buffer overflow in printf
Symptom: Crash of the zipl boot loader during boot.
Problem: The zipl boot loaders have their own minimalistic libc
implementation. In it printf and sprintf use vsprintf for string
formatting. Per definition vsprintf assumes that the buffer it
writes to is large enough to contain the formatted string and
performs no size checks. This is problematic for the boot
loaders because the buffers they use are often allocated on the
stack. Thus even small changes to the string format can
potentially cause buffer overflows on the stack.
Solution: Implement vsnprintf and make use of it.
Reproduction: Use printf to print a string with >81 characters (exact number
depends on the stack layout/compiler used).
Upstream-ID: 8874b908254c47c8a6fd7a1aca2c7371c11035c4
Problem-ID: 184060

Upstream-Description:

zipl/libc: Fix potential buffer overflow in printf

Per definition vsprintf assumes that the provided buffer it writes to is
large enough to contain the formatted string. As printf uses a fixed
sized buffer (81 bytes) and has no size checks the use of vsprintf can
easily cause buffer overflows. Protect against these buffer overflows by
using vsnprintf instead.

While at it fix a typo in the comment.

Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>

Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
zipl/boot/libc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/zipl/boot/libc.c
+++ b/zipl/boot/libc.c
@@ -530,7 +530,7 @@ void sprintf(char *str, const char *fmt,
}
/*
- * Print formated string
+ * Print formatted string to console
*/
void printf(const char *fmt, ...)
{
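Review bot: The rewritten comment above printf ("Print formatted string to console") says nothing about the length limit, which becomes observable behaviour once the write is bounded: per the commit message printf formats into a fixed 81-byte buffer, so a longer message is cut off. Suggest documenting that in the comment, for example that output is limited to the size of buf and longer strings are truncated. The commit message also describes this as a typo fix only, while the wording of the comment changes as well; a word on that would keep the log accurate.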
@@ -538,7 +538,7 @@ void printf(const char *fmt, ...)
va_list va;
va_start(va, fmt);
- vsprintf(buf, fmt, va);
+ vsnprintf(buf, sizeof(buf), fmt, va);
sclp_print(buf);
va_end(va);
}
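Review bot: The return value of vsnprintf(buf, sizeof(buf), fmt, va) is discarded, so a message that does not fit is truncated silently before sclp_print(buf) and a cut-off boot message looks complete. Consider comparing the result against sizeof(buf) and marking the line; the series lists a later patch (04, Indicate-truncated-lines-in-printf-with) whose title suggests it covers this, in which case a pointer to it in the commit message would help. Also, sizeof(buf) only yields the buffer size if buf is an array declared inside printf; the declaration is outside the visible context, so please confirm it is not a pointer. Since sclp_print(buf) is passed no length, this also relies on the vsnprintf introduced in patch 01 always NUL-terminating within the given size.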
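The bounded-formatting pattern the commit message describes, as an added example that is not part of the patch or of s390-tools. It uses the hosted C library's vsnprintf in place of the boot loader's own; `bounded_printf`, `console_write`, `was_truncated` and the `...` truncation marker are assumptions made for illustration, and only the 81-byte buffer size comes from the commit message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF_SIZE 81 /* fixed printf buffer size given in the commit message */

/* Hypothetical stand-in for sclp_print(): keeps the last line for inspection. */
static char last_line[LINE_BUF_SIZE];

static void console_write(const char *s)
{
    snprintf(last_line, sizeof(last_line), "%s", s);
}

/*
 * Bounded printf. Returns what vsnprintf returns: the length the complete
 * message needed, so a value >= LINE_BUF_SIZE tells the caller it was cut.
 */
static int bounded_printf(const char *fmt, ...)
{
    char buf[LINE_BUF_SIZE]; /* stack buffer, as in the boot loader */
    va_list va;
    int needed;

    va_start(va, fmt);
    needed = vsnprintf(buf, sizeof(buf), fmt, va); /* never writes past buf */
    va_end(va);

    if (needed < 0)
        buf[0] = '\0'; /* formatting error: print nothing */
    else if ((size_t)needed >= sizeof(buf))
        memcpy(buf + sizeof(buf) - 4, "...", 4); /* assumed marker, incl. NUL */

    console_write(buf);
    return needed;
}

static int was_truncated(int needed)
{
    return needed < 0 || (size_t)needed >= LINE_BUF_SIZE;
}

int main(void)
{
    char big[101];

    memset(big, 'A', sizeof(big) - 1); /* constructed 100-character input */
    big[sizeof(big) - 1] = '\0';
    printf("needed=%d\n", bounded_printf("%s", big));
    printf("shown=%zu truncated=%d\n", strlen(last_line), was_truncated(100));
    return 0;
}
```

With vsprintf in place of vsnprintf the same 100-character input would write past the 81-byte stack buffer, which is the crash the Reproduction field describes.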