[stable] Patch "RAMOOPS: Don't overflow over non-allocated regions" has been added to the 2.6.36-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    RAMOOPS: Don't overflow over non-allocated regions

to the 2.6.36-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ramoops-don-t-overflow-over-non-allocated-regions.patch
and it can be found in the queue-2.6.36 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <sta...@kernel.org> know about it.


>From 1873bb8115e678ad9fd0aac9dbbc68383bc36e06 Mon Sep 17 00:00:00 2001
From: Ahmed S. Darwish <darwish...@gmail.com>
Date: Sat, 25 Dec 2010 11:57:09 +0200
Subject: RAMOOPS: Don't overflow over non-allocated regions

From: Ahmed S. Darwish <darwish...@gmail.com>

commit 1873bb8115e678ad9fd0aac9dbbc68383bc36e06 upstream.

The current code mis-calculates the ramoops header size, leading to an
overflow over the next record at best, or over a non-allocated region at
worst.  Fix that calculation.

Signed-off-by: Ahmed S. Darwish <darwish...@gmail.com>
Acked-by: Marco Stornelli <marco.storne...@gmail.com>
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 drivers/char/ramoops.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/char/ramoops.c
+++ b/drivers/char/ramoops.c
@@ -27,7 +27,6 @@
 #include <linux/ioport.h>
 
 #define RAMOOPS_KERNMSG_HDR "===="
-#define RAMOOPS_HEADER_SIZE   (5 + sizeof(struct timeval))
 
 #define RECORD_SIZE 4096
 
@@ -63,8 +62,8 @@ static void ramoops_do_dump(struct kmsg_
                        struct ramoops_context, dump);
        unsigned long s1_start, s2_start;
        unsigned long l1_cpy, l2_cpy;
-       int res;
-       char *buf;
+       int res, hdr_size;
+       char *buf, *buf_orig;
        struct timeval timestamp;
 
        /* Only dump oopses if dump_oops is set */
@@ -72,6 +71,8 @@ static void ramoops_do_dump(struct kmsg_
                return;
 
        buf = (char *)(cxt->virt_addr + (cxt->count * RECORD_SIZE));
+       buf_orig = buf;
+
        memset(buf, '\0', RECORD_SIZE);
        res = sprintf(buf, "%s", RAMOOPS_KERNMSG_HDR);
        buf += res;
@@ -79,8 +80,9 @@ static void ramoops_do_dump(struct kmsg_
        res = sprintf(buf, "%lu.%lu\n", (long)timestamp.tv_sec, 
(long)timestamp.tv_usec);
        buf += res;
 
-       l2_cpy = min(l2, (unsigned long)(RECORD_SIZE - RAMOOPS_HEADER_SIZE));
-       l1_cpy = min(l1, (unsigned long)(RECORD_SIZE - RAMOOPS_HEADER_SIZE) - 
l2_cpy);
+       hdr_size = buf - buf_orig;
+       l2_cpy = min(l2, (unsigned long)(RECORD_SIZE - hdr_size));
+       l1_cpy = min(l1, (unsigned long)(RECORD_SIZE - hdr_size) - l2_cpy);
 
        s2_start = l2 - l2_cpy;
        s1_start = l1 - l1_cpy;


Patches currently in stable-queue which might be from darwish...@gmail.com are

queue-2.6.36/ramoops-don-t-overflow-over-non-allocated-regions.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable