| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ipc_log_string() the return value from vsnprintf(), data_size,
is used to increment ectxt.offset. However, this length could
actually be much larger than that of ectxt.buff itself. This is a
typical mistake of [v]snprintf() usage [1], in that it returns
not the number of characters written but how many characters
*would* have been written regardless of whether it was truncated.
The result is that even though ectxt.buff itself is not overrun,
the incorrect size in ectxt.offset will be later used as the length
parameter when memcpy()'ing to the ipc_log_page's data, overflowing
that memory and beyond. The write_page's write_offset would also
indicate an out-of-bounds (greater than PAGE_SIZE) length.
The fix is simple: use vscnprintf() instead of vsnprintf().
[1] https://lwn.net/Articles/69419/
Change-Id: I2e9d44e74f5f30a009732e31a554d82e31946999
Signed-off-by: Jack Pham <jackp@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
IPC Logging currently creates debugfs directories for each of its
logging contexts, but does not remove them when destroying the contexts.
If a user attempts to access a directory associated with a destroyed
context, a crash will result.
Destroy debugfs directories when the logging context is destroyed.
Change-Id: I5a3b1cbf2fb5d9d0ede3d9da0fccd605b9fdf619
Signed-off-by: Steven Cahail <scahail@codeaurora.org>
|
| |
|
|
|
|
|
| |
Using the physical counter leads to a kernel BUG_ON(). Update the
IPC Logging Driver to use virtual counter.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
|
|
|
This snapshot is taken as of msm-3.18 commit e70ad0cd (Promotion of
kernel.lnx.3.18-151201.)
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
|
