hurricos/openwrt
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
256d49be3c
openwrt/target/linux/generic/patches-3.10/930-crashlog.patch
Felix Fietkau 3848e6a246 kernel: crashlog: Avoid out-of-bounds write 
vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.

Fix this by using vscnprintf which returns the actually written number
of chars.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>

SVN-Revision: 37820
2013-08-21 20:59:25 +00:00

277 lines
6.9 KiB
Diff
Raw Blame History

--- /dev/null
+++ b/include/linux/crashlog.h
@@ -0,0 +1,17 @@
+#ifndef __CRASHLOG_H
+#define __CRASHLOG_H
+
+#ifdef CONFIG_CRASHLOG
+void crashlog_init_bootmem(struct bootmem_data *bdata);
+void crashlog_init_memblock(phys_addr_t addr, phys_addr_t size);
+#else
+static inline void crashlog_init_bootmem(struct bootmem_data *bdata)
+{
+}
+
+static inline void crashlog_init_memblock(phys_addr_t addr, phys_addr_t size)
+{
+}
+#endif
+
+#endif
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1186,6 +1186,10 @@ config RELAY
If unsure, say N.
+config CRASHLOG
+ bool "Crash logging"
+ depends on (!NO_BOOTMEM || HAVE_MEMBLOCK) && !(ARM || SPARC || PPC)
+
config BLK_DEV_INITRD
bool "Initial RAM filesystem and RAM disk (initramfs/initrd) support"
depends on BROKEN || !FRV
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -110,6 +110,7 @@ obj-$(CONFIG_PADATA) += padata.o
obj-$(CONFIG_CRASH_DUMP) += crash_dump.o
obj-$(CONFIG_JUMP_LABEL) += jump_label.o
obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o
+obj-$(CONFIG_CRASHLOG) += crashlog.o
$(obj)/configs.o: $(obj)/config_data.h
--- /dev/null
+++ b/kernel/crashlog.c
@@ -0,0 +1,181 @@
+/*
+ * Crash information logger
+ * Copyright (C) 2010 Felix Fietkau <nbd@openwrt.org>
+ *
+ * Based on ramoops.c
+ * Copyright (C) 2010 Marco Stornelli <marco.stornelli@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/bootmem.h>
+#include <linux/memblock.h>
+#include <linux/debugfs.h>
+#include <linux/crashlog.h>
+#include <linux/kmsg_dump.h>
+#include <linux/module.h>
+#include <linux/pfn.h>
+#include <asm/io.h>
+
+#define CRASHLOG_PAGES 4
+#define CRASHLOG_SIZE (CRASHLOG_PAGES * PAGE_SIZE)
+#define CRASHLOG_MAGIC 0xa1eedead
+
+/*
+ * Start the log at 1M before the end of RAM, as some boot loaders like
+ * to use the end of the RAM for stack usage and other things
+ * If this fails, fall back to using the last part.
+ */
+#define CRASHLOG_OFFSET (1024 * 1024)
+
+struct crashlog_data {
+ u32 magic;
+ u32 len;
+ u8 data[];
+};
+
+static struct debugfs_blob_wrapper crashlog_blob;
+static unsigned long crashlog_addr = 0;
+static struct crashlog_data *crashlog_buf;
+static struct kmsg_dumper dump;
+static bool first = true;
+
+extern struct list_head *crashlog_modules;
+
+#ifndef CONFIG_NO_BOOTMEM
+void __init crashlog_init_bootmem(bootmem_data_t *bdata)
+{
+ unsigned long addr;
+
+ if (crashlog_addr)
+ return;
+
+ addr = PFN_PHYS(bdata->node_low_pfn) - CRASHLOG_OFFSET;
+ if (reserve_bootmem(addr, CRASHLOG_SIZE, BOOTMEM_EXCLUSIVE) < 0) {
+ printk("Crashlog failed to allocate RAM at address 0x%lx\n", addr);
+ bdata->node_low_pfn -= CRASHLOG_PAGES;
+ addr = PFN_PHYS(bdata->node_low_pfn);
+ }
+ crashlog_addr = addr;
+}
+#endif
+
+#ifdef CONFIG_HAVE_MEMBLOCK
+void __meminit crashlog_init_memblock(phys_addr_t addr, phys_addr_t size)
+{
+ if (crashlog_addr)
+ return;
+
+ addr += size - CRASHLOG_OFFSET;
+ if (memblock_reserve(addr, CRASHLOG_SIZE)) {
+ printk("Crashlog failed to allocate RAM at address 0x%lx\n", (unsigned long) addr);
+ return;
+ }
+
+ crashlog_addr = addr;
+}
+#endif
+
+static void __init crashlog_copy(void)
+{
+ if (crashlog_buf->magic != CRASHLOG_MAGIC)
+ return;
+
+ if (!crashlog_buf->len || crashlog_buf->len >
+ CRASHLOG_SIZE - sizeof(*crashlog_buf))
+ return;
+
+ crashlog_blob.size = crashlog_buf->len;
+ crashlog_blob.data = kmemdup(crashlog_buf->data,
+ crashlog_buf->len, GFP_KERNEL);
+
+ debugfs_create_blob("crashlog", 0700, NULL, &crashlog_blob);
+}
+
+static int get_maxlen(void)
+{
+ return CRASHLOG_SIZE - sizeof(*crashlog_buf) - crashlog_buf->len;
+}
+
+static void crashlog_printf(const char *fmt, ...)
+{
+ va_list args;
+ int len = get_maxlen();
+
+ if (!len)
+ return;
+
+ va_start(args, fmt);
+ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);
+}
+
+static void crashlog_do_dump(struct kmsg_dumper *dumper,
+ enum kmsg_dump_reason reason)
+{
+ struct timeval tv;
+ struct module *m;
+ char *buf;
+ size_t len;
+
+ if (!first)
+ crashlog_printf("\n===================================\n");
+
+ do_gettimeofday(&tv);
+ crashlog_printf("Time: %lu.%lu\n",
+ (long)tv.tv_sec, (long)tv.tv_usec);
+
+ if (first) {
+ crashlog_printf("Modules:");
+ list_for_each_entry(m, crashlog_modules, list) {
+ crashlog_printf("\t%s@%p+%x", m->name,
+ m->module_core, m->core_size,
+ m->module_init, m->init_size);
+ }
+ crashlog_printf("\n");
+ first = false;
+ }
+
+ buf = (char *)&crashlog_buf->data[crashlog_buf->len];
+
+ kmsg_dump_get_buffer(dumper, true, buf, get_maxlen(), &len);
+
+ crashlog_buf->len += len;
+}
+
+
+int __init crashlog_init_fs(void)
+{
+ if (!crashlog_addr)
+ return -ENOMEM;
+
+ crashlog_buf = ioremap(crashlog_addr, CRASHLOG_SIZE);
+
+ crashlog_copy();
+
+ crashlog_buf->magic = CRASHLOG_MAGIC;
+ crashlog_buf->len = 0;
+
+ dump.max_reason = KMSG_DUMP_OOPS;
+ dump.dump = crashlog_do_dump;
+ kmsg_dump_register(&dump);
+
+ return 0;
+}
+module_init(crashlog_init_fs);
--- a/mm/bootmem.c
+++ b/mm/bootmem.c
@@ -15,6 +15,7 @@
#include <linux/export.h>
#include <linux/kmemleak.h>
#include <linux/range.h>
+#include <linux/crashlog.h>
#include <linux/memblock.h>
#include <asm/bug.h>
@@ -177,6 +178,7 @@ static unsigned long __init free_all_boo
if (!bdata->node_bootmem_map)
return 0;
+ crashlog_init_bootmem(bdata);
start = bdata->node_min_pfn;
end = bdata->node_low_pfn;
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -106,6 +106,9 @@ static LIST_HEAD(modules);
#ifdef CONFIG_KGDB_KDB
struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
#endif /* CONFIG_KGDB_KDB */
+#ifdef CONFIG_CRASHLOG
+struct list_head *crashlog_modules = &modules;
+#endif
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -19,6 +19,7 @@
#include <linux/debugfs.h>
#include <linux/seq_file.h>
#include <linux/memblock.h>
+#include <linux/crashlog.h>
static struct memblock_region memblock_memory_init_regions[INIT_MEMBLOCK_REGIONS] __initdata_memblock;
static struct memblock_region memblock_reserved_init_regions[INIT_MEMBLOCK_REGIONS] __initdata_memblock;
@@ -344,6 +345,8 @@ static void __init_memblock memblock_ins
memblock_set_region_node(rgn, nid);
type->cnt++;
type->total_size += size;
+ if (type == &memblock.memory && idx == 0)
+ crashlog_init_memblock(base, size);
}
/**
Reference in New Issue View Git Blame Copy Permalink