From christoph.mallon@gmx.de  Tue Feb 12 08:34:40 2013
Message-Id: <E1U5BK1-0006ui-CR@rotluchs.lokal>
Date: Tue, 12 Feb 2013 09:34:37 +0100
From: Christoph Mallon <christoph.mallon@gmx.de>
Reply-To: Christoph Mallon <christoph.mallon@gmx.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] i386: Correct wrong usage of vsnprintf()
X-Send-Pr-Version: 3.114
X-GNATS-Notify: Kip Macy <kmacy@FreeBSD.org>

>Number:         176053
>Category:       kern
>Synopsis:       [xen] [patch] i386: Correct wrong usage of vsnprintf()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-xen
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 12 08:40:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Sun Feb 17 22:39:51 UTC 2013
>Originator:     Christoph Mallon
>Release:        
>Organization:
>Environment:


	
>Description:
printk() uses snprintf() wrong, which may lead to a buffer overrun.
retval might be larger than the size of buf.
In this case buf[retval] = 0; will write beyond the end of buf.
>How-To-Repeat:
	
>Fix:
Please apply the patch.

--- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch begins here ---
From 1fdbba2f44e3e2782c044d5b6a91beb701d10072 Mon Sep 17 00:00:00 2001
From: Christoph Mallon <christoph.mallon@gmx.de>
Date: Sat, 12 Jan 2013 09:36:40 +0100
Subject: [PATCH] i386: Correct wrong usage of vsnprintf().

- vsnprintf() always NUL terminates the string.
- retval might be larger than the size of buf.
---
 sys/i386/xen/xen_machdep.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/i386/xen/xen_machdep.c b/sys/i386/xen/xen_machdep.c
index 3b3da6f..32352bc 100644
--- a/sys/i386/xen/xen_machdep.c
+++ b/sys/i386/xen/xen_machdep.c
@@ -177,18 +177,17 @@ xen_boothowto(char *envp)
 	return howto;
 }
 
-#define PRINTK_BUFSIZE 1024
 void
 printk(const char *fmt, ...)
 {
         __va_list ap;
         int retval;
-        static char buf[PRINTK_BUFSIZE];
+	static char buf[1024];
 
         va_start(ap, fmt);
-        retval = vsnprintf(buf, PRINTK_BUFSIZE - 1, fmt, ap);
+	retval = vsnprintf(buf, sizeof(buf), fmt, ap);
         va_end(ap);
-        buf[retval] = 0;
+	retval = min(retval, (int)sizeof(buf) - 1);
         (void)HYPERVISOR_console_write(buf, retval);
 }
 
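Review bot: A negative return from vsnprintf() is not rejected in the added `retval = min(retval, (int)sizeof(buf) - 1);` line, which bounds only the upper side before the value is used as the length for HYPERVISOR_console_write(). Consider returning early when `retval < 0`, then clamping. The three added lines are also tab-indented while the unchanged lines of printk() around them use spaces; either match the surrounding whitespace here or reindent the whole function in a separate change. Output longer than the buffer is now truncated silently, which is worth a one-line comment above the clamp so the next reader does not reintroduce the `buf[retval] = 0;` pattern.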
-- 
1.8.1.3
--- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-xen 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Feb 17 22:39:23 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176053 
>Unformatted:
