mako: debug: Fix the buffer overflow on dumping logs

Possible buffer overflow when the crash log is stored in crash_dump_log->buffer. You should check the buffer size before storing the crash log. Change-Id: Icfe8010d9825f2db1165de8dd3683cd7b53749b3
2013-02-08 07:05:03 -08:00
parent 1d36299b6a
commit fe2246c68d
1 changed files with 13 additions and 3 deletions
--- a/arch/arm/mach-msm/lge/lge_panic_handler.c
+++ b/arch/arm/mach-msm/lge/lge_panic_handler.c
@@ -174,10 +174,15 @@ void set_crash_store_disable(void)

 void store_crash_log(char *p)
 {
+	if (!crash_dump_log)
+		return;
+
 	if (!crash_store_flag)
 		return;
+
 	if (crash_dump_log->size == crash_buf_size)
 		return;
+
 	for ( ; *p; p++) {
 		if (*p == '[') {
 			for ( ; *p != ']'; p++)
@@ -191,8 +196,12 @@ void store_crash_log(char *p)
 				;
 			p++;
 		}
-		crash_dump_log->buffer[crash_dump_log->size] = *p;
-		crash_dump_log->size++;
+
+		crash_dump_log->buffer[crash_dump_log->size++] = *p;
+
+		/* check the buffer size */
+		if (crash_dump_log->size == crash_buf_size)
+			break;
 	}
 	crash_dump_log->buffer[crash_dump_log->size] = 0;

@@ -265,7 +274,8 @@ static int __init panic_handler_probe(struct platform_device *pdev)
 	memset(crash_dump_log, 0, buffer_size);
 	crash_dump_log->magic_key = NORMAL_MAGIC_KEY;
 	crash_dump_log->size = 0;
-	crash_buf_size = buffer_size - offsetof(struct crash_log_dump, buffer);
+	crash_buf_size =
+		buffer_size - offsetof(struct crash_log_dump, buffer) - 1;
 #ifdef CONFIG_CPU_CP15_MMU
 	ctx_buf = (void *)(buffer + buffer_size);
 	cpu_crash_ctx = (unsigned long *)ctx_buf;