From owner-freebsd-i386@FreeBSD.ORG Tue Feb 12 08:40:00 2013
Date: Tue, 12 Feb 2013 09:34:37 +0100
From: Christoph Mallon
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.114
X-GNATS-Notify: Kip Macy
Subject: i386/176053: [PATCH] i386: Correct wrong usage of vsnprintf()
Reply-To: Christoph Mallon
List-Id: I386-specific issues for FreeBSD

>Number: 176053
>Category: i386
>Synopsis: [PATCH] i386: Correct wrong usage of vsnprintf()
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 12 08:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Christoph Mallon
>Release:
>Organization:
>Environment:
>Description:
printk() uses snprintf() wrong, which may lead to a buffer overrun.
retval might be larger than the size of buf.
In this case buf[retval] = 0; will write beyond the end of buf.
>How-To-Repeat:
>Fix:
Please apply the patch.

--- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch begins here ---
>From 1fdbba2f44e3e2782c044d5b6a91beb701d10072 Mon Sep 17 00:00:00 2001
From: Christoph Mallon
Date: Sat, 12 Jan 2013 09:36:40 +0100
Subject: [PATCH] i386: Correct wrong usage of vsnprintf().

- vsnprintf() always NUL terminates the string.
- retval might be larger than the size of buf.
---
 sys/i386/xen/xen_machdep.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/i386/xen/xen_machdep.c b/sys/i386/xen/xen_machdep.c
index 3b3da6f..32352bc 100644
--- a/sys/i386/xen/xen_machdep.c
+++ b/sys/i386/xen/xen_machdep.c
@@ -177,18 +177,17 @@ xen_boothowto(char *envp) return howto; } -#define PRINTK_BUFSIZE 1024 void printk(const char *fmt, ...) { __va_list ap; int retval; - static char buf[PRINTK_BUFSIZE]; + static char buf[1024]; va_start(ap, fmt); - retval = vsnprintf(buf, PRINTK_BUFSIZE - 1, fmt, ap); + retval = vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); - buf[retval] = 0; + retval = min(retval, (int)sizeof(buf) - 1); (void)HYPERVISOR_console_write(buf, retval); } -- 1.8.1.3 --- 0001-i386-Correct-wrong-usage-of-vsnprintf.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
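Review bot: the new clamp `retval = min(retval, (int)sizeof(buf) - 1);` bounds retval only from above, while retval is a signed int that is then passed as the length to HYPERVISOR_console_write(). If vsnprintf() can return a negative value in this environment, that value reaches the console write unchecked, so consider an explicit `if (retval < 0) return;` before the clamp. It is also worth confirming that min() takes signed int operands here; if it is an unsigned helper, the (int) cast on sizeof(buf) is misleading and a signed-int minimum would match the types better. Note too that buf is static with no locking visible in this hunk, so two concurrent callers would format into the same storage; that predates the patch but stays in place after it.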
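The return-value behaviour the report relies on, as an added userland C example (not code from the patch or from FreeBSD). The names raw_result, stored_len, DEMO_BUFSIZE, DEMO_MSG and demo_buf are constructed for illustration, and the buffer is deliberately small so that truncation is easy to trigger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUFSIZE 16  /* constructed: small on purpose */
#define DEMO_MSG "0123456789012345678901234567890123456789" /* 40 bytes */
static char demo_buf[DEMO_BUFSIZE];

/* Raw vsnprintf() result: the length the complete output WOULD have had,
 * not the number of bytes stored. Using it unbounded as an index or a
 * length is the defect described in the report. */
static int raw_result(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Bounded form: number of bytes actually present in buf (without the NUL).
 * An error return is treated as an empty string. */
static size_t stored_len(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;               /* nothing can be stored, not even a NUL */
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {                /* output error: leave a valid empty string */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n < size ? (size_t)n : size - 1;
}

int main(void)
{
    printf("raw=%d\n", raw_result(demo_buf, sizeof(demo_buf), "%s", DEMO_MSG));
    printf("stored=%zu\n", stored_len(demo_buf, sizeof(demo_buf), "%s", DEMO_MSG));
    return 0;
}
```

With the 40-byte input and a 16-byte buffer, the raw result is an index well past the end of the buffer, while the bounded length matches what strlen() reports for the stored string.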