block: fix buffer overflow when printing partition UUIDs
commit
05c69d298c96703741cac9a5cbbf6c53bd55a6e2 upstream.
6d1d8050b4bc8 "block, partition: add partition_meta_info to hd_struct"
added part_unpack_uuid() which assumes that the passed in buffer has
enough space for sprintfing "%pU" - 37 characters including '\0'.
Unfortunately,
b5af921ec0233 "init: add support for root devices
specified by partition UUID" supplied 33 bytes buffer to the function
leading to the following panic with stackprotector enabled.
Kernel panic - not syncing: stack-protector: Kernel stack corrupted in:
ffffffff81b14c7e
[<
ffffffff815e226b>] panic+0xba/0x1c6
[<
ffffffff81b14c7e>] ? printk_all_partitions+0x259/0x26xb
[<
ffffffff810566bb>] __stack_chk_fail+0x1b/0x20
[<
ffffffff81b15c7e>] printk_all_paritions+0x259/0x26xb
[<
ffffffff81aedfe0>] mount_block_root+0x1bc/0x27f
[<
ffffffff81aee0fa>] mount_root+0x57/0x5b
[<
ffffffff81aee23b>] prepare_namespace+0x13d/0x176
[<
ffffffff8107eec0>] ? release_tgcred.isra.4+0x330/0x30
[<
ffffffff81aedd60>] kernel_init+0x155/0x15a
[<
ffffffff81087b97>] ? schedule_tail+0x27/0xb0
[<
ffffffff815f4d24>] kernel_thread_helper+0x5/0x10
[<
ffffffff81aedc0b>] ? start_kernel+0x3c5/0x3c5
[<
ffffffff815f4d20>] ? gs_change+0x13/0x13
Increase the buffer size, remove the dangerous part_unpack_uuid() and
use snprintf() directly from printk_all_partitions().
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Szymon Gruszczynski <sz.gruszczynski@googlemail.com>
Cc: Will Drewry <wad@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>