From owner-svn-src-all@FreeBSD.ORG Tue Jun 7 05:04:38 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0722E106564A; Tue, 7 Jun 2011 05:04:38 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id EA4ED8FC0A; Tue, 7 Jun 2011 05:04:37 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p5754bdU066433; Tue, 7 Jun 2011 05:04:37 GMT (envelope-from ken@svn.freebsd.org) Received: (from ken@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p5754bsm066431; Tue, 7 Jun 2011 05:04:37 GMT (envelope-from ken@svn.freebsd.org) Message-Id: <201106070504.p5754bsm066431@svn.freebsd.org> From: "Kenneth D. Merry" Date: Tue, 7 Jun 2011 05:04:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r222804 - head/sys/kern X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jun 2011 05:04:38 -0000 Author: ken Date: Tue Jun 7 05:04:37 2011 New Revision: 222804 URL: http://svn.freebsd.org/changeset/base/222804 Log: Set pca.p_bufr to NULL when we haven't allocated a buffer. Otherwise, p_bufr is set to garbage on the stack, and if that garbage happens to be non-NULL, and the TOLOG or TOCONS flag is set, putbuf() will get called and attempt to fill the non-existent buffer. This is really only relevant for tprintf() (and only when the priority is not -1), but set it in uprintf() and ttyprintf() for completeness. The next step, to avoid log buffer scrambling, would be to add the PRINTF_BUFR_SIZE code to tprintf(), but this should prevent panics. Submitted by: rmacklem Found by: pho Modified: head/sys/kern/subr_prf.c Modified: head/sys/kern/subr_prf.c ============================================================================== --- head/sys/kern/subr_prf.c Tue Jun 7 04:38:33 2011 (r222803) +++ head/sys/kern/subr_prf.c Tue Jun 7 05:04:37 2011 (r222804) @@ -163,6 +163,7 @@ uprintf(const char *fmt, ...) goto out; } pca.flags = TOTTY; + pca.p_bufr = NULL; va_start(ap, fmt); tty_lock(pca.tty); retval = kvprintf(fmt, putchar, &pca, 10, ap); @@ -206,6 +207,7 @@ tprintf(struct proc *p, int pri, const c pca.pri = pri; pca.tty = tp; pca.flags = flags; + pca.p_bufr = NULL; va_start(ap, fmt); if (pca.tty != NULL) tty_lock(pca.tty); @@ -234,6 +236,7 @@ ttyprintf(struct tty *tp, const char *fm va_start(ap, fmt); pca.tty = tp; pca.flags = TOTTY; + pca.p_bufr = NULL; retval = kvprintf(fmt, putchar, &pca, 10, ap); va_end(ap); return (retval);