kernel: crashlog: Avoid out-of-bounds write

vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.

Fix this by using vscnprintf which returns the actually written number
of chars.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>

SVN-Revision: 37820

target/linux/generic/patches-3.10/930-crashlog.patch

@@ -166,7 +166,7 @@
 +		return;
 +
 +	va_start(args, fmt);
-+	crashlog_buf->len += vsnprintf(
++	crashlog_buf->len += vscnprintf(
 +		&crashlog_buf->data[crashlog_buf->len],
 +		len, fmt, args);
 +	va_end(args);

target/linux/generic/patches-3.3/930-crashlog.patch

@@ -166,7 +166,7 @@
 +		return;
 +
 +	va_start(args, fmt);
-+	crashlog_buf->len += vsnprintf(
++	crashlog_buf->len += vscnprintf(
 +		&crashlog_buf->data[crashlog_buf->len],
 +		len, fmt, args);
 +	va_end(args);

target/linux/generic/patches-3.6/930-crashlog.patch

@@ -166,7 +166,7 @@
 +		return;
 +
 +	va_start(args, fmt);
-+	crashlog_buf->len += vsnprintf(
++	crashlog_buf->len += vscnprintf(
 +		&crashlog_buf->data[crashlog_buf->len],
 +		len, fmt, args);
 +	va_end(args);

target/linux/generic/patches-3.8/930-crashlog.patch

@@ -166,7 +166,7 @@
 +		return;
 +
 +	va_start(args, fmt);
-+	crashlog_buf->len += vsnprintf(
++	crashlog_buf->len += vscnprintf(
 +		&crashlog_buf->data[crashlog_buf->len],
 +		len, fmt, args);
 +	va_end(args);

target/linux/generic/patches-3.9/930-crashlog.patch

@@ -166,7 +166,7 @@
 +		return;
 +
 +	va_start(args, fmt);
-+	crashlog_buf->len += vsnprintf(
++	crashlog_buf->len += vscnprintf(
 +		&crashlog_buf->data[crashlog_buf->len],
 +		len, fmt, args);
 +	va_end(args);