scripts/kallsyms: fix memory corruption caused by write over-run
diff mbox series

Message ID 20200210161852.842-1-masahiroy@kernel.org
State New
Headers show
Series
  • scripts/kallsyms: fix memory corruption caused by write over-run
Related show

Commit Message

Masahiro Yamada Feb. 10, 2020, 4:18 p.m. UTC
scripts/kallsyms crashes because memcpy() writes one more byte than
allocated.

Fixes: 8d60526999aa ("scripts/kallsyms: change table to store (strcut sym_entry *)")
Reported-by: youling257 <youling257@gmail.com>
Reported-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 scripts/kallsyms.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Pavel Machek Feb. 10, 2020, 6:58 p.m. UTC | #1
On Tue 2020-02-11 01:18:52, Masahiro Yamada wrote:
> scripts/kallsyms crashes because memcpy() writes one more byte than
> allocated.
> 
> Fixes: 8d60526999aa ("scripts/kallsyms: change table to store (strcut sym_entry *)")
> Reported-by: youling257 <youling257@gmail.com>
> Reported-by: Pavel Machek <pavel@ucw.cz>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>


Tested-by: Pavel Machek <pavel@ucw.cz>

Thanks!
								Pavel
Justin Capella Feb. 11, 2020, 2:36 a.m. UTC | #2
Looks like len is already +1, maybe it shouldn't be?

>         len = strlen(name) + 1;
>
> -       sym = malloc(sizeof(*sym) + len);
> +       sym = malloc(sizeof(*sym) + len + 1);


Maybe strlcpy or if len wasn't incremented?

>
> -       memcpy(sym_name(sym), name, len);
> +       strcpy(sym_name(sym), name);
>
Masahiro Yamada Feb. 11, 2020, 2:46 p.m. UTC | #3
Hi.

On Tue, Feb 11, 2020 at 11:36 AM Justin Capella <justincapella@gmail.com> wrote:
>
> Looks like len is already +1, maybe it shouldn't be?

This increment is for storing one more character, 'type'.

        sym->sym[0] = type;



> >         len = strlen(name) + 1;
> >
> > -       sym = malloc(sizeof(*sym) + len);
> > +       sym = malloc(sizeof(*sym) + len + 1);


This increment is for the '\0' termination.



So, malloc() needs to allocate:
sizeof(*sym) + strlen(name) + 2.





>
>
> Maybe strlcpy or if len wasn't incremented?
>
> >
> > -       memcpy(sym_name(sym), name, len);
> > +       strcpy(sym_name(sym), name);
> >
Masahiro Yamada Feb. 12, 2020, 9:20 a.m. UTC | #4
On Tue, Feb 11, 2020 at 1:19 AM Masahiro Yamada <masahiroy@kernel.org> wrote:
>
> scripts/kallsyms crashes because memcpy() writes one more byte than
> allocated.
>
> Fixes: 8d60526999aa ("scripts/kallsyms: change table to store (strcut sym_entry *)")
> Reported-by: youling257 <youling257@gmail.com>
> Reported-by: Pavel Machek <pavel@ucw.cz>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---

Applied.
I will send a pull request shortly
because many people are tripping over this bug.




>  scripts/kallsyms.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
> index a566d8201b56..0133dfaaf352 100644
> --- a/scripts/kallsyms.c
> +++ b/scripts/kallsyms.c
> @@ -210,7 +210,7 @@ static struct sym_entry *read_symbol(FILE *in)
>
>         len = strlen(name) + 1;
>
> -       sym = malloc(sizeof(*sym) + len);
> +       sym = malloc(sizeof(*sym) + len + 1);
>         if (!sym) {
>                 fprintf(stderr, "kallsyms failure: "
>                         "unable to allocate required amount of memory\n");
> @@ -219,7 +219,7 @@ static struct sym_entry *read_symbol(FILE *in)
>         sym->addr = addr;
>         sym->len = len;
>         sym->sym[0] = type;
> -       memcpy(sym_name(sym), name, len);
> +       strcpy(sym_name(sym), name);
>         sym->percpu_absolute = 0;
>
>         return sym;
> --
> 2.17.1
>

Patch
diff mbox series

diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
index a566d8201b56..0133dfaaf352 100644
--- a/scripts/kallsyms.c
+++ b/scripts/kallsyms.c
@@ -210,7 +210,7 @@  static struct sym_entry *read_symbol(FILE *in)
 
 	len = strlen(name) + 1;
 
-	sym = malloc(sizeof(*sym) + len);
+	sym = malloc(sizeof(*sym) + len + 1);
 	if (!sym) {
 		fprintf(stderr, "kallsyms failure: "
 			"unable to allocate required amount of memory\n");
@@ -219,7 +219,7 @@  static struct sym_entry *read_symbol(FILE *in)
 	sym->addr = addr;
 	sym->len = len;
 	sym->sym[0] = type;
-	memcpy(sym_name(sym), name, len);
+	strcpy(sym_name(sym), name);
 	sym->percpu_absolute = 0;
 
 	return sym;