From: Michal Marek <mmarek@suse.cz>
To: Xiaochen Wang <wangxiaochen0@gmail.com>
Cc: Jean Sacren <sakiwit@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scripts/kallsyms.c: fix potential segfault
Date: Thu, 12 May 2011 17:24:37 +0200
Message-ID: <20110512152437.GL13293@sepie.suse.cz>
In-Reply-To: <20110501034141.GA13473@chii>
On Sun, May 01, 2011 at 11:41:41AM +0800, Xiaochen Wang wrote:
> Description:
> This bug hardly appears during real kernel compiling,
> because the vmlinux symbols table is huge.
>
> But we can still catch it under strict condition, as follows.
> $ echo "c101b97b T do_fork" | ./scripts/kallsyms --all-symbols
> #include <asm/types.h>
> ......
> ......
> .globl kallsyms_token_table
> ALGN
> kallsyms_token_table:
> Segmentation fault (core dumped)
> $
>
> If the symbols table is small, all entries in token_profit[0x10000] may
> decrease to 0 after several calls of compress_symbols() in optimize_result().
> In that case, find_best_token() always returns 0 and
> best_table[i] is set to "\0\0" and best_table_len[i] is set to 2.
>
> As a result, expand_symbol(best_table[0]="\0\0", best_table_len[0]=2, buf)
> in write_src() will run in infinite recursion until stack overflows,
> causing segfault.
>
> This patch checks the find_best_token() return value. If all entries in
> token_profit[0x10000] become 0 according to return value, it breaks the loop
> in optimize_result().
> And expand_symbol() works well when best_table_len[i] is 0.
>
>
> Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
> ---
> scripts/kallsyms.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
Pushed to kbuild-2.6.git#kbuild, thanks.
Michal
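The failure described in the quoted report and the check the patch adds, as an added C model that is not the scripts/kallsyms.c code itself; the simplified fill loop, the recursion depth bound and the single-symbol "do_fork" setup are assumptions made for the example:

```c
/* Added example, not scripts/kallsyms.c itself: a cut-down model of the token
 * table showing why a "\0\0"/len-2 slot makes expand_symbol() recurse forever
 * and how the patch's zero-profit check avoids it.  Setup details are assumed. */
#include <string.h>
static unsigned char best_table[256][2], best_table_len[256];
static int token_profit[0x10000];        /* profit per two-byte token */
static int find_best_token(void)         /* 0 once nothing is profitable */
{
	int i, best = 0;
	for (i = 1; i < 0x10000; i++) if (token_profit[i] > token_profit[best]) best = i;
	return best;
}
/* guard=0: old loop, keeps storing token 0 ("\0\0", len 2) after profit runs out. */
static void fill_best_table(int guard)
{
	int i, best;
	for (i = 255; i >= 0; i--) {
		if (best_table_len[i]) continue;
		best = find_best_token();
		if (guard && token_profit[best] == 0) break;   /* the patch's check */
		best_table[i][0] = best & 0xff, best_table[i][1] = best >> 8;
		best_table_len[i] = 2;
		token_profit[best] = 0;          /* token consumed */
	}
}
/* expand_symbol() with a depth bound: -1 models the stack overflow the
 * unbounded original hits when a slot expands to itself. */
static int expand_symbol(const unsigned char *data, int len, char *out, int depth)
{
	int c, rlen, total = 0;
	if (depth > 256) return -1;
	while (len--) {
		c = *data++;
		if (best_table[c][0] == c && best_table_len[c] == 1) { *out++ = c, total++; continue; }
		rlen = expand_symbol(best_table[c], best_table_len[c], out, depth + 1);
		if (rlen < 0) return -1;
		out += rlen, total += rlen;
	}
	*out = 0;
	return total;
}
/* "do_fork" from the report: single-char slots for its bytes plus one
 * profitable two-byte token "do"; then fill the remaining slots. */
static void setup_model(int guard)
{
	int c; const char *sym = "do_fork";
	memset(best_table_len, 0, sizeof best_table_len), memset(token_profit, 0, sizeof token_profit);
	while ((c = (unsigned char)*sym++)) best_table[c][0] = c, best_table_len[c] = 1;
	token_profit['d' | ('o' << 8)] = 1;
	fill_best_table(guard);
}
```

With guard=0 slot 0 ends up as "\0\0" with length 2 and expansion never terminates; with guard=1 the loop breaks, slot 0 stays empty and expand_symbol() returns 0 for it.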
Thread overview:
2011-05-01 3:41 [PATCH] scripts/kallsyms.c: fix potential segfault Xiaochen Wang
2011-05-03 11:56 ` Paulo Marques
2011-05-12 15:24 ` Michal Marek [this message]