From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Ingo Molnar <mingo@kernel.org>, Thomas Gleixner <tglx@linutronix.de>
Cc: Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
	Clark Williams <williams@redhat.com>,
	linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
	disconnect3d <dominik.b.czarnota@gmail.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Changbin Du <changbin.du@intel.com>, Jiri Olsa <jolsa@redhat.com>,
	John Keeping <john@metanate.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Michael Lentine <mlentine@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Song Liu <songliubraving@fb.com>,
	Stephane Eranian <eranian@google.com>,
	Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: [PATCH 2/6] perf map: Fix off by one in strncpy() size argument
Date: Mon,  9 Mar 2020 15:53:19 -0300
Message-ID: <20200309185323.22583-3-acme@kernel.org>
In-Reply-To: <20200309185323.22583-1-acme@kernel.org>

From: disconnect3d <dominik.b.czarnota@gmail.com>

This patch fixes an off-by-one error in the strncpy size argument in
tools/perf/util/map.c. The issue is that in:

        strncmp(filename, "/system/lib/", 11)

the passed string literal: "/system/lib/" has 12 bytes (without the NULL
byte) and the passed size argument is 11. As a result, the logic won't
match the ending "/" byte and will pass filepaths that are stored in
other directories e.g. "/system/libmalicious/bin" or just
"/system/libmalicious".

This functionality seems to be present only on Android. I assume the
/system/ directory is only writable by the root user, so I don't think
this bug has much (or any) security impact.
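The off-by-one described above, reproduced as a stand-alone C example that is not part of the perf tree or this patch: the buggy check passes only 11 of the literal's 12 bytes to strncmp(), so the trailing "/" is never compared and sibling directories such as "/system/libmalicious" slip through. The fixed variant derives the length from sizeof() so the constant cannot drift from the literal. The helper names and the STR_PREFIX_LEN macro are this example's own, not perf's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example macro (not from perf): length of a string literal without its
 * terminating NUL, computed at compile time so it always matches the text. */
#define STR_PREFIX_LEN(lit) (sizeof(lit) - 1)

/* Reproduces the bug from the commit message: "/system/lib/" is 12 bytes,
 * but only 11 are compared, so the trailing '/' is never checked. */
static bool matches_buggy(const char *filename)
{
	return strncmp(filename, "/system/lib/", 11) == 0;
}

/* Corrected check: compare the full literal, with the length derived from
 * the literal itself instead of a hand-counted constant. */
static bool matches_fixed(const char *filename)
{
	return strncmp(filename, "/system/lib/", STR_PREFIX_LEN("/system/lib/")) == 0;
}

int main(void)
{
	/* Constructed sample paths: one genuine library path, two siblings that
	 * share the 11-byte prefix but live outside /system/lib/. */
	const char *paths[] = {
		"/system/lib/libc.so",
		"/system/libmalicious/bin",
		"/system/libmalicious",
		"/system/lib",
	};

	for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%-28s buggy=%d fixed=%d\n", paths[i],
		       matches_buggy(paths[i]), matches_fixed(paths[i]));
	return 0;
}
```

The printed comparison shows the defender-relevant property: only the fixed check restricts the remapping to paths that really are under /system/lib/.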

Fixes: eca818369996 ("perf tools: Add automatic remapping of Android libraries")
Signed-off-by: disconnect3d <dominik.b.czarnota@gmail.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Changbin Du <changbin.du@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: John Keeping <john@metanate.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Michael Lentine <mlentine@google.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lore.kernel.org/lkml/20200309104855.3775-1-dominik.b.czarnota@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
index 95428511300d..b342f744b1fc 100644
--- a/tools/perf/util/map.c
+++ b/tools/perf/util/map.c
@@ -89,7 +89,7 @@ static inline bool replace_android_lib(const char *filename, char *newfilename)
 		return true;
 	}
 
-	if (!strncmp(filename, "/system/lib/", 11)) {
+	if (!strncmp(filename, "/system/lib/", 12)) {
 		char *ndk, *app;
 		const char *arch;
 		size_t ndk_length;
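Review bot: The subject line and commit message say the fix is to a strncpy() size argument, but the changed call in this hunk is strncmp(); the wording should be corrected before merge so the history stays accurate and searchable. The fix itself is right (12 matches the length of "/system/lib/"), but a magic number is how the bug got in; writing the length as `sizeof("/system/lib/") - 1` would keep the constant tied to the literal if either is edited later.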
-- 
2.21.1
