From: Namhyung Kim <namhyung@kernel.org>
To: Rui Qi <qirui.001@bytedance.com>
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com,
james.clark@linaro.org, linux-perf-users@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
Date: Wed, 27 May 2026 10:35:29 -0700 [thread overview]
Message-ID: <ahcrYd2xj1gWvl0m@google.com> (raw)
In-Reply-To: <20260527075716.1642712-1-qirui.001@bytedance.com>
On Wed, May 27, 2026 at 03:57:16PM +0800, Rui Qi wrote:
> In kallsyms__parse(), the loop reading symbol names iterates with
> i < sizeof(symbol_name), which allows i to reach sizeof(symbol_name)
> upon loop exit. The subsequent symbol_name[i] = '\0' then writes one
> byte past the end of the stack-allocated symbol_name[] array.
>
> Fix this by changing the loop bound to sizeof(symbol_name) - 1, so
> the null terminator always lands within the array. The overflow is
> triggerable by a kallsyms entry with a symbol name of KSYM_NAME_LEN+1
> or more characters (e.g., long Rust mangled names or a malicious
> /proc/kallsyms).
>
> Fixes: 53df2b934412 ("libsymbols kallsyms: Parse using io api")
> Signed-off-by: Rui Qi <qirui.001@bytedance.com>
>
> ---
>
> Changes in v3:
> - Use KSYM_NAME_LEN instead of sizeof(symbol_name) - 1 for the
> overflow check, as suggested by Namhyung.
>
> Changes in v2:
> - Added read_to_eol(&io) when a symbol name exceeds the buffer size,
> preventing remaining characters from being parsed as the next symbol entry.
> - Added Fixes tag.
> ---
> tools/lib/symbol/kallsyms.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/tools/lib/symbol/kallsyms.c b/tools/lib/symbol/kallsyms.c
> index e335ac2b9e19..198bfc7c1f63 100644
> --- a/tools/lib/symbol/kallsyms.c
> +++ b/tools/lib/symbol/kallsyms.c
> @@ -60,7 +60,7 @@ int kallsyms__parse(const char *filename, void *arg,
> read_to_eol(&io);
> continue;
> }
> - for (i = 0; i < sizeof(symbol_name); i++) {
> + for (i = 0; i < sizeof(symbol_name) - 1; i++) {
Oh. I meant here as well.
Thanks,
Namhyung
> ch = io__get_char(&io);
> if (ch < 0 || ch == '\n')
> break;
> @@ -68,6 +68,9 @@ int kallsyms__parse(const char *filename, void *arg,
> }
> symbol_name[i] = '\0';
>
> + if (i == KSYM_NAME_LEN)
> + read_to_eol(&io);
> +
> err = process_symbol(arg, symbol_name, symbol_type, start);
> if (err)
> break;
> --
> 2.20.1
next prev parent reply other threads:[~2026-05-27 17:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 7:07 [PATCH v2] perf: Fix off-by-one stack buffer overflow in kallsyms__parse() Rui Qi
2026-05-26 2:09 ` Namhyung Kim
2026-05-27 7:57 ` [PATCH v3] " Rui Qi
2026-05-27 17:35 ` Namhyung Kim [this message]
2026-05-28 6:23 ` [PATCH v4] " Rui Qi
2026-05-28 17:34 ` Namhyung Kim
2026-06-04 13:55 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahcrYd2xj1gWvl0m@google.com \
--to=namhyung@kernel.org \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=qirui.001@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.