From: "Kumar, Kaushlendra" <kaushlendra.kumar@intel.com>
To: Harry Yoo <harry.yoo@oracle.com>
Cc: "akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"vbabka@suse.cz" <vbabka@suse.cz>, "cl@linux.com" <cl@linux.com>,
"rientjes@google.com" <rientjes@google.com>,
"roman.gushchin@linux.dev" <roman.gushchin@linux.dev>
Subject: Re: [PATCH] tools/mm/slabinfo: fix buffer overflows in fread operations
Date: Fri, 29 Aug 2025 13:12:16 +0000 [thread overview]
Message-ID: <LV3PR11MB876815B8AF0B65C417B77343F53AA@LV3PR11MB8768.namprd11.prod.outlook.com> (raw)
In-Reply-To: <aLGUNRIKgRNkgY0v@hyeyoo>
[-- Attachment #1: Type: text/plain, Size: 4492 bytes --]
On Fri, Aug 29, 2025 at 03:29:47PM +0530, Kaushlendra Kumar wrote:
> The fread() calls in read_slab_obj() and read_debug_slab_obj() can
> read up to sizeof(buffer) bytes, but then unconditionally write a null
> terminator at buffer[l]. If fread() returns sizeof(buffer), this
> writes beyond the allocated buffer boundaries.
>
> Fix by limiting reads to sizeof(buffer) - 1 bytes in both functions,
> ensuring space is always reserved for null termination. This prevents
> buffer overflows while maintaining proper string handling.
>
> Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
> ---
> Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
>
> A side question, did you observe this while using the tool?
> Perhaps that means we need to make the buffer bigger.
Thanks for the review!
I discovered this issue while testing some local modifications to the code.
For now, let's keep the current buffer size and address the overflow with this fix.
> tools/mm/slabinfo.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/tools/mm/slabinfo.c b/tools/mm/slabinfo.c index
> 1433eff99feb..1a7f2874c625 100644
> --- a/tools/mm/slabinfo.c
> +++ b/tools/mm/slabinfo.c
> @@ -228,7 +228,7 @@ static unsigned long read_slab_obj(struct slabinfo *s, const char *name)
> buffer[0] = 0;
> l = 0;
> } else {
> - l = fread(buffer, 1, sizeof(buffer), f);
> + l = fread(buffer, 1, sizeof(buffer) - 1, f);
> buffer[l] = 0;
> fclose(f);
> }
> @@ -247,7 +247,7 @@ static unsigned long read_debug_slab_obj(struct slabinfo *s, const char *name)
> buffer[0] = 0;
> l = 0;
> } else {
> - l = fread(buffer, 1, sizeof(buffer), f);
> + l = fread(buffer, 1, sizeof(buffer) - 1, f);
> buffer[l] = 0;
> fclose(f);
> }
> --
> 2.34.1
________________________________
From: Harry Yoo <harry.yoo@oracle.com>
Sent: Friday, August 29, 2025 5:21 PM
To: Kumar, Kaushlendra <kaushlendra.kumar@intel.com>
Cc: akpm@linux-foundation.org <akpm@linux-foundation.org>; linux-mm@kvack.org <linux-mm@kvack.org>; vbabka@suse.cz <vbabka@suse.cz>; cl@linux.com <cl@linux.com>; rientjes@google.com <rientjes@google.com>; roman.gushchin@linux.dev <roman.gushchin@linux.dev>
Subject: Re: [PATCH] tools/mm/slabinfo: fix buffer overflows in fread operations
On Fri, Aug 29, 2025 at 03:29:47PM +0530, Kaushlendra Kumar wrote:
> The fread() calls in read_slab_obj() and read_debug_slab_obj() can read
> up to sizeof(buffer) bytes, but then unconditionally write a null
> terminator at buffer[l]. If fread() returns sizeof(buffer), this writes
> beyond the allocated buffer boundaries.
>
> Fix by limiting reads to sizeof(buffer) - 1 bytes in both functions,
> ensuring space is always reserved for null termination. This prevents
> buffer overflows while maintaining proper string handling.
>
> Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
> ---
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
A side question, did you observe this while using the tool?
Perhaps that means we need to make the buffer bigger.
> tools/mm/slabinfo.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/tools/mm/slabinfo.c b/tools/mm/slabinfo.c
> index 1433eff99feb..1a7f2874c625 100644
> --- a/tools/mm/slabinfo.c
> +++ b/tools/mm/slabinfo.c
> @@ -228,7 +228,7 @@ static unsigned long read_slab_obj(struct slabinfo *s, const char *name)
> buffer[0] = 0;
> l = 0;
> } else {
> - l = fread(buffer, 1, sizeof(buffer), f);
> + l = fread(buffer, 1, sizeof(buffer) - 1, f);
> buffer[l] = 0;
> fclose(f);
> }
> @@ -247,7 +247,7 @@ static unsigned long read_debug_slab_obj(struct slabinfo *s, const char *name)
> buffer[0] = 0;
> l = 0;
> } else {
> - l = fread(buffer, 1, sizeof(buffer), f);
> + l = fread(buffer, 1, sizeof(buffer) - 1, f);
> buffer[l] = 0;
> fclose(f);
> }
> --
> 2.34.1
--
Cheers,
Harry / Hyeonggon
[-- Attachment #2: Type: text/html, Size: 15737 bytes --]
next prev parent reply other threads:[~2025-08-29 13:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 9:59 [PATCH] tools/mm/slabinfo: fix buffer overflows in fread operations Kaushlendra Kumar
2025-08-29 11:51 ` Harry Yoo
2025-08-29 13:12 ` Kumar, Kaushlendra [this message]
2025-08-29 15:30 ` Kumar, Kaushlendra
2025-08-29 18:52 ` SeongJae Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=LV3PR11MB876815B8AF0B65C417B77343F53AA@LV3PR11MB8768.namprd11.prod.outlook.com \
--to=kaushlendra.kumar@intel.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=harry.yoo@oracle.com \
--cc=linux-mm@kvack.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).