From: Namhyung Kim <namhyung@kernel.org>
To: Rui Qi <qirui.001@bytedance.com>
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com,
james.clark@linaro.org, linux-perf-users@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
Date: Wed, 27 May 2026 10:35:29 -0700 [thread overview]
Message-ID: <ahcrYd2xj1gWvl0m@google.com> (raw)
In-Reply-To: <20260527075716.1642712-1-qirui.001@bytedance.com>
On Wed, May 27, 2026 at 03:57:16PM +0800, Rui Qi wrote:
> In kallsyms__parse(), the loop reading symbol names iterates with
> i < sizeof(symbol_name), which allows i to reach sizeof(symbol_name)
> upon loop exit. The subsequent symbol_name[i] = '\0' then writes one
> byte past the end of the stack-allocated symbol_name[] array.
>
> Fix this by changing the loop bound to sizeof(symbol_name) - 1, so
> the null terminator always lands within the array. The overflow is
> triggerable by a kallsyms entry with a symbol name of KSYM_NAME_LEN+1
> or more characters (e.g., long Rust mangled names or a malicious
> /proc/kallsyms).
>
> Fixes: 53df2b934412 ("libsymbols kallsyms: Parse using io api")
> Signed-off-by: Rui Qi <qirui.001@bytedance.com>
>
> ---
>
> Changes in v3:
> - Use KSYM_NAME_LEN instead of sizeof(symbol_name) - 1 for the
> overflow check, as suggested by Namhyung.
>
> Changes in v2:
> - Added read_to_eol(&io) when a symbol name exceeds the buffer size,
> preventing remaining characters from being parsed as the next symbol entry.
> - Added Fixes tag.
> ---
> tools/lib/symbol/kallsyms.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/tools/lib/symbol/kallsyms.c b/tools/lib/symbol/kallsyms.c
> index e335ac2b9e19..198bfc7c1f63 100644
> --- a/tools/lib/symbol/kallsyms.c
> +++ b/tools/lib/symbol/kallsyms.c
> @@ -60,7 +60,7 @@ int kallsyms__parse(const char *filename, void *arg,
> read_to_eol(&io);
> continue;
> }
> - for (i = 0; i < sizeof(symbol_name); i++) {
> + for (i = 0; i < sizeof(symbol_name) - 1; i++) {
Oh. I meant here as well.
Thanks,
Namhyung
> ch = io__get_char(&io);
> if (ch < 0 || ch == '\n')
> break;
> @@ -68,6 +68,9 @@ int kallsyms__parse(const char *filename, void *arg,
> }
> symbol_name[i] = '\0';
>
> + if (i == KSYM_NAME_LEN)
> + read_to_eol(&io);
> +
> err = process_symbol(arg, symbol_name, symbol_type, start);
> if (err)
> break;
> --
> 2.20.1
prev parent reply other threads:[~2026-05-27 17:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 7:07 [PATCH v2] perf: Fix off-by-one stack buffer overflow in kallsyms__parse() Rui Qi
2026-05-26 2:09 ` Namhyung Kim
2026-05-27 7:57 ` [PATCH v3] " Rui Qi
2026-05-27 17:35 ` Namhyung Kim [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahcrYd2xj1gWvl0m@google.com \
--to=namhyung@kernel.org \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=qirui.001@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox