NULL terminate over-long /proc/kallsyms symbols

NULL terminate over-long /proc/kallsyms symbols

[Andreas Gruenbacher]

Got a customer bug report (https://bugzilla.novell.com/190296)
about kernel symbols longer than 127 characters which end up in
a string buffer that is not NULL terminated, leading to garbage 
in /proc/kallsyms. Using strlcpy prevents this from happening,
even though such symbols still won't come out right.

A better fix would be to not use a fixed-size buffer, but it's
probably not worth the trouble. (Modversion'ed symbols even have
a length limit of 60.)

(This patch has been ested on a 2.6.16 kernel.)

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

Index: linux-2.6.17/kernel/module.c
===================================================================
--- linux-2.6.17.orig/kernel/module.c
+++ linux-2.6.17/kernel/module.c
@@ -1935,7 +1935,7 @@ struct module *module_get_kallsym(unsign
 		if (symnum < mod->num_symtab) {
 			*value = mod->symtab[symnum].st_value;
 			*type = mod->symtab[symnum].st_info;
-			strncpy(namebuf,
+			strlcpy(namebuf,
 				mod->strtab + mod->symtab[symnum].st_name,
 				127);
 			mutex_unlock(&module_mutex);

Re: NULL terminate over-long /proc/kallsyms symbols

[Daniel Bonekeeper]

Got a " You are not authorized to access bug #190296. To see this bug,
you must first log in to an account with the appropriate permissions."
on the referred bugzilla page.

What kind of symbol uses more than 127 characters, anyways ?

Daniel


-- 
What this world needs is a good five-dollar plasma weapon.

Re: NULL terminate over-long /proc/kallsyms symbols

[Christoph Hellwig]

On Wed, Jul 05, 2006 at 01:03:14PM -0400, Daniel Bonekeeper wrote:
> Got a " You are not authorized to access bug #190296. To see this bug,
> you must first log in to an account with the appropriate permissions."
> on the referred bugzilla page.
> 
> What kind of symbol uses more than 127 characters, anyways ?

Yes, good question.  Maybe we should just put an upper limit on symbol
length in the module postprocessing so people don't do such stupid things.

Re: NULL terminate over-long /proc/kallsyms symbols

[Avi Kivity]

Daniel Bonekeeper wrote:
>
> Got a " You are not authorized to access bug #190296. To see this bug,
> you must first log in to an account with the appropriate permissions."
> on the referred bugzilla page.
>
> What kind of symbol uses more than 127 characters, anyways ?
>

Maybe C++ mangled names.

I've seen names longer than early machines' main memory.

-- 
Do not meddle in the internals of kernels, for they are subtle and quick to panic.

Re: NULL terminate over-long /proc/kallsyms symbols

[Andreas Schwab]

Andreas Gruenbacher <agruen@suse.de> writes:

> Index: linux-2.6.17/kernel/module.c
> ===================================================================
> --- linux-2.6.17.orig/kernel/module.c
> +++ linux-2.6.17/kernel/module.c
> @@ -1935,7 +1935,7 @@ struct module *module_get_kallsym(unsign
>  		if (symnum < mod->num_symtab) {
>  			*value = mod->symtab[symnum].st_value;
>  			*type = mod->symtab[symnum].st_info;
> -			strncpy(namebuf,
> +			strlcpy(namebuf,
>  				mod->strtab + mod->symtab[symnum].st_name,
>  				127);

Just a minor point: you probably also want to change 127 to 128.
Unfortunately sizeof does not work here, despite the declaration.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: NULL terminate over-long /proc/kallsyms symbols

[Andrew Morton]

Andreas Gruenbacher <agruen@suse.de> wrote:
>
> Got a customer bug report (https://bugzilla.novell.com/190296)
> about kernel symbols longer than 127 characters which end up in
> a string buffer that is not NULL terminated, leading to garbage 
> in /proc/kallsyms. Using strlcpy prevents this from happening,
> even though such symbols still won't come out right.
> 
> A better fix would be to not use a fixed-size buffer, but it's
> probably not worth the trouble. (Modversion'ed symbols even have
> a length limit of 60.)
> 
> (This patch has been ested on a 2.6.16 kernel.)
> 
> Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
> 
> Index: linux-2.6.17/kernel/module.c
> ===================================================================
> --- linux-2.6.17.orig/kernel/module.c
> +++ linux-2.6.17/kernel/module.c
> @@ -1935,7 +1935,7 @@ struct module *module_get_kallsym(unsign
>  		if (symnum < mod->num_symtab) {
>  			*value = mod->symtab[symnum].st_value;
>  			*type = mod->symtab[symnum].st_info;
> -			strncpy(namebuf,
> +			strlcpy(namebuf,
>  				mod->strtab + mod->symtab[symnum].st_name,
>  				127);
>  			mutex_unlock(&module_mutex);

Yeah, that assume-the-caller-gave-us-a-128-byte-buffer is a bit rude.  How
about this?

 include/linux/module.h |    6 ++----
 kernel/kallsyms.c      |    4 ++--
 kernel/module.c        |   11 ++++-------
 3 files changed, 8 insertions(+), 13 deletions(-)

diff -puN kernel/module.c~null-terminate-over-long-proc-kallsyms-symbols kernel/module.c
--- a/kernel/module.c~null-terminate-over-long-proc-kallsyms-symbols
+++ a/kernel/module.c
@@ -2019,10 +2019,8 @@ const char *module_address_lookup(unsign
 	return NULL;
 }
 
-struct module *module_get_kallsym(unsigned int symnum,
-				  unsigned long *value,
-				  char *type,
-				  char namebuf[128])
+struct module *module_get_kallsym(unsigned int symnum, unsigned long *value,
+				char *type, char *name, size_t namelen)
 {
 	struct module *mod;
 
@@ -2031,9 +2029,8 @@ struct module *module_get_kallsym(unsign
 		if (symnum < mod->num_symtab) {
 			*value = mod->symtab[symnum].st_value;
 			*type = mod->symtab[symnum].st_info;
-			strncpy(namebuf,
-				mod->strtab + mod->symtab[symnum].st_name,
-				127);
+			strlcpy(name, mod->strtab + mod->symtab[symnum].st_name,
+				namelen);
 			mutex_unlock(&module_mutex);
 			return mod;
 		}
diff -puN include/linux/module.h~null-terminate-over-long-proc-kallsyms-symbols include/linux/module.h
--- a/include/linux/module.h~null-terminate-over-long-proc-kallsyms-symbols
+++ a/include/linux/module.h
@@ -362,10 +362,8 @@ int is_module_address(unsigned long addr
 
 /* Returns module and fills in value, defined and namebuf, or NULL if
    symnum out of range. */
-struct module *module_get_kallsym(unsigned int symnum,
-				  unsigned long *value,
-				  char *type,
-				  char namebuf[128]);
+struct module *module_get_kallsym(unsigned int symnum, unsigned long *value,
+				char *type, char *name, size_t namelen);
 
 /* Look for this name: can be of form module:name. */
 unsigned long module_kallsyms_lookup_name(const char *name);
diff -puN kernel/kallsyms.c~null-terminate-over-long-proc-kallsyms-symbols kernel/kallsyms.c
--- a/kernel/kallsyms.c~null-terminate-over-long-proc-kallsyms-symbols
+++ a/kernel/kallsyms.c
@@ -275,8 +275,8 @@ static void upcase_if_global(struct kall
 static int get_ksymbol_mod(struct kallsym_iter *iter)
 {
 	iter->owner = module_get_kallsym(iter->pos - kallsyms_num_syms,
-					 &iter->value,
-					 &iter->type, iter->name);
+					 &iter->value, &iter->type,
+					 iter->name, sizeof(iter->name));
 	if (iter->owner == NULL)
 		return 0;
 
_

Re: NULL terminate over-long /proc/kallsyms symbols

[Andreas Gruenbacher]

On Wednesday, 5. July 2006 21:34, Andrew Morton wrote:
> Yeah, that assume-the-caller-gave-us-a-128-byte-buffer is a bit rude.  How
> about this?

That's better, thanks.

Andreas