From: Rusty Russell <rusty@rustcorp.com.au>
To: Chen Gang <gang.chen@asianux.com>, Stephen Boyd <sboyd@codeaurora.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] kernel: kallsyms: memory override issue, need check destination buffer length
Date: Thu, 11 Apr 2013 13:38:15 +0930 [thread overview]
Message-ID: <87eheh4sls.fsf@rustcorp.com.au> (raw)
In-Reply-To: <51662AC7.1090004@asianux.com>
Chen Gang <gang.chen@asianux.com> writes:
> We don't export any symbols > 128 characters, but if we did then
> kallsyms_expand_symbol() would overflow the buffer handed to it.
> So we need check destination buffer length when copying.
>
> the related test:
> if we define an EXPORT function which name more than 128.
> will panic when call kallsyms_lookup_name by init_kprobes on booting.
> after check the length (provide this patch), it is ok.
>
> Implementaion:
> add additional destination buffer length parameter (maxlen)
> if uncompressed string is too long (>= maxlen), it will be truncated.
> not check the parameters whether valid, since it is a static function.
>
>
> Signed-off-by: Chen Gang <gang.chen@asianux.com>
> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
??!!! I never signed this off! I've never seen it before!
Minor comments below:
> -static unsigned int kallsyms_expand_symbol(unsigned int off, char *result)
> +static unsigned int kallsyms_expand_symbol(unsigned int off,
> + char *result, int maxlen)
'size_t maxlen' would be more explicit.
> {
> int len, skipped_first = 0;
> const u8 *tptr, *data;
> + char *begin = result;
> /* Get the compressed symbol length from the first symbol byte. */
> data = &kallsyms_names[off];
> @@ -113,14 +116,16 @@ static unsigned int kallsyms_expand_symbol(unsigned int off, char *result)
> while (*tptr) {
> if (skipped_first) {
> - *result = *tptr;
> - result++;
> + *result++ = *tptr;
> + if (result - begin == maxlen - 1)
> + goto tail;
You could just decrement maxlen instead, and handle maxlen == 0 at the
same time:
if (maxlen <= 1)
goto tail;
*result = *tptr;
result++;
maxlen--;
> @@ -176,7 +181,7 @@ unsigned long kallsyms_lookup_name(const char *name)
> unsigned int off;
> for (i = 0, off = 0; i < kallsyms_num_syms; i++) {
> - off = kallsyms_expand_symbol(off, namebuf);
> + off = kallsyms_expand_symbol(off, namebuf, sizeof(namebuf));
> if (strcmp(namebuf, name) == 0)
> return kallsyms_addresses[i];
I prefer to use ARRAY_SIZE(namebuf) instead of sizeof(namebuf). That
way we break compile if the declaration is changed from an array to a
pointer one day.
Same for the others.
Thanks,
Rusty.
next prev parent reply other threads:[~2013-04-11 4:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-11 3:15 [PATCH] kernel: kallsyms: memory override issue, need check destination buffer length Chen Gang
2013-04-11 4:08 ` Rusty Russell [this message]
2013-04-11 4:19 ` Chen Gang
2013-04-11 5:32 ` [PATCH v2] " Chen Gang
2013-04-12 9:48 ` Chen Gang
2013-04-15 2:05 ` Rusty Russell
2013-04-15 4:30 ` Chen Gang
2013-04-15 4:47 ` [PATCH v3] " Chen Gang
2013-04-15 5:48 ` Rusty Russell
2013-04-16 1:19 ` Chen Gang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eheh4sls.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=akpm@linux-foundation.org \
--cc=gang.chen@asianux.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sboyd@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox