]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
authorRui Qi <qirui.001@bytedance.com>
Thu, 28 May 2026 06:23:55 +0000 (14:23 +0800)
committerArnaldo Carvalho de Melo <acme@redhat.com>
Thu, 4 Jun 2026 13:58:47 +0000 (10:58 -0300)
commit68018df3f55eba96a20dd703f5f276a6518f4963
tree9c1a2866c1bf770f874c7acd745b7cbbcc27f393
parentca156ab12b2e2718b35dd6d30e0aea7be0edb11d
perf: Fix off-by-one stack buffer overflow in kallsyms__parse()

In kallsyms__parse(), the loop reading symbol names iterates with i <
sizeof(symbol_name), which allows i to reach sizeof(symbol_name) upon
loop exit. The subsequent symbol_name[i] = '\0' then writes one byte
past the end of the stack-allocated symbol_name[] array.

Fix this by changing the loop bound to KSYM_NAME_LEN, so the null
terminator always lands within the array. The overflow is triggerable by
a kallsyms entry with a symbol name of KSYM_NAME_LEN+1 or more
characters (e.g., long Rust mangled names or a malicious
/proc/kallsyms).

Fixes: 53df2b9344128984 ("libsymbols kallsyms: Parse using io api")
Signed-off-by: Rui Qi <qirui.001@bytedance.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/lib/symbol/kallsyms.c