Re: [PATCH v4] perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
From: Arnaldo Carvalho de Melo
Date: Thu Jun 04 2026 - 10:16:27 EST
On Thu, May 28, 2026 at 10:34:55AM -0700, Namhyung Kim wrote:
> On Thu, May 28, 2026 at 02:23:55PM +0800, Rui Qi wrote:
> > In kallsyms__parse(), the loop reading symbol names iterates with
> > i < sizeof(symbol_name), which allows i to reach sizeof(symbol_name)
> > upon loop exit. The subsequent symbol_name[i] = '\0' then writes one
> > byte past the end of the stack-allocated symbol_name[] array.
> >
> > Fix this by changing the loop bound to KSYM_NAME_LEN, so
> > the null terminator always lands within the array. The overflow is
> > triggerable by a kallsyms entry with a symbol name of KSYM_NAME_LEN+1
> > or more characters (e.g., long Rust mangled names or a malicious
> > /proc/kallsyms).
> >
> > Fixes: 53df2b934412 ("libsymbols kallsyms: Parse using io api")
> > Signed-off-by: Rui Qi <qirui.001@xxxxxxxxxxxxx>
>
> Acked-by: Namhyung Kim <namhyung@xxxxxxxxxx>
Thanks, applied to perf-tools-next, for v7.2.
- Arnaldo
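The off-by-one described in the commit message above, modelled as an added C example (not perf's code): the buggy and fixed loop bounds side by side, plus a small parser for one kallsyms line. It assumes a `symbol_name[KSYM_NAME_LEN + 1]` buffer, uses a constructed small `KSYM_NAME_LEN` so the boundary is visible, and reads from a string instead of perf's io API; the demo-only guard keeps it from performing the overflow itself and reports the would-be write index instead.

```c
#include <stddef.h>
#include <stdlib.h>

#define KSYM_NAME_LEN 8			/* constructed stand-in; perf's real value is larger */
#define NAME_SIZE (KSYM_NAME_LEN + 1)	/* sizeof(symbol_name) in the real function */

/* Copy the name field (up to '\n' or end of input) into name[NAME_SIZE], iterating up to
 * loop_bound, the only thing the fix changes. Returns the index the loop exits with,
 * where '\0' goes next; it is stored only if it fits, so this demo never overflows.
 * A return value equal to NAME_SIZE is the one-past-the-end write the commit describes. */
static size_t copy_symbol_name(const char *field, char *name, size_t loop_bound)
{
	size_t i;
	if (loop_bound > NAME_SIZE)	/* guard for this demo only */
		loop_bound = NAME_SIZE;
	for (i = 0; i < loop_bound; i++) {
		if (field[i] == '\n' || field[i] == '\0')
			break;
		name[i] = field[i];
	}
	if (i < NAME_SIZE)
		name[i] = '\0';
	return i;
}

/* Before the fix: bound is sizeof(symbol_name), so i can reach NAME_SIZE. */
static size_t parse_name_buggy(const char *field)
{
	char symbol_name[NAME_SIZE];
	return copy_symbol_name(field, symbol_name, sizeof(symbol_name));
}

/* After the fix: bound is KSYM_NAME_LEN, so '\0' lands at index KSYM_NAME_LEN at most. */
static size_t parse_name_fixed(const char *field)
{
	char symbol_name[NAME_SIZE];
	return copy_symbol_name(field, symbol_name, KSYM_NAME_LEN);
}

struct ksym { unsigned long long start; char type; char name[NAME_SIZE]; };
/* Parse one "<hex start> <type> <name>" line with the fixed bound; 1 on success, 0 otherwise. */
static int parse_kallsyms_line(const char *line, struct ksym *out)
{
	char *end;
	out->start = strtoull(line, &end, 16);
	if (end == line || end[0] != ' ' || end[1] == '\0' || end[2] != ' ')
		return 0;
	out->type = end[1];
	return copy_symbol_name(end + 3, out->name, KSYM_NAME_LEN) < NAME_SIZE;
}
```

A name of exactly KSYM_NAME_LEN + 1 characters is the shortest input that makes the buggy variant return NAME_SIZE, matching the trigger condition in the commit message; the fixed variant truncates such a name instead.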