Re: [PATCH] scripts/kallsyms: fix memory corruption caused by write over-run

From: Masahiro Yamada
Date: Tue Feb 11 2020 - 09:47:33 EST


Hi.

On Tue, Feb 11, 2020 at 11:36 AM Justin Capella <justincapella@xxxxxxxxx> wrote:
>
> Looks like len is already +1, maybe it shouldn't be?

This increment is for storing one more character, 'type'.

sym->sym[0] = type;



> > len = strlen(name) + 1;
> >
> > - sym = malloc(sizeof(*sym) + len);
> > + sym = malloc(sizeof(*sym) + len + 1);
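Review bot: the sizing arithmetic here deserves a comment in the code rather than a bare `len + 1`: `len` is already `strlen(name) + 1`, which pays for the NUL terminator, and the extra `+ 1` pays for the `type` byte stored at `sym->sym[0]`, so the entry needs `sizeof(*sym) + strlen(name) + 2` bytes in total. Without that note the next reader will ask the same "len is already +1" question.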


This increment is for the '\0' termination.



So, malloc() needs to allocate:
sizeof(*sym) + strlen(name) + 2.





>
>
> Maybe strlcpy or if len wasn't incremented?
>
> >
> > - memcpy(sym_name(sym), name, len);
> > + strcpy(sym_name(sym), name);
> >
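Review bot: `strcpy(sym_name(sym), name)` writes exactly the `strlen(name) + 1` bytes that `memcpy(sym_name(sym), name, len)` wrote, so this line does not change what reaches the buffer; the over-run is removed solely by the enlarged `malloc()` in the previous hunk. Worth saying in the commit message that this part is a behaviour-preserving cleanup, so nobody later reads it as the actual fix.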



--
Best Regards
Masahiro Yamada
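To make the arithmetic above concrete, here is an added example (not the kernel's code and not from this thread): a constructed stand-in for the kallsyms entry struct with the pre-fix and post-fix sizing side by side; the struct layout and the sym_name() helper are assumptions modelled on the quoted patch.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kallsyms entry, not the kernel's own struct:
 * a header field, then a flexible array holding the type byte and the name. */
struct sym_entry {
	unsigned int len;		/* type byte + name, NUL not counted */
	unsigned char sym[];
};

/* The name starts right after the type byte stored in sym[0]. */
static char *sym_name(const struct sym_entry *s)
{
	return (char *)s->sym + 1;
}
/* Bytes one entry really needs: header, type byte, name, NUL terminator. */
size_t sym_bytes_needed(const char *name)
{
	return sizeof(struct sym_entry) + 1 + strlen(name) + 1;
}
/* Pre-fix allocation: len = strlen(name) + 1 pays for the NUL but not for
 * the type byte, so every entry came out one byte short. */
size_t sym_bytes_before_fix(const char *name)
{
	return sizeof(struct sym_entry) + strlen(name) + 1;
}

/* Corrected sizing from the patch: malloc(sizeof(*sym) + len + 1). */
struct sym_entry *sym_create(char type, const char *name)
{
	size_t len = strlen(name) + 1;
	struct sym_entry *sym = malloc(sizeof(*sym) + len + 1);
	if (!sym)
		return NULL;
	sym->len = (unsigned int)len;
	sym->sym[0] = (unsigned char)type;
	strcpy(sym_name(sym), name);	/* strlen(name) + 1 bytes, NUL included */
	return sym;
}

/* Round trip: type byte and name survive and the block was exactly big enough. */
int sym_check(char type, const char *name)
{
	struct sym_entry *sym = sym_create(type, name);
	int ok = sym && sym->sym[0] == (unsigned char)type &&
		 strcmp(sym_name(sym), name) == 0 &&
		 sym_bytes_needed(name) == sizeof(*sym) + sym->len + 1;
	free(sym);
	return ok;
}
```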