Re: BUG: KASAN: slab-out-of-bounds in print_synth_event+0xa68/0xa78

From: Steven Rostedt
Date: Fri Aug 04 2023 - 13:36:37 EST


On Fri, 04 Aug 2023 18:32:48 +0200
Sven Schnelle <svens@xxxxxxxxxxxxx> wrote:

> > Can you show where exactly the above line is?
>
> It is:
>
> (gdb) list *(print_synth_event+0xa68)
> 0x5e4f60 is in print_synth_event (/home/svens/ibmgit/linux/kernel/trace/trace_events_synth.c:410).
> 405 p = (void *)entry + data_offset;
> 406 end = (void *)p + len - (sizeof(long) - 1);
> 407
> 408 trace_seq_printf(s, "%s=STACK:\n", se->fields[i]->name);
> 409
> 410 for (; *p && p < end; p++)

I think that conditional needs to be swapped. Can you test the following
change and see if the problem disappears?

> 411 trace_seq_printf(s, "=> %pS\n", (void *)*p);
> 412 n_u64++;
> 413
> 414 } else {

-- Steve

diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index dd398afc8e25..1e266e6436a0 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -407,7 +407,7 @@ static enum print_line_t print_synth_event(struct trace_iterator *iter,

trace_seq_printf(s, "%s=STACK:\n", se->fields[i]->name);

- for (; *p && p < end; p++)
+ for (; p < end && *p; p++)
trace_seq_printf(s, "=> %pS\n", (void *)*p);
n_u64++;
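Review bot: the reordering is the right fix for the report. With `*p && p < end` the word is dereferenced before the range test, so a stack field whose every word within `len` is nonzero reads the word at `end` on the final iteration, which is exactly the slab-out-of-bounds at line 410 that KASAN flagged; `p < end && *p` short-circuits at `end` without touching it. When this is resubmitted as a proper patch rather than a test diff, please add a changelog with a Fixes: tag for the commit that introduced the stack field printing and a Reported-by: for Sven, so the KASAN report is traceable from the history.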
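As an added illustration (not part of this thread or of the kernel source), the two loop conditions side by side. A constructed stack field of three nonzero words stands in for the synthetic event's stack, and a counting accessor replaces the raw dereference so the program can report which indexes each variant reads; the extra "neighbour" word after the field is there only so that the read at index 3 stays inside this program's own memory (in the kernel that word belongs to whatever follows the event in the slab, which is what the KASAN report is about). All names below are the example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Result of walking the stack field with one of the two loop conditions. */
struct walk_result {
	size_t frames;        /* words the loop treated as stack frames */
	size_t max_index;     /* highest index the loop dereferenced */
	int read_past_end;    /* 1 if any index >= n_words was dereferenced */
};

/*
 * Stand-in for the `*p` dereference: returns the word but records the
 * index that was touched. Reading words[idx] for idx == n_words is only
 * safe here because the sample buffer carries one neighbour word; a real
 * event has no such guarantee.
 */
static long read_word(const long *words, size_t idx, size_t n_words,
		      struct walk_result *r)
{
	if (idx > r->max_index)
		r->max_index = idx;
	if (idx >= n_words)
		r->read_past_end = 1;
	return words[idx];
}

/* Original condition: `*p && p < end`, the word is read before the bound test. */
static struct walk_result walk_deref_first(const long *words, size_t n_words)
{
	struct walk_result r = { 0, 0, 0 };
	size_t i = 0;

	for (; read_word(words, i, n_words, &r) && i < n_words; i++)
		r.frames++;
	return r;
}

/* Fixed condition: `p < end && *p`, the bound test short-circuits the read. */
static struct walk_result walk_bounds_first(const long *words, size_t n_words)
{
	struct walk_result r = { 0, 0, 0 };
	size_t i = 0;

	for (; i < n_words && read_word(words, i, n_words, &r); i++)
		r.frames++;
	return r;
}

/* Constructed sample: a full three-word stack (no zero terminator) plus a neighbour word. */
#define FULL_WORDS 3
static const long full_stack[FULL_WORDS + 1] = { 0x1111, 0x2222, 0x3333, 0xdead };

/* Constructed sample: a stack terminated by a zero word before the end of the field. */
static const long short_stack[FULL_WORDS + 1] = { 0x1111, 0, 0x3333, 0xdead };

int main(void)
{
	struct walk_result a = walk_deref_first(full_stack, FULL_WORDS);
	struct walk_result b = walk_bounds_first(full_stack, FULL_WORDS);

	printf("deref first : frames=%zu max_index=%zu past_end=%d\n",
	       a.frames, a.max_index, a.read_past_end);
	printf("bounds first: frames=%zu max_index=%zu past_end=%d\n",
	       b.frames, b.max_index, b.read_past_end);
	return 0;
}
```

Both variants print the same three frames for the full stack; the difference is that the original condition also touches index 3, one word past the field, before it decides to stop, while the fixed condition never reads it. When a zero word terminates the stack inside the field, the two loops behave identically, which is why the bug only shows up for a completely filled stack.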