[v1] kallsyms: Prevent invalid access when showing module buildid

[PATCH 5/6] kallsyms: Clean up @namebuf initialization in kallsyms_lookup_buildid()

Posted by Petr Mladek 1 month, 1 week ago

The function kallsyms_lookup_buildid() initializes the given @namebuf
by clearing the first and the last byte. It is not clear why.

The 1st byte makes sense because some callers ignore the return code
and expect that the buffer contains a valid string, for example:

  - function_stat_show()
    - kallsyms_lookup()
      - kallsyms_lookup_buildid()

The initialization of the last byte does not make much sense because it
can later be overwritten. Fortunately, it seems that all called
functions behave correctly:

  -  kallsyms_expand_symbol() explicitly adds the trailing '\0'
     at the end of the function.

  - All *__address_lookup() functions either use the safe strscpy()
    or they do not touch the buffer at all.

Document the reason for clearing the first byte. And remove the useless
initialization of the last byte.

Signed-off-by: Petr Mladek <pmladek@suse.com>
---
 kernel/kallsyms.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 71868a76e9a1..ff7017337535 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -352,7 +352,12 @@ static int kallsyms_lookup_buildid(unsigned long addr,
 {
 	int ret;
 
-	namebuf[KSYM_NAME_LEN - 1] = 0;
+	/*
+	 * kallsyms_lookus() returns pointer to namebuf on success and
+	 * NULL on error. But some callers ignore the return value.
+	 * Instead they expect @namebuf filled either with valid
+	 * or empty string.
+	 */
 	namebuf[0] = 0;
 
 	if (is_ksym_addr(addr)) {
-- 
2.51.1

Re: [PATCH 5/6] kallsyms: Clean up @namebuf initialization in kallsyms_lookup_buildid()

Posted by Aaron Tomlin 1 month, 1 week ago

On Wed, Nov 05, 2025 at 03:23:17PM +0100, Petr Mladek wrote:
> The function kallsyms_lookup_buildid() initializes the given @namebuf
> by clearing the first and the last byte. It is not clear why.
> 
> The 1st byte makes sense because some callers ignore the return code
> and expect that the buffer contains a valid string, for example:
> 
>   - function_stat_show()
>     - kallsyms_lookup()
>       - kallsyms_lookup_buildid()
> 
> The initialization of the last byte does not make much sense because it
> can later be overwritten. Fortunately, it seems that all called
> functions behave correctly:
> 
>   -  kallsyms_expand_symbol() explicitly adds the trailing '\0'
>      at the end of the function.
> 
>   - All *__address_lookup() functions either use the safe strscpy()
>     or they do not touch the buffer at all.
> 
> Document the reason for clearing the first byte. And remove the useless
> initialization of the last byte.
> 
> Signed-off-by: Petr Mladek <pmladek@suse.com>
> ---
>  kernel/kallsyms.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
> index 71868a76e9a1..ff7017337535 100644
> --- a/kernel/kallsyms.c
> +++ b/kernel/kallsyms.c
> @@ -352,7 +352,12 @@ static int kallsyms_lookup_buildid(unsigned long addr,
>  {
>  	int ret;
>  
> -	namebuf[KSYM_NAME_LEN - 1] = 0;
> +	/*
> +	 * kallsyms_lookus() returns pointer to namebuf on success and
> +	 * NULL on error. But some callers ignore the return value.
> +	 * Instead they expect @namebuf filled either with valid
> +	 * or empty string.
> +	 */
>  	namebuf[0] = 0;
>  
>  	if (is_ksym_addr(addr)) {
> -- 
> 2.51.1
> 
> 

Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>

-- 
Aaron Tomlin

[PATCH 1/6] module: Add helper function for reading module_buildid()
[PATCH 2/6] kallsyms: Cleanup code for appending the module buildid
[PATCH 3/6] kallsyms/bpf: Set module buildid in bpf_address_lookup()
[PATCH 4/6] kallsyms/ftrace: Set module buildid in ftrace_mod_address_lookup()
[PATCH 5/6] kallsyms: Clean up @namebuf initialization in kallsyms_lookup_buildid()
[PATCH 6/6] kallsyms: Prevent module removal when printing module name and buildid