To: "Peter Zijlstra" , "Ingo Molnar" , "Arnaldo Carvalho de Melo" , "Namhyung Kim"
From: "Rui Qi"
Message-Id: <20260521111429.4042238-1-qirui.001@bytedance.com>
Cc: "Mark Rutland" , "Alexander Shishkin" , "Jiri Olsa" , "Ian Rogers" , "Adrian Hunter" , "James Clark" , , , "Rui Qi"
Date: Thu, 21 May 2026 19:14:29 +0800
X-Mailer: git-send-email 2.20.1
Subject: [PATCH] perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
X-Mailing-List: linux-kernel@vger.kernel.org

In kallsyms__parse(), the loop reading symbol names iterates with
i < sizeof(symbol_name), which allows i to reach sizeof(symbol_name)
upon loop exit. The subsequent symbol_name[i] = '\0' then writes one
byte past the end of the stack-allocated symbol_name[] array.

Fix this by changing the loop bound to sizeof(symbol_name) - 1, so the
null terminator always lands within the array.

The overflow is triggerable by a kallsyms entry with a symbol name of
KSYM_NAME_LEN+1 or more characters (e.g., long Rust mangled names or a
malicious /proc/kallsyms).

Signed-off-by: Rui Qi
---
 tools/lib/symbol/kallsyms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/lib/symbol/kallsyms.c b/tools/lib/symbol/kallsyms.c
index e335ac2b9e19..f7100d43ecf4 100644
--- a/tools/lib/symbol/kallsyms.c
+++ b/tools/lib/symbol/kallsyms.c
@@ -60,7 +60,7 @@ int kallsyms__parse(const char *filename, void *arg, read_to_eol(&io); continue; } - for (i =3D 0; i < sizeof(symbol_name); i++) { + for (i =3D 0; i < sizeof(symbol_name) - 1; i++) { ch =3D io__get_char(&io); if (ch < 0 || ch =3D=3D '\n') break; --=20 2.20.1
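Review bot: The new bound `i < sizeof(symbol_name) - 1` removes the one-byte overrun, but it changes what happens to an overlong name: the loop now exits on the bound with the rest of the name still unread in `io`, so the parser resumes from the middle of that line instead of at the next entry. The visible context already uses `read_to_eol(&io); continue;` to skip entries, so after the loop the patch should either drain the remainder of the line when the loop stopped on the bound rather than on `'\n'`/EOF, or skip the entry outright, and the commit message should say which behaviour was chosen for names of KSYM_NAME_LEN or more characters. The message also has no Fixes: tag naming the commit that introduced the loop, which a memory-safety fix like this needs for stable backports.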
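The off-by-one described in the commit message, modelled as an added example that is not perf's code: a minimal stand-in for the kallsyms__parse() name loop with the corrected bound, plus a drain of an overlong name's unread tail so parsing stays aligned on the next entry. KSYM_NAME_LEN (set to 16 here), struct reader and get_char() are constructed stand-ins assumed for the demo; perf's real KSYM_NAME_LEN and struct io differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define KSYM_NAME_LEN 16 /* assumed small value for the demo; perf's real size differs */

/* Constructed in-memory stand-in for perf's struct io / io__get_char(). */
struct reader { const char *buf; size_t pos; };

static int get_char(struct reader *r)
{
	return r->buf[r->pos] ? (unsigned char)r->buf[r->pos++] : -1; /* -1 = EOF */
}

static void read_to_eol(struct reader *r)
{
	int ch;
	while ((ch = get_char(r)) >= 0 && ch != '\n')
		;
}

/* Read one '\n'- or EOF-terminated symbol name into out[KSYM_NAME_LEN] and
 * return its stored length. An overlong name is cut at KSYM_NAME_LEN - 1,
 * *truncated is set, and the unread tail of the line is drained so the next
 * call starts on the next entry rather than in the middle of this one. */
static size_t read_symbol_name(struct reader *r, char out[KSYM_NAME_LEN],
			       bool *truncated)
{
	size_t i;
	int ch = -1;
	/* Corrected bound: on exit i <= KSYM_NAME_LEN - 1, so out[i] below is
	 * inside the array. The buggy loop used i < KSYM_NAME_LEN, let i reach
	 * KSYM_NAME_LEN, and made out[i] = '\0' a one-byte stack overrun. */
	for (i = 0; i < KSYM_NAME_LEN - 1; i++) {
		ch = get_char(r);
		if (ch < 0 || ch == '\n')
			break;
		out[i] = (char)ch;
	}
	out[i] = '\0';
	*truncated = false;
	if (i == KSYM_NAME_LEN - 1) {
		/* Stopped on the bound, not a delimiter: inspect the next byte. */
		ch = get_char(r);
		if (ch >= 0 && ch != '\n') {
			*truncated = true;
			read_to_eol(r);
		}
	}
	return i;
}
```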