From nobody Sun May 24 19:34:44 2026
Date: Fri, 22 May 2026 15:07:38 +0800
From: "Rui Qi"
To: "Peter Zijlstra", "Ingo Molnar", "Arnaldo Carvalho de Melo", "Namhyung Kim"
Cc: "Mark Rutland", "Alexander Shishkin", "Jiri Olsa", "Ian Rogers", "Adrian Hunter", "James Clark", "Rui Qi"
Subject: [PATCH v2] perf: Fix off-by-one stack buffer overflow in kallsyms__parse()
Message-Id: <20260522070738.31900-1-qirui.001@bytedance.com>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: linux-kernel@vger.kernel.org

In kallsyms__parse(), the loop reading symbol names iterates with
i < sizeof(symbol_name), which allows i to reach sizeof(symbol_name)
upon loop exit. The subsequent symbol_name[i] = '\0' then writes one
byte past the end of the stack-allocated symbol_name[] array.

Fix this by changing the loop bound to sizeof(symbol_name) - 1, so the
null terminator always lands within the array.

The overflow is triggerable by a kallsyms entry with a symbol name of
KSYM_NAME_LEN+1 or more characters (e.g., long Rust mangled names or a
malicious /proc/kallsyms).

Fixes: 53df2b934412 ("libsymbols kallsyms: Parse using io api")
Signed-off-by: Rui Qi
---
Changes in v2:
- Added read_to_eol(&io) when a symbol name exceeds the buffer size,
  preventing remaining characters from being parsed as the next symbol entry.
- Added Fixes tag.

 tools/lib/symbol/kallsyms.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/lib/symbol/kallsyms.c b/tools/lib/symbol/kallsyms.c index e335ac2b9e19..0f87c654ea63 100644 --- a/tools/lib/symbol/kallsyms.c +++ b/tools/lib/symbol/kallsyms.c @@ -60,7 +60,7 @@ int kallsyms__parse(const char *filename, void *arg, read_to_eol(&io); continue; } - for (i =3D 0; i < sizeof(symbol_name); i++) { + for (i =3D 0; i < sizeof(symbol_name) - 1; i++) { ch =3D io__get_char(&io); if (ch < 0 || ch =3D=3D '\n') break; @@ -68,6 +68,9 @@ int kallsyms__parse(const char *filename, void *arg, } symbol_name[i] =3D '\0'; =20 + if (i =3D=3D sizeof(symbol_name) - 1) + read_to_eol(&io); + err =3D process_symbol(arg, symbol_name, symbol_type, start); if (err) break; --=20 2.20.1
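Review bot: The new bound in the first hunk means any name of sizeof(symbol_name) - 1 or more characters is now silently cut down to sizeof(symbol_name) - 1 bytes before process_symbol() sees it, and a truncated name can collide with the real name of a different symbol; the loop deserves a short comment saying truncation is intentional, and the commit message should state that over-long names are truncated rather than rejected. Consider also logging the truncation (the surrounding code already has a debug path for the symbol-type check) so a bad /proc/kallsyms does not get silently misattributed.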
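Review bot: In the second hunk, the condition `i == sizeof(symbol_name) - 1` is correct but not obviously so: it fires both when the name was longer than the buffer and when it was exactly sizeof(symbol_name) - 1 characters, because in both cases the for loop exits on the bound without having consumed the '\n', so read_to_eol() is required to resynchronise on the next line. A one-line comment above the check, e.g. `/* loop hit the bound without reading '\n': drop the rest of the line */`, would save the next reader from re-deriving this; the blank line before it (the `=20` context line) should otherwise stay as is.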
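The bug and the fix described above, as an added example that is not code from the perf tree: a small in-memory reader stands in for perf's io__get_char() and read_to_eol(), NAME_LEN stands in for KSYM_NAME_LEN (kept tiny on purpose), and the input is a constructed list of bare symbol names, one per line, without the address and type fields that the real parser handles first. The stack array is replaced by a bounds-instrumented buffer that records the one-past-the-end store instead of performing it, which is roughly what ASan would flag on the original loop. Run with the original bound, the over-long name both overflows and spills its tail into bogus extra entries; with the patched bound plus read_to_eol(), it is truncated and the rest of the line is discarded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the perf tree's code. NAME_LEN stands in for
 * KSYM_NAME_LEN and is deliberately small so the over-long case is easy to hit. */
#define NAME_LEN 8
#define MAX_ENTRIES 8

/* Constructed sample input: one name per line, the third one longer than the buffer. */
static const char SAMPLE[] = "short\nseven77\nthis_is_a_long_name\n";

/* In-memory stand-ins for perf's io__get_char() and read_to_eol(). */
struct reader { const char *data; size_t len; size_t pos; };

static int get_char(struct reader *r)
{
	return r->pos < r->len ? (unsigned char)r->data[r->pos++] : -1;
}

static void read_to_eol(struct reader *r)
{
	int ch;
	do {
		ch = get_char(r);
	} while (ch >= 0 && ch != '\n');
}

/* Bounds-instrumented stand-in for the stack array: an out-of-range store is
 * recorded instead of performed. */
struct name_buf { char bytes[NAME_LEN]; bool overflowed; };

static void store(struct name_buf *b, size_t i, char c)
{
	if (i >= NAME_LEN) {
		b->overflowed = true;	/* the one-past-the-end write */
		return;
	}
	b->bytes[i] = c;
}

/* Mirrors the name-reading loop of kallsyms__parse(). fixed == false uses the
 * original bound sizeof(symbol_name); fixed == true uses sizeof(symbol_name) - 1
 * and the read_to_eol() added by the patch. */
static void read_name(struct reader *r, struct name_buf *b, bool fixed)
{
	size_t limit = fixed ? NAME_LEN - 1 : NAME_LEN;
	size_t i;
	int ch;

	memset(b, 0, sizeof(*b));
	for (i = 0; i < limit; i++) {
		ch = get_char(r);
		if (ch < 0 || ch == '\n')
			break;
		store(b, i, (char)ch);
	}
	store(b, i, '\0');		/* symbol_name[i] = '\0' */
	if (fixed && i == NAME_LEN - 1)
		read_to_eol(r);		/* loop hit the bound: discard the rest of the line */
}

struct parse_result {
	size_t count;
	size_t overflows;
	char names[MAX_ENTRIES][NAME_LEN + 1];	/* +1 keeps an unterminated buffer printable */
};

static struct parse_result parse_names(const char *text, bool fixed)
{
	struct parse_result res = { 0 };
	struct reader r = { text, strlen(text), 0 };
	struct name_buf b;

	while (r.pos < r.len && res.count < MAX_ENTRIES) {
		read_name(&r, &b, fixed);
		if (b.overflowed)
			res.overflows++;
		memcpy(res.names[res.count], b.bytes, NAME_LEN);
		res.count++;
	}
	return res;
}

/* Accessors so the outcome of each variant can be checked by return value. */
static size_t sample_count(bool fixed) { return parse_names(SAMPLE, fixed).count; }
static size_t sample_overflows(bool fixed) { return parse_names(SAMPLE, fixed).overflows; }
static int sample_name_is(bool fixed, size_t idx, const char *expected)
{
	struct parse_result res = parse_names(SAMPLE, fixed);
	return idx < res.count && strcmp(res.names[idx], expected) == 0;
}

static void show(bool fixed)
{
	struct parse_result res = parse_names(SAMPLE, fixed);
	size_t k;

	printf("%s bound: %zu entries, %zu out-of-bounds writes\n",
	       fixed ? "patched" : "original", res.count, res.overflows);
	for (k = 0; k < res.count; k++)
		printf("  [%zu] \"%s\"\n", k, res.names[k]);
}

int main(void)
{
	show(false);
	show(true);
	return 0;
}
```

With the original bound the sample yields five entries and two out-of-bounds stores ("this_is_", "a_long_n" and "ame" all come from one line); with the patched bound it yields three entries, no out-of-bounds store, and the truncated name "this_is". The "seven77" line is the boundary case the second hunk has to handle: it exactly fills the patched loop, so read_to_eol() is what consumes its trailing newline.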