From: "unknownbbqrx"
Date: Thu, 23 Apr 2026 17:44:41 +0300
Cc: "unknownbbqrx"
Subject: [PATCH] tools/rv: harden monitor name lookup bounds checks
Message-Id: <613feaa1-2fec-42e7-ad18-c1b126a549be@smtp-relay.sendinblue.com>
Origin-messageId: <20260423144441.2995-1-dev@unknownbbqr.xyz>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

Bound monitor-name derived copies in __ikm_find_monitor_name() and avoid
unbounded writes from sprintf()/memcpy().

Pass the output buffer size from the caller, validate extracted line length
from rv/available_monitors, and use snprintf() with truncation checks when
building container monitor names.

Signed-off-by: unknownbbqrx

--- tools/verification/rv/src/in_kernel.c | 34 +++++++++++++++++++++------ 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/= src/in_kernel.c index d32453824..f17eac9b6 100644
--- a/tools/verification/rv/src/in_kernel.c +++ b/tools/verification/rv/src/in_kernel.c @@ -56,9 +56,12 @@ static int __ikm_read_enable(char *monitor_name) * The string out_name is populated with the full name, which can be * equal to monitor_name or container/monitor_name if nested */ -static int __ikm_find_monitor_name(char *monitor_name, char *out_name) +static int __ikm_find_monitor_name(char *monitor_name, char *out_name, + size_t out_name_size) { - char *available_monitors, container[MAX_DA_NAME_LEN+1], *cursor, *end; + char *available_monitors, container[MAX_DA_NAME_LEN + 2], *cursor, *end; + size_t len; + int n; int retval =3D 1; =20 available_monitors =3D tracefs_instance_file_read(NULL, "rv/available_mon= itors", NULL); @@ -72,17 +75,34 @@ static int __ikm_find_monitor_name(char *monitor_name, = char *out_name) } =20 for (; cursor > available_monitors; cursor--) - if (*(cursor-1) =3D=3D '\n') + if (*(cursor - 1) =3D=3D '\n') break; + end =3D strstr(cursor, "\n"); - memcpy(out_name, cursor, end-cursor); - out_name[end-cursor] =3D '\0'; + if (!end) { + retval =3D -1; + goto out_free; + } + + len =3D end - cursor; + if (len >=3D out_name_size) { + retval =3D -1; + goto out_free; + } + + memcpy(out_name, cursor, len); + out_name[len] =3D '\0'; =20 cursor =3D strstr(out_name, ":"); if (cursor) *cursor =3D '/'; else { - sprintf(container, "%s:", monitor_name); + n =3D snprintf(container, sizeof(container), "%s:", monitor_name); + if (n < 0 || (size_t)n >=3D sizeof(container)) { + retval =3D -1; + goto out_free; + } + if (strstr(available_monitors, container)) config_is_container =3D 1; } 
@@ -782,7 +802,7 @@ int ikm_run_monitor(char *monitor_name, int argc, char = **argv) else nested_name =3D monitor_name; =20 - retval =3D __ikm_find_monitor_name(monitor_name, full_name); + retval =3D __ikm_find_monitor_name(monitor_name, full_name, sizeof(full_n= ame)); if (!retval) return 0; if (retval < 0) { base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6 prerequisite-patch-id: b61dd51dee390277603975bf729a687113185c3a --=20 2.53.0
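
Review bot: in the first hunk (@@ -56,9 +56,12 @@) the container buffer grows from MAX_DA_NAME_LEN+1 to MAX_DA_NAME_LEN + 2 with no comment, and the commit message does not mention it. If the extra byte is there to hold the ':' that the "%s:" format appends to a maximum-length monitor name, say so next to the declaration and in the changelog, since that off-by-one is a separate fix from passing out_name_size. The comment block above the function still describes only out_name; it should also document the new out_name_size parameter and that the function now returns -1 when the name does not fit.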
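
Review bot: in the second hunk (@@ -72,17 +75,34 @@) all three new failure paths (no newline after cursor, len >= out_name_size, and snprintf() truncation into container) set retval = -1 and jump to out_free without any diagnostic, so the caller cannot tell a truncated name from any other failure. Consider printing which limit was hit before the goto. Note also that the snprintf() check sits in the else branch after out_name has already been written, so on that path the function returns -1 with out_name populated; either perform the container check before the copy or state that out_name is undefined on error. The whitespace-only change to *(cursor - 1) and the added blank line are unrelated to the hardening and would be better left out or sent separately.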
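
Review bot: in the last hunk (@@ -782,7 +802,7 @@) the call passes sizeof(full_name), which is the buffer size only if full_name is declared as an array inside ikm_run_monitor(); the declaration is outside the context shown here. Please confirm it is an array and not a char pointer, because with a pointer sizeof yields the pointer width and the new len >= out_name_size check would reject any monitor line of that length or longer.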