From: Masahiro Yamada <masahiroy@kernel.org>
To: linux-kbuild@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Nick Desaulniers <ndesaulniers@google.com>
Subject: [PATCH 1/5] modpost: fix undefined behavior of is_arm_mapping_symbol()
Date: Tue, 24 May 2022 01:46:22 +0900
Message-ID: <20220523164626.858340-1-masahiroy@kernel.org>

The return value of is_arm_mapping_symbol() is unpredictable when
"$" is passed in.

strchr(3) says:
  The strchr() and strrchr() functions return a pointer to the matched
  character or NULL if the character is not found. The terminating null
  byte is considered part of the string, so that if c is specified as
  '\0', these functions return a pointer to the terminator.

When str[1] is '\0', strchr("axtd", str[1]) is not NULL, and str[2] is
referenced (i.e. buffer overrun).

Test code
---------

  char str1[] = "abc";
  char str2[] = "ab";

  strcpy(str1, "$");
  strcpy(str2, "$");

  printf("test1: %d\n", is_arm_mapping_symbol(str1));
  printf("test2: %d\n", is_arm_mapping_symbol(str2));

Result
------

  test1: 0
  test2: 1

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 scripts/mod/modpost.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 6f5c605ab0fb..845bc438ca49 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1179,7 +1179,8 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
 
 static inline int is_arm_mapping_symbol(const char *str)
 {
-	return str[0] == '$' && strchr("axtd", str[1])
+	return str[0] == '$' &&
+	       (str[1] == 'a' || str[1] == 'd' || str[1] == 't' || str[1] == 'x')
 	       && (str[2] == '\0' || str[2] == '.');
 }
 
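Review bot: the open-coded comparison on str[1] in is_arm_mapping_symbol() carries no comment saying why strchr() was dropped, so a later cleanup could fold it back into strchr("axtd", str[1]) and bring back the read of str[2] past the terminator when "$" is passed in. A one-line comment above the return, noting that strchr() matches the terminating '\0', would guard against that. Minor style point: the added line ends with && while the unchanged line that follows starts with &&; using one placement throughout would make the expression easier to scan.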
-- 
2.32.0
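
The strchr() behaviour described in the commit message, as an added example that is not part of the original mail or of modpost: the two forms of the check from the diff run side by side. The names old_check, new_check, on_dollar and disagreements, the 4-byte buffer and the list of sample names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pre-patch check as shown in the diff: strchr() also matches the '\0'. */
static int old_check(const char *str)
{
	return str[0] == '$' && strchr("axtd", str[1])
	       && (str[2] == '\0' || str[2] == '.');
}

/* Post-patch check as shown in the diff: '\0' never equals a, d, t or x. */
static int new_check(const char *str)
{
	return str[0] == '$' &&
	       (str[1] == 'a' || str[1] == 'd' || str[1] == 't' || str[1] == 'x')
	       && (str[2] == '\0' || str[2] == '.');
}

/*
 * Constructed input: "$" followed by a chosen stale byte. The buffer is
 * 4 bytes, so index 2 stays in bounds and old_check()'s extra read is defined.
 */
static int on_dollar(int (*check)(const char *), char stale)
{
	char buf[4] = { '$', '\0', stale, '\0' };
	return check(buf);
}

/* Count constructed names, none of them a bare "$", where the checks differ. */
static int disagreements(void)
{
	static const char *const names[] = {
		"$a", "$d", "$t.thumb", "$x.1", "$b", "$ab", "a$", "", "foo",
	};
	int n = 0;
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		n += old_check(names[i]) != new_check(names[i]);
	return n;
}

int main(void)
{
	printf("old on \"$\": %d %d\n", on_dollar(old_check, 'c'), on_dollar(old_check, '\0'));
	printf("new on \"$\": %d %d\n", on_dollar(new_check, 'c'), on_dollar(new_check, '\0'));
	printf("disagreements: %d\n", disagreements());
	return 0;
}
```

The old check's answer for "$" follows whatever byte sits after the terminator, which is the test1/test2 difference reported above; the new check rejects "$" regardless, and the two agree on every other sample name.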

