* [PATCH 1/2] libtraceevent: Add eof checks.
@ 2021-06-17 19:43 Claire Jensen
  2021-06-17 19:43 ` [PATCH 2/2] libtraceevent: Changed angled brackets to double quotes Claire Jensen
  2021-06-17 19:58 ` [PATCH 1/2] libtraceevent: Add eof checks Steven Rostedt
  0 siblings, 2 replies; 9+ messages in thread
From: Claire Jensen @ 2021-06-17 19:43 UTC (permalink / raw)
  To: eranian, irogers, tz.stoyanov, linux-trace-devel, rostedt; +Cc: Claire Jensen

Added checks on the return values of __read_char() and peek_char() to make sure
the parser has not reached end of file.

This issue was found while fuzz testing. One of the test cases created an infinite loop because __read_token had reached end of file. Checking was added to all cases where this may occur.

Signed-off-by: Claire Jensen <cjense@google.com>
---
 src/event-parse.c | 62 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 48 insertions(+), 14 deletions(-)

diff --git a/src/event-parse.c b/src/event-parse.c
index 97c1a97..f454e23 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -1155,17 +1155,16 @@ static enum tep_event_type force_token(const char *str, char **tok);
 static enum tep_event_type __read_token(char **tok)
 {
 	char buf[BUFSIZ];
-	int ch, last_ch, quote_ch, next_ch;
+	int ch, last_ch, quote_ch, next_ch, read_ch, peek_ch;
 	int i = 0;
 	int tok_size = 0;
 	enum tep_event_type type;
 
 	*tok = NULL;
 
-
-	ch = __read_char();
+        ch = __read_char();
 	if (ch < 0)
-		return TEP_EVENT_NONE;
+		goto out_eof_error;
 
 	type = get_type(ch);
 	if (type == TEP_EVENT_NONE)
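Review bot: The re-added `ch = __read_char();` line is indented with eight spaces while every other line of __read_token uses a tab, so the hunk introduces a whitespace inconsistency alongside the removed blank line; keep the tab indentation of the surrounding lines since the only intended change here is dropping the blank line. The `goto out_eof_error` on this first read is equivalent to the old `return TEP_EVENT_NONE` because `*tok` is still NULL at this point, which is fine. __read_token continues past this hunk.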
@@ -1184,9 +1183,15 @@ static enum tep_event_type __read_token(char **tok)
 	case TEP_EVENT_OP:
 		switch (ch) {
 		case '-':
-			next_ch = peek_char();
+			peek_ch = peek_char();
+			if (peek_ch < 0)
+				goto out_eof_error;
+			next_ch = peek_ch;
 			if (next_ch == '>') {
-				buf[i++] = __read_char();
+				read_ch = __read_char();
+				if (read_ch < 0)
+					goto out_eof_error;
+				buf[i++] = read_ch;
 				break;
 			}
 			/* fall through */
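Review bot: Treating a negative `peek_char()` as an error here (and likewise in the `<`/`>` hunk, the `test_equal` hunk and the rewritten `while` loop) discards a token that was already complete: before this change a trailing `-` fell through to `test_equal`, saw no `=` and was returned as an OP token via `goto out`, and the old `while (get_type(peek_char()) == type)` ended normally on the last ITEM of an input with no trailing newline, whereas now each of these paths jumps to `out_eof_error`, frees `*tok` and returns TEP_EVENT_NONE, so the final token of such input is lost. This assumes peek_char() returns a negative value only at end of input, which the new checks themselves rely on, and that get_type() does not map a negative value to the token's own type. Only a read that happens while a token is still open (the quoted-string loop) needs the error exit; at a peek, end of input just means "no further character", so the loop should `if (peek_ch < 0) break;` and the operator cases should continue on their existing non-match branches (`next_ch != '>'`, `ch != last_ch`, `ch != '='`) instead of jumping to the error label.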
@@ -1197,9 +1202,14 @@ static enum tep_event_type __read_token(char **tok)
 		case '<':
 			last_ch = ch;
 			ch = peek_char();
+			if (ch < 0)
+				goto out_eof_error;
 			if (ch != last_ch)
 				goto test_equal;
-			buf[i++] = __read_char();
+			read_ch = __read_char();
+			if (read_ch < 0)
+				goto out_eof_error;
+			buf[i++] = read_ch;
 			switch (last_ch) {
 			case '>':
 			case '<':
@@ -1219,10 +1229,17 @@ static enum tep_event_type __read_token(char **tok)
 		return type;
 
  test_equal:
-		ch = peek_char();
-		if (ch == '=')
-			buf[i++] = __read_char();
-		goto out;
+		peek_ch = peek_char();
+		if (peek_ch < 0)
+			goto out_eof_error;
+		ch = peek_ch;
+		if (ch == '=') {
+			read_ch = __read_char();
+			if (read_ch < 0)
+				goto out_eof_error;
+			buf[i++] = read_ch;
+			goto out;
+		}
 
 	case TEP_EVENT_DQUOTE:
 	case TEP_EVENT_SQUOTE:
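Review bot: The `goto out;` that used to follow the `test_equal` peek unconditionally is now inside the `if (ch == '=')` block, so an operator that is not followed by `=` no longer jumps to `out` and instead runs off the end of the TEP_EVENT_OP case into `case TEP_EVENT_DQUOTE:`, which would handle a lone `<` or `-` as the start of a quoted string. Move the jump back out of the conditional: close the `if` after `buf[i++] = read_ch;` and put `goto out;` on the line after the closing `}` so both the `=` and non-`=` paths reach it as before. The surrounding switch starts outside this hunk.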
@@ -1242,6 +1259,8 @@ static enum tep_event_type __read_token(char **tok)
 			}
 			last_ch = ch;
 			ch = __read_char();
+			if(ch < 0)
+				goto out_eof_error;
 			buf[i++] = ch;
 			/* the '\' '\' will cancel itself */
 			if (ch == '\\' && last_ch == '\\')
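Review bot: The new check is written `if(ch < 0)` without the space after `if` used everywhere else in this function; make it `if (ch < 0)`, and the same applies to the check in the following hunk. This read sits inside the quoted-string loop, which appears to be the place where an unterminated quote could previously keep consuming a negative `__read_char()` result, so a short comment would help future readers: `/* EOF inside a quoted string: drop the partial token */`. The enclosing do/while starts and ends outside the hunk.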
@@ -1259,6 +1278,8 @@ static enum tep_event_type __read_token(char **tok)
 
 			do {
 				ch = __read_char();
+				if(ch < 0)
+					return TEP_EVENT_NONE;
 			} while (isspace(ch));
 			if (ch == '"')
 				goto concat;
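Review bot: The new `return TEP_EVENT_NONE;` bypasses `out_eof_error`, so if the buffer-full path of the string loop has already moved part of the string into `*tok`, it is leaked here and the caller receives a non-NULL `*tok` together with TEP_EVENT_NONE, unlike every other EOF exit in this patch. Beyond the inconsistency, this lookahead runs after the closing quote has been consumed, so a negative value here means the string is complete and end of input follows; the old loop already terminated in that case because isspace(-1) is false, and the string was returned. If the saved read position is restored after this lookahead, as the surrounding code suggests, EOF here should take that path rather than discard the token; at minimum replace the direct return with `goto out_eof_error;` so the cleanup is the same as elsewhere.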
@@ -1273,7 +1294,13 @@ static enum tep_event_type __read_token(char **tok)
 		break;
 	}
 
-	while (get_type(peek_char()) == type) {
+	while (1) {
+		peek_ch = peek_char();
+		if (peek_ch < 0)
+			goto out_eof_error;
+		if (get_type(peek_ch) != type)
+			break;
+
 		if (i == (BUFSIZ - 1)) {
 			buf[i] = 0;
 			tok_size += BUFSIZ;
@@ -1282,8 +1309,10 @@ static enum tep_event_type __read_token(char **tok)
 				return TEP_EVENT_NONE;
 			i = 0;
 		}
-		ch = __read_char();
-		buf[i++] = ch;
+		read_ch = __read_char();
+		if (read_ch < 0)
+			goto out_eof_error;
+		buf[i++] = read_ch;
 	}
 
  out:
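Review bot: The `read_ch < 0` check after `__read_char()` at the bottom of the loop cannot fire when the `peek_char()` at the top of the same iteration (previous hunk) just returned a character, assuming both functions read the same input position; the same read-after-successful-peek pattern is added in the `->`, `<`/`>` and `test_equal` hunks. Keeping `buf[i++] = __read_char();` and relying on the peek check keeps the loop shorter; if the extra check is retained as defence in depth, a comment such as `/* cannot fail: peek_char() succeeded above */` would stop readers looking for a second EOF source. The loop begins outside this hunk.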
@@ -1316,6 +1345,11 @@ static enum tep_event_type __read_token(char **tok)
 	}
 
 	return type;
+
+out_eof_error:
+	free(*tok);
+	*tok = NULL;
+	return TEP_EVENT_NONE;
 }
 
 static enum tep_event_type force_token(const char *str, char **tok)
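Review bot: The new `out_eof_error:` label is placed at column 0 while the function's existing labels `out:` and `test_equal:` are written with a single leading space, so two label styles now mix within one function; write it as ` out_eof_error:` to match. A one-line comment above it would also document why it differs from `out`: `/* EOF mid-token: discard any partially built token */`.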
-- 
2.32.0.288.g62a8d224e6-goog


* [PATCH 0/2] Build and fuzzing related fixes
@ 2021-06-12  1:44 Ian Rogers
  2021-06-12  1:45 ` [PATCH 1/2] libtraceevent: Add eof checks Ian Rogers
  0 siblings, 1 reply; 9+ messages in thread
From: Ian Rogers @ 2021-06-12  1:44 UTC (permalink / raw)
  To: linux-trace-devel, Tzvetomir Stoyanov, Steven Rostedt, Claire Jensen
  Cc: Ian Rogers

EOF checks are missing in a number of cases that cause the parser to
enter an infinite loop if an EOF is encountered.
Some build systems are picky about angled brackets versus double quotes; fix this minor issue.

Claire Jensen (2):
  libtraceevent: Add eof checks.
  libtraceevent: Changed angled brackets to double quotes.

 src/event-parse.c | 62 ++++++++++++++++++++++++++++++++++++-----------
 src/event-utils.h |  2 +-
 2 files changed, 49 insertions(+), 15 deletions(-)

-- 
2.32.0.272.g935e593368-goog


