[Lldb-commits] [lldb] [lldb][Linux] Fix potential out of bounds read of pr_fname (PR #159375)
David Spickett via lldb-commits
lldb-commits at lists.llvm.org
Wed Sep 17 07:37:28 PDT 2025
https://github.com/DavidSpickett created https://github.com/llvm/llvm-project/pull/159375
https://github.com/llvm/llvm-project/pull/157170 added code that assigned pr_fname to another std::string member.
In the lines before, we copy pr_fname using assign with a max length set to either the length of the string in pr_fname, or the size of pr_fname, which is 16 bytes.
struct ELFLinuxPrPsInfo {
<...>
char pr_fname[16];
The content of pr_fname can fill all 16 bytes, that's why we need the limit.
This was not done for m_executable_name where it ended up calling the assignment from char* operator which could read on into the rest of the corefile in some cases.
Likely wouldn't crash for reading out of bounds, but you would at least see some strange things in LLDB.
Fix this by copying the std::string we already made for thread_data.name.
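The difference between the two copies described above, shown as an added example that is not part of the PR or of LLDB's code. It assumes a constructed byte slice standing in for the corefile region around pr_fname (hypothetical helper MakeCoreSlice), so the "unbounded" read stays inside one allocation and is well-defined for the demonstration, while still showing the over-read that a bare char* assignment performs when the 16-byte field carries no terminating NUL.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Mirrors the relevant field of ELFLinuxPrPsInfo: a fixed 16-byte name that
// the kernel does NOT guarantee to be NUL-terminated.
constexpr std::size_t kPrFnameSize = 16;

// Constructed stand-in for a slice of a corefile: the 16-byte pr_fname field
// immediately followed by whatever bytes come next in the note/corefile.
// When `name` fills the field completely there is no terminator after it.
// A final NUL is appended so the unbounded read below stays well-defined.
std::vector<char> MakeCoreSlice(const std::string &name,
                                const std::string &following) {
  std::vector<char> slice(kPrFnameSize, '\0');
  std::memcpy(slice.data(), name.data(), std::min(name.size(), kPrFnameSize));
  slice.insert(slice.end(), following.begin(), following.end());
  slice.push_back('\0');
  return slice;
}

// The buggy pattern: assigning a char* to std::string calls strlen(), which
// keeps reading until it finds a NUL, possibly well past pr_fname.
std::string UnboundedCopy(const char *pr_fname) {
  return std::string(pr_fname);
}

// The fixed pattern from the patch: bound the length by sizeof(pr_fname).
std::string BoundedCopy(const char *pr_fname) {
  return std::string(pr_fname, strnlen(pr_fname, kPrFnameSize));
}

int main() {
  // 16 characters, so pr_fname is completely full and has no NUL.
  auto full = MakeCoreSlice("sixteencharname!", "REST_OF_CORE");
  std::cout << "unbounded: \"" << UnboundedCopy(full.data()) << "\"\n";
  std::cout << "bounded:   \"" << BoundedCopy(full.data()) << "\"\n";

  // A short name is NUL-padded inside the field, so both copies agree.
  auto shortName = MakeCoreSlice("lldb", "REST_OF_CORE");
  std::cout << "unbounded: \"" << UnboundedCopy(shortName.data()) << "\"\n";
  std::cout << "bounded:   \"" << BoundedCopy(shortName.data()) << "\"\n";
  return 0;
}
```

With a full 16-byte name the unbounded copy returns the name glued to the bytes that follow it in the slice, which is the "strange things in LLDB" symptom the description mentions; the bounded copy returns exactly the 16 characters. For names shorter than 16 bytes the padding NUL stops both reads at the same place, which is why the bug only shows up for long process names.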
From cc97ef00452784f54f3ac470a99935739e2de6ba Mon Sep 17 00:00:00 2001
From: David Spickett <david.spickett at linaro.org>
Date: Wed, 17 Sep 2025 15:31:44 +0100
Subject: [PATCH] [lldb][Linux] Fix potential out of bounds read of pr_fname
https://github.com/llvm/llvm-project/pull/157170 added code that
assigned pr_fname to another std::string member.
In the lines before, we copy pr_fname using assign with a max
length set to either the length of the string in pr_fname, or
the size of pr_fname, which is 16 bytes.
struct ELFLinuxPrPsInfo {
<...>
char pr_fname[16];
The content of pr_fname can fill all 16 bytes, that's why
we need the limit.
This was not done for m_executable_name where it ended up
calling the assignment from char* operator which could
read on into the rest of the corefile in some cases.
Likely wouldn't crash for reading out of bounds, but you
would at least see some strange things in LLDB.
Fix this by copying the std::string we already made for
thread_data.name.
---
lldb/source/Plugins/Process/elf-core/ProcessElfCore.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lldb/source/Plugins/Process/elf-core/ProcessElfCore.cpp b/lldb/source/Plugins/Process/elf-core/ProcessElfCore.cpp
index 8f5f1242116f5..38bf13543c617 100644
--- a/lldb/source/Plugins/Process/elf-core/ProcessElfCore.cpp
+++ b/lldb/source/Plugins/Process/elf-core/ProcessElfCore.cpp
@@ -952,7 +952,7 @@ llvm::Error ProcessElfCore::parseLinuxNotes(llvm::ArrayRef<CoreNote> notes) {
return status.ToError();
thread_data.name.assign (prpsinfo.pr_fname, strnlen (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname)));
SetID(prpsinfo.pr_pid);
- m_executable_name = prpsinfo.pr_fname;
+ m_executable_name = thread_data.name;
break;
}
case ELF::NT_SIGINFO: {
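Review bot: The one-line fix is correct, but the patch touches only ProcessElfCore.cpp and adds no test; a corefile whose pr_fname uses all 16 bytes with no terminating NUL would have exercised the old `m_executable_name = prpsinfo.pr_fname;` path, and a test asserting that the reported executable name is exactly 16 characters would guard against the `const char*` assignment being reintroduced. It would also help to add a short comment above the `thread_data.name.assign(...)` line stating that pr_fname is not guaranteed to be NUL-terminated, so a future reader understands why the strnlen bound of sizeof(prpsinfo.pr_fname) is required and copies from thread_data.name rather than the raw field.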