[compiler-rt] r281015 - [sanitizer] fix a potential buffer overflow due to __sanitizer_symbolize_pc (need to put a zero after strncmp). LOL
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Thu Sep 8 19:13:27 PDT 2016
Author: kcc
Date: Thu Sep 8 21:13:27 2016
New Revision: 281015
URL: http://llvm.org/viewvc/llvm-project?rev=281015&view=rev
Log:
[sanitizer] fix a potential buffer overflow due to __sanitizer_symbolize_pc (need to put a zero after strncmp). LOL
Modified:
compiler-rt/trunk/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc
compiler-rt/trunk/test/sanitizer_common/TestCases/symbolize_pc.cc
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc?rev=281015&r1=281014&r2=281015&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc Thu Sep 8 21:13:27 2016
@@ -88,11 +88,13 @@ extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_symbolize_pc(uptr pc, const char *fmt, char *out_buf,
uptr out_buf_size) {
+ if (!out_buf_size) return;
using namespace __sanitizer;
pc = StackTrace::GetPreviousInstructionPc(pc);
SymbolizedStack *frame = Symbolizer::GetOrInit()->SymbolizePC(pc);
if (!frame) {
internal_strncpy(out_buf, "<can't symbolize>", out_buf_size);
+ out_buf[out_buf_size - 1] = 0;
return;
}
InternalScopedString frame_desc(GetPageSizeCached());
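Review bot: The terminator stores added at L29 and L37 make the copy safe, but the truncation they introduce is silent: when frame_desc is longer than out_buf_size the caller receives a cut-off description with no indication and no way to learn the size it would have needed, so the contract should at least be stated on the declaration in sanitizer/common_interface_defs.h, e.g. `// The result is always NUL-terminated and is truncated to out_buf_size - 1 characters if it does not fit.`. The copy-then-terminate pair is now repeated in both exit paths (L28-29 and L36-37 in the second hunk); a small static helper wrapping internal_strncpy plus the terminator store would keep the two from drifting apart. Nothing visible releases `frame` after it is rendered; if SymbolizePC hands back an owned SymbolizedStack chain, every call leaks it, though that predates this commit and the single line between the two hunks is not shown here. The log message says strncmp, while the call being guarded is internal_strncpy.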
@@ -100,5 +102,6 @@ void __sanitizer_symbolize_pc(uptr pc, c
common_flags()->symbolize_vs_style,
common_flags()->strip_path_prefix);
internal_strncpy(out_buf, frame_desc.data(), out_buf_size);
+ out_buf[out_buf_size - 1] = 0;
}
} // extern "C"
Modified: compiler-rt/trunk/test/sanitizer_common/TestCases/symbolize_pc.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/sanitizer_common/TestCases/symbolize_pc.cc?rev=281015&r1=281014&r2=281015&view=diff
==============================================================================
--- compiler-rt/trunk/test/sanitizer_common/TestCases/symbolize_pc.cc (original)
+++ compiler-rt/trunk/test/sanitizer_common/TestCases/symbolize_pc.cc Thu Sep 8 21:13:27 2016
@@ -6,13 +6,21 @@
#include <stdio.h>
#include <sanitizer/common_interface_defs.h>
void SymbolizeCaller() {
- char data[1000];
+ char data[100];
__sanitizer_symbolize_pc(__builtin_return_address(0), "%p %F %L", data,
sizeof(data));
printf("FIRST_FORMAT %s\n", data);
__sanitizer_symbolize_pc(__builtin_return_address(0),
"FUNC:%f LINE:%l FILE:%s", data, sizeof(data));
printf("SECOND_FORMAT %s\n", data);
+ __sanitizer_symbolize_pc(__builtin_return_address(0),
+ "LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+ "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+ "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+ "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"
+ "OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG"
+ "FUNC:%f LINE:%l FILE:%s", data, sizeof(data));
+ printf("LONG_FORMAT %s\n", data);
}
// CHECK: FIRST_FORMAT 0x{{.*}} in main symbolize_pc.cc:[[@LINE+3]]
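Review bot: The new LONG_FORMAT call at L57-L64 drives the truncation path, but the test only shows the result is printable; it never checks that the output was cut at the buffer boundary, and the out_buf_size == 0 early return this commit adds is not exercised at all. Since the rendered format already exceeds the 100-byte buffer, a positive check such as `if (strlen(data) != sizeof(data) - 1) abort();` (with <string.h> and <stdlib.h> included) would pin the intended contract rather than relying on printf not over-reading, and a call with size 0 that verifies data is left untouched would cover the new guard. Any CHECK line for LONG_FORMAT lies outside this hunk, so it is not possible to tell from here whether the truncated shape is asserted by FileCheck instead.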