[Crash-utility] [PATCH] Fix segmentation fault by "tree -s" option with Maple Tree

lijiang lijiang at redhat.com
Wed Jul 12 08:55:15 UTC 2023


On Mon, Jul 10, 2023 at 2:05 PM HAGIO KAZUHITO(萩尾 一仁) <k-hagio-ab at nec.com>
wrote:

> Without the patch, do_mt_entry() can call dump_struct_members_for_tree()
> with a NULL entry, and parse_for_member_extended() will cause a
> segmentation fault during strncpy().
>
Good findings, Kazu.

And looks good to me, for the patch: Ack

Thanks.
Lianbo

> This is caused by "tree -t maple -s struct.member.member" style multiple
> level member access:
>
>   crash> tree -t maple -s irq_desc.irq_data.irq  sparse_irqs
>   ffff936980188400
>     irq_data.irq = 0,
>   ffff93698018be00
>     irq_data.irq = 1,
>   ...
>   ffff936980f38e00
>     irq_data.irq = 19,
>   Segmentation fault (core dumped)
>
>   (gdb) bt
>   #0  0x00007faaf8e51635 in __strncpy_avx2 () from /lib64/libc.so.6
>   #1  0x00000000005e5927 in parse_for_member_extended (dm=dm@entry=0x7ffcb9e6d860,
> ...
>   #2  0x0000000000603c45 in dump_struct_member (s=s@entry=0x128cde0
> <shared_bufs+1024> ...
>   #3  0x0000000000513cf5 in dump_struct_members_for_tree (td=td@entry=0x7ffcb9e6eeb0,
> ...
>   #4  0x0000000000651f15 in do_mt_entry (entry=0, min=min@entry=20,
> max=max@entry=119, ...
>   ...
>
> Signed-off-by: Kazuhito Hagio <k-hagio-ab at nec.com>
> ---
>  maple_tree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/maple_tree.c b/maple_tree.c
> index eccd273105a6..8c804d0cb80d 100644
> --- a/maple_tree.c
> +++ b/maple_tree.c
> @@ -313,7 +313,7 @@ static void do_mt_entry(ulong entry, ulong min, ulong
> max, uint depth,
>                 fprintf(fp, "  index: %ld  position: %s/%u\n",
>                         ++(*global_index), path, index);
>
> -       if (td->structname) {
> +       if (td->structname && entry) {
>                 if (td->flags & TREE_STRUCT_RADIX_10)
>                         print_radix = 10;
>                 else if (td->flags & TREE_STRUCT_RADIX_16)
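Review bot: the `&& entry` guard keeps the NULL entry out of dump_struct_members_for_tree(), but the index/position line in the preceding context (`fprintf(fp, "  index: %ld  position: %s/%u\n", ...)`) is still emitted for that slot when that output is enabled, so an empty slot now shows its position with no members and no hint that it was skipped; consider printing a short marker for the empty entry. Since the crash itself happens inside the shared helper (parse_for_member_extended() via dump_struct_member(), per the backtrace), it is also worth checking whether dump_struct_members_for_tree() has other callers that can pass a NULL entry and, if so, placing the check inside the helper instead of only at this call site. The commit message could state explicitly that struct member output is skipped for empty slots.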
> --
> 2.31.1
>
>