[Crash-utility] [PATCH v1 3/3] tools: Fix potential write to object of 0 size

HATAYAMA Daisuke d.hatayama at fujitsu.com
Mon Jan 4 05:28:45 UTC 2021


valgrind detects the following invalid write on the call to strcpy():

    ==22674== Invalid write of size 1
    ==22674==    at 0x483CCFE: strcpy (vg_replace_strmem.c:511)
    ==22674==    by 0x47202B: extract_hex (tools.c:1152)
    ==22674==    by 0x5104ED: search_for_switch_to (x86_64.c:6342)
    ==22674==    by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368)
    ==22674==    by 0x51D6EE: x86_64_init (x86_64.c:721)
    ==22674==    by 0x464A2D: main_loop (main.c:770)
    ==22674==    by 0x6BF1B2: captured_command_loop (main.c:258)
    ==22674==    by 0x6BD7B9: catch_errors (exceptions.c:557)
    ==22674==    by 0x6C0235: captured_main (main.c:1064)
    ==22674==    by 0x6BD7B9: catch_errors (exceptions.c:557)
    ==22674==    by 0x6C04E6: gdb_main (main.c:1079)
    ==22674==    by 0x6C04E6: gdb_main_entry (main.c:1099)
    ==22674==    by 0x46316F: main (main.c:708)
    ==22674==  Address 0x2b439eb8 is 0 bytes after a block of size 40 alloc'd
    ==22674==    at 0x483BAE9: calloc (vg_replace_malloc.c:760)
    ==22674==    by 0x471794: getbuf (tools.c:6036)
    ==22674==    by 0x47201D: extract_hex (tools.c:1151)
    ==22674==    by 0x5104ED: search_for_switch_to (x86_64.c:6342)
    ==22674==    by 0x51D6EE: x86_64_thread_return_init (x86_64.c:6368)
    ==22674==    by 0x51D6EE: x86_64_init (x86_64.c:721)
    ==22674==    by 0x464A2D: main_loop (main.c:770)
    ==22674==    by 0x6BF1B2: captured_command_loop (main.c:258)
    ==22674==    by 0x6BD7B9: catch_errors (exceptions.c:557)
    ==22674==    by 0x6C0235: captured_main (main.c:1064)
    ==22674==    by 0x6BD7B9: catch_errors (exceptions.c:557)
    ==22674==    by 0x6C04E6: gdb_main (main.c:1079)
    ==22674==    by 0x6C04E6: gdb_main_entry (main.c:1099)
    ==22674==    by 0x46316F: main (main.c:708)

This is due to strcpy() receiving an empty string as its 1st argument,
because the size of the buffer associated with the buf variable is then
0, owing to a lack of consideration of the terminal '\0' byte.

Fix this by adding 1 to the buffer size for the terminal '\0' byte.

Signed-off-by: HATAYAMA Daisuke <d.hatayama at fujitsu.com>
---
 tools.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools.c b/tools.c
index 91d5baf..8050d30 100644
--- a/tools.c
+++ b/tools.c
@@ -1150,7 +1150,7 @@ extract_hex(char *s, ulong *result, char stripchar, ulong first_instance)
 	ulong value;
 	char *buf;
 
-	buf = GETBUF(strlen(s));
+	buf = GETBUF(strlen(s) + 1);
 	strcpy(buf, s);
 	argc = parse_line(buf, arglist);
 
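Review bot: The +1 is the right fix for the missing terminator: with the original request of GETBUF(strlen(s)) the unbounded `strcpy(buf, s);` always writes exactly one byte past the requested size (the NUL), which is what the valgrind trace reports as "0 bytes after a block". Consider making the intent explicit at the call site, e.g. `buf = GETBUF(strlen(s) + 1); /* +1 for the terminating NUL */`, so the next reader does not "simplify" it back, and it may be worth auditing other GETBUF(strlen(...)) call sites in tools.c for the same off-by-one pattern.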
-- 
1.8.3.1
