libbpf-tools: fix uprobe helper possible overflow

get_pid_lib_path didn't use path_sz in sscanf, so it may cause buffer overflow when path_sz is smaller than the real lib path. For exmample: "get_pid_lib_path(1, "c", minpath, 1)" may bring error.
e-dant · Dec 17, 2022 · a7f2ac1 · a7f2ac1
1 parent 9fb71e0
commit a7f2ac1
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/libbpf-tools/uprobe_helpers.c b/libbpf-tools/uprobe_helpers.c
@@ -56,6 +56,7 @@ int get_pid_lib_path(pid_t pid, const char *lib, char *path, size_t path_sz)
  char *p;
  char proc_pid_maps[32];
  char line_buf[1024];
+ char path_buf[1024];
 
  if (snprintf(proc_pid_maps, sizeof(proc_pid_maps), "/proc/%d/maps", pid)
  >= sizeof(proc_pid_maps)) {
@@ -68,10 +69,10 @@ int get_pid_lib_path(pid_t pid, const char *lib, char *path, size_t path_sz)
  return -1;
  }
  while (fgets(line_buf, sizeof(line_buf), maps)) {
- if (sscanf(line_buf, "%*x-%*x %*s %*x %*s %*u %s", path) != 1)
+ if (sscanf(line_buf, "%*x-%*x %*s %*x %*s %*u %s", path_buf) != 1)
  continue;
  /* e.g. /usr/lib/x86_64-linux-gnu/libc-2.31.so */
- p = strrchr(path, '/');
+ p = strrchr(path_buf, '/');
  if (!p)
  continue;
  if (strncmp(p, "/lib", 4))
@@ -83,7 +84,11 @@ int get_pid_lib_path(pid_t pid, const char *lib, char *path, size_t path_sz)
  /* libraries can have - or . after the name */
  if (*p != '.' && *p != '-')
  continue;
-
+ if (strnlen(path_buf, 1024) >= path_sz) {
+ warn("path size too small\n");
+ return -1;
+ }
+ strcpy(path, path_buf);
  fclose(maps);
  return 0;
  }