Merge pull request #1338 from palmtenor/uprobe_check

Improve string buffer checking on uprobe attach and detach
iovisor · Sep 8, 2017 · 15b15ed · 15b15ed
2 parents d56fff0 + 0760b75
commit 15b15ed
Showing 1 changed file with 29 additions and 19 deletions.
diff --git a/src/cc/libbpf.c b/src/cc/libbpf.c
@@ -606,15 +606,12 @@ void * bpf_attach_uprobe(int progfd, enum bpf_probe_attach_type attach_type, con
  pid_t pid, int cpu, int group_fd,
  perf_reader_cb cb, void *cb_cookie)
 {
- int kfd;
  char buf[PATH_MAX];
- char new_name[256];
+ char event_alias[PATH_MAX];
  struct perf_reader *reader = NULL;
  static char *event_type = "uprobe";
- int ns_fd = -1;
- int n;
+ int res, kfd = -1, ns_fd = -1;
 
- snprintf(new_name, sizeof(new_name), "%s_bcc_%d", ev_name, getpid());
  reader = perf_reader_new(cb, NULL, NULL, cb_cookie, probe_perf_reader_page_cnt);
  if (!reader)
  goto error;
@@ -626,57 +623,70 @@ void * bpf_attach_uprobe(int progfd, enum bpf_probe_attach_type attach_type, con
  goto error;
  }
 
- n = snprintf(buf, sizeof(buf), "%c:%ss/%s %s:0x%lx", attach_type==BPF_PROBE_ENTRY ? 'p' : 'r',
- event_type, new_name, binary_path, offset);
- if (n >= sizeof(buf)) {
- fprintf(stderr, "Name too long for uprobe; ev_name (%s) is probably too long\n", ev_name);
- close(kfd);
+ res = snprintf(event_alias, sizeof(event_alias), "%s_bcc_%d", ev_name, getpid());
+ if (res < 0 || res >= sizeof(event_alias)) {
+ fprintf(stderr, "Event name (%s) is too long for buffer\n", ev_name);
+ goto error;
+ }
+ res = snprintf(buf, sizeof(buf), "%c:%ss/%s %s:0x%lx", attach_type==BPF_PROBE_ENTRY ? 'p' : 'r',
+ event_type, event_alias, binary_path, offset);
+ if (res < 0 || res >= sizeof(buf)) {
+ fprintf(stderr, "Event alias (%s) too long for buffer\n", event_alias);
  goto error;
  }
 
  ns_fd = enter_mount_ns(pid);
  if (write(kfd, buf, strlen(buf)) < 0) {
  if (errno == EINVAL)
  fprintf(stderr, "check dmesg output for possible cause\n");
- close(kfd);
  goto error;
  }
  close(kfd);
  exit_mount_ns(ns_fd);
  ns_fd = -1;
 
- snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s", event_type, new_name);
+ snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s", event_type, event_alias);
  if (bpf_attach_tracing_event(progfd, buf, reader, pid, cpu, group_fd) < 0)
  goto error;
 
  return reader;
 
 error:
+ if (kfd >= 0)
+ close(kfd);
  exit_mount_ns(ns_fd);
  perf_reader_free(reader);
  return NULL;
 }
 
 static int bpf_detach_probe(const char *ev_name, const char *event_type)
 {
- int kfd;
- char buf[256];
+ int kfd, res;
+ char buf[PATH_MAX];
  snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/%s_events", event_type);
  kfd = open(buf, O_WRONLY | O_APPEND, 0);
  if (kfd < 0) {
  fprintf(stderr, "open(%s): %s\n", buf, strerror(errno));
- return -1;
+ goto error;
  }
 
- snprintf(buf, sizeof(buf), "-:%ss/%s_bcc_%d", event_type, ev_name, getpid());
+ res = snprintf(buf, sizeof(buf), "-:%ss/%s_bcc_%d", event_type, ev_name, getpid());
+ if (res < 0 || res >= sizeof(buf)) {
+ fprintf(stderr, "snprintf(%s): %d\n", ev_name, res);
+ goto error;
+ }
  if (write(kfd, buf, strlen(buf)) < 0) {
  fprintf(stderr, "write(%s): %s\n", buf, strerror(errno));
- close(kfd);
- return -1;
+ goto error;
  }
- close(kfd);
 
+ close(kfd);
  return 0;
+
+error:
+ if (kfd >= 0)
+ close(kfd);
+ return -1;
 }
 
 int bpf_detach_kprobe(const char *ev_name)