expr_str() allocates a fixed MAX_FILTER_STR_VAL buffer and then builds expression names with a series of raw strcat() appends. Nested operands, constants and field flags can push the rendered string past that fixed limit before the name is attached to the hist field.
Build the expression strings with seq_buf and return -E2BIG when the rendered name would exceed MAX_FILTER_STR_VAL. Signed-off-by: Pengpeng Hou <[email protected]> --- Changes since v3: https://lore.kernel.org/all/[email protected]/ - rebase on top of v7.1-rc3 - keep the ERR_PTR() conversion in patch 1 - use seq_buf for expression construction and return -E2BIG on overflow kernel/trace/trace_events_hist.c | 62 +++++++++++++++++++------------- 1 file changed, 38 insertions(+), 24 deletions(-) diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 0b33bb8ef6f7..c878dc8f0cb9 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -8,6 +8,7 @@ #include <linux/module.h> #include <linux/kallsyms.h> #include <linux/security.h> +#include <linux/seq_buf.h> #include <linux/mutex.h> #include <linux/slab.h> #include <linux/stacktrace.h> @@ -1743,33 +1744,37 @@ static const char *get_hist_field_flags(struct hist_field *hist_field) return flags_str; } -static void expr_field_str(struct hist_field *field, char *expr) +static bool expr_field_str(struct hist_field *field, struct seq_buf *s) { + const char *field_name; + if (field->flags & HIST_FIELD_FL_VAR_REF) { if (!field->system) - strcat(expr, "$"); - } else if (field->flags & HIST_FIELD_FL_CONST) { - char str[HIST_CONST_DIGITS_MAX]; + seq_buf_putc(s, '$'); + } else if (field->flags & HIST_FIELD_FL_CONST) + seq_buf_printf(s, "%llu", field->constant); - snprintf(str, HIST_CONST_DIGITS_MAX, "%llu", field->constant); - strcat(expr, str); - } + field_name = hist_field_name(field, 0); + if (!field_name) + return false; - strcat(expr, hist_field_name(field, 0)); + seq_buf_puts(s, field_name); if (field->flags && !(field->flags & HIST_FIELD_FL_VAR_REF)) { const char *flags_str = get_hist_field_flags(field); - if (flags_str) { - strcat(expr, "."); - strcat(expr, flags_str); - } + if (flags_str) + seq_buf_printf(s, ".%s", flags_str); } + + seq_buf_str(s); + return !seq_buf_has_overflowed(s); } static char *expr_str(struct hist_field *field, unsigned int level) { char *expr __free(kfree) = NULL; + struct seq_buf s; if (level > 1) return ERR_PTR(-EINVAL); @@ -1778,47 +1783,56 @@ static char *expr_str(struct hist_field *field, unsigned int level) if (!expr) return ERR_PTR(-ENOMEM); + seq_buf_init(&s, expr, MAX_FILTER_STR_VAL); + if (!field->operands[0]) { - expr_field_str(field, expr); + if (!expr_field_str(field, &s)) + return ERR_PTR(-E2BIG); + return_ptr(expr); } if (field->operator == FIELD_OP_UNARY_MINUS) { - char *subexpr; + char *subexpr __free(kfree) = NULL; - strcat(expr, "-("); + seq_buf_puts(&s, "-("); subexpr = expr_str(field->operands[0], ++level); if (IS_ERR(subexpr)) return subexpr; - strcat(expr, subexpr); - strcat(expr, ")"); + seq_buf_puts(&s, subexpr); + seq_buf_putc(&s, ')'); + seq_buf_str(&s); - kfree(subexpr); + if (seq_buf_has_overflowed(&s)) + return ERR_PTR(-E2BIG); return_ptr(expr); } - expr_field_str(field->operands[0], expr); + if (!expr_field_str(field->operands[0], &s)) + return ERR_PTR(-E2BIG); switch (field->operator) { case FIELD_OP_MINUS: - strcat(expr, "-"); + seq_buf_putc(&s, '-'); break; case FIELD_OP_PLUS: - strcat(expr, "+"); + seq_buf_putc(&s, '+'); break; case FIELD_OP_DIV: - strcat(expr, "/"); + seq_buf_putc(&s, '/'); break; case FIELD_OP_MULT: - strcat(expr, "*"); + seq_buf_putc(&s, '*'); break; default: return ERR_PTR(-EINVAL); } - expr_field_str(field->operands[1], expr); + if (seq_buf_has_overflowed(&s) || + !expr_field_str(field->operands[1], &s)) + return ERR_PTR(-E2BIG); return_ptr(expr); } -- 2.50.1 (Apple Git-155)
