Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

perf expr: Prevent normalize() from reading into undefined memory in the expression lexer

The current implementation does not account for a trailing backslash
followed by a null-byte.

If a null-byte is encountered following a backslash, normalize() will
continue reading (and potentially writing) into garbage memory, ignoring
the EOS null-byte.

Signed-off-by: Sohom Datta <sohomdatta1+git@gmail.com>
Acked-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20221204105836.1012885-1-sohomdatta1+git@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
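The failure mode described above, as an added example that is not the kernel's code: a simplified model of normalize() from tools/perf/util/expr.l, once as it read before this commit and once with the check the commit adds. The function names `normalize_before`, `normalize_after` and `run`, the `consumed` out-parameter that reports how far the source pointer advanced, the `scratch` buffer, and the `SAMPLE` input (a trailing backslash, the terminator, then bytes that merely happen to follow it in memory) are all constructed for this example so the over-read stays inside one array and is observable instead of undefined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of normalize() before the fix (example code, not the kernel's own):
 * strips the backslash from "\x" escapes and replaces '?' with the runtime
 * value, in place. 'consumed' reports how many source bytes were read. */
static char *normalize_before(char *str, int runtime, size_t *consumed)
{
	char *start = str;
	char *dst = str;

	while (*str) {
		if (*str == '\\')
			*dst++ = *++str;	/* on "\<NUL>" this copies the NUL and stops on it */
		else if (*str == '?') {
			char paramval[16];
			int size = snprintf(paramval, sizeof(paramval), "%d", runtime);

			for (int i = 0; i < size; i++)
				*dst++ = paramval[i];
		} else
			*dst++ = *str;
		str++;			/* ...then steps past the terminator */
	}
	*dst = '\0';
	*consumed = (size_t)(str - start);
	return start;
}

/* Same loop with the check from this commit: stop as soon as the byte after
 * the backslash is the terminator. */
static char *normalize_after(char *str, int runtime, size_t *consumed)
{
	char *start = str;
	char *dst = str;

	while (*str) {
		if (*str == '\\') {
			*dst++ = *++str;
			if (!*str)
				break;
		} else if (*str == '?') {
			char paramval[16];
			int size = snprintf(paramval, sizeof(paramval), "%d", runtime);

			for (int i = 0; i < size; i++)
				*dst++ = paramval[i];
		} else
			*dst++ = *str;
		str++;
	}
	*dst = '\0';
	*consumed = (size_t)(str - start);
	return start;
}

/* Constructed input: "1", a lone backslash, the terminator, and four bytes
 * that sit after it in memory. Index 7 is the array's final NUL. */
static const char SAMPLE[] = "1\\\0junk";

/* Scratch buffer and driver: copy 'len' bytes (including every NUL) into
 * scratch, run one version over it, return the bytes it consumed. */
static char scratch[32];

static size_t run(char *(*fn)(char *, int, size_t *),
		  const char *src, size_t len, int runtime)
{
	size_t n;

	memset(scratch, 0, sizeof(scratch));
	memcpy(scratch, src, len);
	fn(scratch, runtime, &n);
	return n;
}

int main(void)
{
	printf("before: consumed %zu bytes, result \"%s\"\n",
	       run(normalize_before, SAMPLE, sizeof(SAMPLE), 0), scratch);
	printf("after:  consumed %zu bytes, result \"%s\"\n",
	       run(normalize_after, SAMPLE, sizeof(SAMPLE), 0), scratch);
	return 0;
}
```

On the sample the old loop consumes 7 bytes, reading "junk" from beyond the string's own terminator, while the fixed loop stops after 2; in the real lexer the bytes past the NUL are whatever the heap holds, which is the undefined read the commit message refers to.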

Authored by Sohom Datta and committed by Arnaldo Carvalho de Melo
85c44913 c905ecfb

+4 -1
tools/perf/util/expr.l
··· 42 42 char *dst = str; 43 43 44 44 while (*str) { 45 - if (*str == '\\') 45 + if (*str == '\\') { 46 46 *dst++ = *++str; 47 + if (!*str) 48 + break; 49 + } 47 50 else if (*str == '?') { 48 51 char *paramval; 49 52 int i = 0;
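Review bot: the new `if (!*str) break;` runs after `*dst++ = *++str;` has already copied the terminator into the output, so a dangling backslash at the end of the input is silently dropped rather than reported; this is harmless here because the copied NUL terminates the result and the final store after the loop stays in bounds, but consider whether the lexer should flag an incomplete escape instead. Testing the following byte before the copy (`if (*str == '\\' && str[1])`) would avoid writing the NUL into `dst` at all.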