


[PATCH] buffer overflow when too many modules loaded


Hello,

SystemTap hasn't been working for me at all for some time. It produced
messages like:
WARNING: There were -480085571 transport failures.
... and oopsed in the kernel every time.
It was caused by buffer overflows of the _stp_modules and
_stp_modules_by_addr arrays. I have 139 modules loaded after boot (lots
of Netfilter modules), which is more than the current limit of 128, and
there was no boundary check.
This patch raises the limit to 256 modules and adds proper checking. It
fixes the problem for me. And I verified that the probe now correctly
fails to initialize if the limit is reached.

Michal

Index: runtime/sym.h
===================================================================
RCS file: /cvs/systemtap/src/runtime/sym.h,v
retrieving revision 1.4
diff -u -p -r1.4 sym.h
--- runtime/sym.h	21 Mar 2007 15:09:57 -0000	1.4
+++ runtime/sym.h	8 Jul 2007 22:00:33 -0000
@@ -49,7 +49,7 @@ struct _stp_module {
 };
 
 #ifndef STP_MAX_MODULES
-#define STP_MAX_MODULES 128
+#define STP_MAX_MODULES 256
 #endif
 
 /* the alphabetical array of modules */
Index: runtime/transport/symbols.c
===================================================================
RCS file: /cvs/systemtap/src/runtime/transport/symbols.c,v
retrieving revision 1.13
diff -u -p -r1.13 symbols.c
--- runtime/transport/symbols.c	2 Jul 2007 07:05:10 -0000	1.13
+++ runtime/transport/symbols.c	8 Jul 2007 22:00:34 -0000
@@ -378,7 +378,7 @@ static int _stp_module_exists(struct _st
 	return 0;
 }
 
-static void _stp_ins_module(struct _stp_module *mod)
+static int _stp_ins_module(struct _stp_module *mod)
 {
 	int i, num, res;
 	unsigned long flags;
@@ -387,6 +387,11 @@ static void _stp_ins_module(struct _stp_
 
 	STP_LOCK_MODULES;
 
+	if (_stp_num_modules == STP_MAX_MODULES) {
+		STP_UNLOCK_MODULES;
+		return -ENOMEM;
+	}
+
 	/* insert alphabetically in _stp_modules[] */
 	for (num = 1; num < _stp_num_modules; num++) {
 		res = strcmp(_stp_modules[num]->name, mod->name);
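Review bot: The new guard on `_stp_num_modules` tests for exact equality with STP_MAX_MODULES, so it only stops the insert when the counter lands precisely on the limit; a `>=` comparison is the defensive form for a bounds check on an array index and costs nothing, `if (_stp_num_modules >= STP_MAX_MODULES) {`. Doing the check under STP_LOCK_MODULES is right, since the same lock guards the increment later in the function. -ENOMEM reads as an allocation failure to a caller; if the table being full should be distinguishable, a comment such as `/* module table full; see STP_MAX_MODULES in sym.h */` above the check would at least document the intent. The body of _stp_ins_module starts before and continues after this hunk.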
@@ -413,6 +418,7 @@ static void _stp_ins_module(struct _stp_
 	_stp_num_modules++;
 
 	STP_UNLOCK_MODULES;
+	return 0;
 }
 
 
@@ -462,7 +468,8 @@ static int _stp_do_module(const char __u
 		return 0;
 	}
 
-	_stp_ins_module(mod);
+	if (_stp_ins_module(mod) < 0)
+		return -ENOMEM;
 	
 	return count;
 }
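Review bot: The caller collapses whatever _stp_ins_module returns into a hard-coded -ENOMEM, which duplicates the error constant in two places and will silently misreport any other negative value the callee later returns; propagating the result is both shorter and more robust, `int ret = _stp_ins_module(mod);` followed by `if (ret < 0) return ret;`. If `mod` was allocated earlier in _stp_do_module (the allocation is outside this hunk, so this is inferred), the new early return also skips whatever release the success path relies on, and the failure path should free or otherwise dispose of `mod` before returning. The rest of _stp_do_module lies outside the hunk.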

