[DTrace-devel] [PATCH] Fix invalid memory access when looking for pid provider

Eugene Loh eugene.loh at oracle.com
Wed Apr 8 12:42:04 PDT 2020


On 04/08/2020 08:00 AM, Kris Van Hees wrote:

> The code to determine whether a provider name is a pid provider checks
> whether the last character of the provider name is a digit.  This worked
> fine when the probe description name components were fixed size character

hyphenate "fixed-size"

> arrays, but with the change to using allocated trings, this can result in

trings -> strings

> reading a bytye *before* the allocated string if the string is an empty

bytye -> byte

> string because we look at pdp->prv[strlen(pdp->prv) - 1) which would be

- 1)
->
-1]

But I think you can even just drop the text starting at "because we 
look...".  The commit is short and clear enough that the log message is 
becoming more complicated than the commit itself.

> pdp->prv[0 - 1], and therefore we access pdp->prv[-1].
>
> Signed-off-by: Kris Van Hees <kris.van.hees at oracle.com>
> ---
>   libdtrace/dt_cc.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libdtrace/dt_cc.c b/libdtrace/dt_cc.c
> index fe7082e8..db009461 100644
> --- a/libdtrace/dt_cc.c
> +++ b/libdtrace/dt_cc.c
> @@ -1679,7 +1679,8 @@ dt_setcontext(dtrace_hdl_t *dtp, dtrace_probedesc_t *pdp)
>   	 * On an error, dt_pid_create_probes() will set the error message
>   	 * and tag -- we just have to longjmp() out of here.
>   	 */
> -	if (isdigit(pdp->prv[strlen(pdp->prv) - 1]) &&
> +	if (pdp->prv && pdp->prv[0] &&
> +	    isdigit(pdp->prv[strlen(pdp->prv) - 1]) &&
>   	    ((pvp = dt_provider_lookup(dtp, pdp->prv)) == NULL ||
>   	    pvp->desc.dtvd_priv.dtpp_flags & DTRACE_PRIV_PROC) &&
>   	    dt_pid_create_probes(pdp, dtp, yypcb) != 0) {
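Review bot: the new guard covers the empty-string case, but `isdigit()` is still called on a plain `char` taken from the end of the provider name; if `char` is signed and the last byte is outside 0..127, that is undefined behaviour in `isdigit()`, so consider `isdigit((unsigned char)pdp->prv[strlen(pdp->prv) - 1])` on the `+` line that keeps the `isdigit()` call. Also, the diff adds a `pdp->prv` NULL check that the commit message never mentions (it only describes the empty-string read at index -1); either say why `prv` can be NULL here or drop that half of the guard so the message and the change agree.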
