Heap-buffer-overflow (off-by-one) in get_or_create_temp_file() in loader.c #492

@xroche

Description

get_or_create_temp_file() in src/lib/loader.c has an off-by-one heap-buffer-overflow in its malloc size calculation.

Steps to reproduce

  1. Build any application that dlopens libdd_profiling.so
  2. Run under AddressSanitizer (ASAN)
  3. The library's constructor (loader()) calls get_or_create_temp_file(), which triggers the overflow

Expected behavior

No memory corruption — the buffer should be large enough for the full path string including the NUL terminator.

Actual behavior

ASAN reports a heap-buffer-overflow (WRITE of size 65) in strcat, 0 bytes after a 97-byte allocation:

==2568==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7bf027027061
WRITE of size 65 at 0x7bf027027061 thread T0
  [frame=0, function=strcat]
  [frame=1, function=get_or_create_temp_file, location=loader.c]
  [frame=2, function=loader, location=loader.c]
  [frame=3, function=call_init, location=elf/dl-init.c:70:3]

0x7bf027027061 is located 0 bytes after 97-byte region [0x7bf027027000,0x7bf027027061)
allocated by thread T0 here:
  [frame=0, function=malloc]
  [frame=1, function=get_or_create_temp_file, location=loader.c]

Root cause

Line 213 of src/lib/loader.c:

char *path =
    malloc(strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2);

The constructed path is tmp_dir + "/" + prefix + "-" + data.digest + "\0", which requires 3 extra bytes (for "/", "-", and the NUL terminator), but only 2 are allocated.

For comparison, the sister function create_temp_file() (line 170) is correct — its format tmp_dir/prefix.XXXXXX only needs 2 extra bytes (/ and \0), since .XXXXXX is included in strlen(".XXXXXX").

Fix

Change + 2 to + 3 on line 213.

Configuration

  • ddprof version: v0.23.0 (release tarball)
  • OS: Ubuntu 22.04 (jammy)
  • Detected with: clang AddressSanitizer
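The sizing arithmetic described in this issue, as an added example that is not ddprof's code and does not reproduce loader.c: the function and variable names (buggy_path_size, required_path_size, build_temp_path, buggy_size_overflows) are hypothetical, and the inputs in main() are constructed. It puts the report's "+ 2" formula beside a size computed term by term from the format string, and builds the path with a bounded snprintf whose return value is checked, so a short allocation surfaces as a failed call rather than a silent one-byte heap write that only ASAN would catch.

```c
/* Added example, not code from ddprof/src/lib/loader.c.
 * All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The formula from the issue: one byte short, because the path carries
 * three bytes that no strlen() term counts: '/', '-', and the NUL. */
size_t buggy_path_size(const char *tmp_dir, const char *prefix, const char *digest)
{
    return strlen(tmp_dir) + strlen(prefix) + strlen(digest) + 2;
}

/* Correct size: write each separator and the terminator as its own term so
 * the arithmetic can be checked against the "%s/%s-%s" format below. */
size_t required_path_size(const char *tmp_dir, const char *prefix, const char *digest)
{
    return strlen(tmp_dir) + 1 /* '/' */
         + strlen(prefix)  + 1 /* '-' */
         + strlen(digest)  + 1 /* NUL */;
}

/* Build "tmp_dir/prefix-digest". snprintf both bounds the write to `size`
 * and returns the length it wanted, so an undersized buffer becomes a
 * detected truncation instead of a heap overflow. Caller frees the result. */
char *build_temp_path(const char *tmp_dir, const char *prefix, const char *digest)
{
    size_t size = required_path_size(tmp_dir, prefix, digest);
    char *path = malloc(size);
    if (path == NULL)
        return NULL;
    int n = snprintf(path, size, "%s/%s-%s", tmp_dir, prefix, digest);
    if (n < 0 || (size_t)n >= size) { /* encoding error or truncation */
        free(path);
        return NULL;
    }
    return path;
}

/* Returns 1 if the "+ 2" size cannot hold the full path (the off-by-one),
 * 0 if it can, -1 on allocation failure. */
int buggy_size_overflows(const char *tmp_dir, const char *prefix, const char *digest)
{
    char *path = build_temp_path(tmp_dir, prefix, digest);
    if (path == NULL)
        return -1;
    size_t needed = strlen(path) + 1;              /* bytes strcat() would write up to */
    int overflows = buggy_path_size(tmp_dir, prefix, digest) < needed;
    free(path);
    return overflows;
}

int main(void)
{
    /* Constructed inputs. The digest is assumed to be 64 hex characters,
     * which is consistent with the 65-byte strcat write in the ASAN report
     * (64 characters plus the NUL), but that is an assumption. */
    const char *tmp_dir = "/tmp";
    const char *prefix  = "pfx";
    const char *digest  = "0123456789abcdef0123456789abcdef"
                          "0123456789abcdef0123456789abcdef";

    printf("buggy size:    %zu\n", buggy_path_size(tmp_dir, prefix, digest));
    printf("required size: %zu\n", required_path_size(tmp_dir, prefix, digest));

    char *path = build_temp_path(tmp_dir, prefix, digest);
    if (path == NULL)
        return 1;
    printf("path: %s (%zu bytes incl. NUL)\n", path, strlen(path) + 1);
    printf("'+ 2' formula overflows: %d\n", buggy_size_overflows(tmp_dir, prefix, digest));
    free(path);
    return 0;
}
```

Under ASAN the original strcat() pattern only faults when the last byte crosses the allocation boundary, which is exactly what happened here (the NUL of the 65-byte write landing 0 bytes past a 97-byte region). Computing the size from the same pieces as the format string, and refusing to return a path when snprintf reports truncation, removes the dependency on ASAN to find the next sizing slip.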
