Open
Description
get_or_create_temp_file() in src/lib/loader.c has an off-by-one heap-buffer-overflow in its malloc size calculation.
Steps to reproduce
- Build any application that dlopens libdd_profiling.so
- Run under AddressSanitizer (ASAN)
- The library's constructor (loader()) calls get_or_create_temp_file(), which triggers the overflow
Expected behavior
No memory corruption — the buffer should be large enough for the full path string including the NUL terminator.
Actual behavior
ASAN reports a heap-buffer-overflow (WRITE of size 65) in strcat, 0 bytes after a 97-byte allocation:
```
==2568==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7bf027027061
WRITE of size 65 at 0x7bf027027061 thread T0
[frame=0, function=strcat]
[frame=1, function=get_or_create_temp_file, location=loader.c]
[frame=2, function=loader, location=loader.c]
[frame=3, function=call_init, location=elf/dl-init.c:70:3]
0x7bf027027061 is located 0 bytes after 97-byte region [0x7bf027027000,0x7bf027027061)
allocated by thread T0 here:
[frame=0, function=malloc]
[frame=1, function=get_or_create_temp_file, location=loader.c]
```
Root cause
Line 213 of src/lib/loader.c:

```c
char *path =
    malloc(strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2);
```

The constructed path is `tmp_dir` + `/` + `prefix` + `-` + `data.digest` + `\0`, which requires 3 extra bytes (for `/`, `-`, and the NUL terminator), but only 2 are allocated.
For comparison, the sister function create_temp_file() (line 170) is correct — its format tmp_dir/prefix.XXXXXX only needs 2 extra bytes (/ and \0), since .XXXXXX is included in strlen(".XXXXXX").
Fix
Change + 2 to + 3 on line 213.
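To make the arithmetic concrete, here is an added, stand-alone C example (not ddprof's code) that reconstructs the size expression from the report with its trailing constant as a parameter, and builds the same `tmp_dir/prefix-digest` path with a bounded `snprintf` so an undersized buffer is reported rather than written past. The inputs are constructed so the numbers match the ASAN output: a 97-byte allocation for a string that needs 98 bytes, i.e. a 1-byte overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed inputs (not ddprof's real values), chosen so the arithmetic
 * matches the ASAN report: 4 + 27 + 64 + 2 = 97 bytes allocated, 98 needed. */
static const char *TMP_DIR = "/tmp";
static const char *PREFIX = "ddprof_embedded_lib_sample_";     /* 27 chars */
static const char *DIGEST = "0123456789abcdef0123456789abcdef" /* 64 hex chars */
                            "0123456789abcdef0123456789abcdef";

/* Bytes the finished string occupies: tmp_dir '/' prefix '-' digest NUL. */
size_t path_bytes_needed(const char *tmp_dir, const char *prefix, const char *digest) {
    return strlen(tmp_dir) + 1 + strlen(prefix) + 1 + strlen(digest) + 1;
}

/* The reported size expression with its trailing constant: 2 is the bug, 3 the fix. */
size_t path_alloc_size(const char *tmp_dir, const char *prefix, const char *digest,
                       size_t extra) {
    return strlen(tmp_dir) + strlen(prefix) + strlen(digest) + extra;
}

/* Builds the path with a bounded snprintf instead of the unbounded strcat, so an
 * undersized buffer truncates instead of corrupting the heap. Returns how many
 * bytes strcat would have written past the allocation (0 = size was right). */
size_t build_path(const char *tmp_dir, const char *prefix, const char *digest,
                  size_t extra, char **out) {
    size_t alloc_size = path_alloc_size(tmp_dir, prefix, digest, extra);
    char *path = malloc(alloc_size);
    if (path == NULL) { *out = NULL; return 0; }
    int written = snprintf(path, alloc_size, "%s/%s-%s", tmp_dir, prefix, digest);
    *out = path;                                /* caller frees */
    size_t needed = (size_t)written + 1;        /* snprintf excludes the NUL */
    return needed > alloc_size ? needed - alloc_size : 0;
}

/* Overflow in bytes for the constructed inputs with a given trailing constant. */
size_t overflow_bytes_for(size_t extra) {
    char *p = NULL;
    size_t over = build_path(TMP_DIR, PREFIX, DIGEST, extra, &p);
    free(p);
    return over;
}

int main(void) {
    printf("needed=%zu  +2: alloc %zu, overflow %zu  +3: alloc %zu, overflow %zu\n",
           path_bytes_needed(TMP_DIR, PREFIX, DIGEST),
           path_alloc_size(TMP_DIR, PREFIX, DIGEST, 2), overflow_bytes_for(2),
           path_alloc_size(TMP_DIR, PREFIX, DIGEST, 3), overflow_bytes_for(3));
    return 0;
}
```

With the real code's `strcat`, that 1-byte shortfall is exactly the "0 bytes after 97-byte region" write ASAN flags; computing the size from the format pieces (each separator and the NUL counted explicitly) or using a bounded formatter removes the chance of miscounting.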
Configuration
- ddprof version: v0.23.0 (release tarball)
- OS: Ubuntu 22.04 (jammy)
- Detected with: clang AddressSanitizer