Fix out-of-bounds write and lack of null-termination in /proc/cpuinfo…#408

Open
mhansen wants to merge 2 commits into pytorch:main from mhansen:oob
@mhansen mhansen commented Jul 3, 2026

… parser

The parser for 'Hardware' and 'Revision' fields in src/arm/linux/cpuinfo.c had logic errors when handling values with length equal to or greater than the maximum buffer size.

  1. If value_length == LIMIT, it would write '\0' at index LIMIT, which is out of bounds (buffer size is LIMIT).
  2. If value_length > LIMIT, it would truncate to LIMIT, skip writing the null terminator, and copy LIMIT bytes, leaving the buffer non-null-terminated.

Fixed by checking if value_length >= LIMIT, truncating to LIMIT - 1 if so, and always writing the null terminator at the end of the (potentially truncated) copied value.

Fixes #407

@meta-cla meta-cla Bot added the cla signed label Jul 3, 2026
mhansen added 2 commits July 3, 2026 16:50
Added a reproduction test case `repro_cpuinfo` which uses a mock
filesystem with an overly long 'Hardware' value to trigger the issue.
The test is added to the CMake build (guarded for ARM).

Marked the test as WILL_FAIL in CMake because the bug is not yet fixed
in this commit.

TAG=agy
CONV=54bab573-9944-4cb7-9b45-7b056f7d9c47
… parser

The parser for 'Hardware' and 'Revision' fields in src/arm/linux/cpuinfo.c
had logic errors when handling values with length equal to or greater
than the maximum buffer size.

1. If value_length == LIMIT, it would write '\0' at index LIMIT, which is
   out of bounds (buffer size is LIMIT).
2. If value_length > LIMIT, it would truncate to LIMIT, skip writing
   the null terminator, and copy LIMIT bytes, leaving the buffer
   non-null-terminated.

Fixed by checking if value_length >= LIMIT, truncating to LIMIT - 1
if so, and always writing the null terminator at the end of the
(potentially truncated) copied value.

Removed the WILL_FAIL property from the repro test in CMakeLists.txt
as the test now passes.

TAG=agy
CONV=54bab573-9944-4cb7-9b45-7b056f7d9c47
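
The two failure cases listed in the description, next to the corrected bounds logic, as an added example that is not the project's code or part of this pull request. `LIMIT` is set to 8 for the demo; the function names, the guard byte and the inputs are constructed, and `strlen` stands in for whatever length the parser computes.

```c
#include <stdio.h>
#include <string.h>

#define LIMIT 8      /* assumed demo size; the field buffer holds LIMIT bytes */
#define GUARD 0xAA   /* canary byte placed just past the field */

/* "Before" logic as the description states it (kept deliberately buggy). */
static void copy_before(const char *value, size_t value_length, char *field) {
    if (value_length > LIMIT) {
        value_length = LIMIT;           /* truncates, never terminates */
    } else {
        field[value_length] = '\0';     /* index LIMIT when length == LIMIT */
    }
    memcpy(field, value, value_length);
}

/* "After" logic: clamp to LIMIT - 1, copy, then always terminate. */
static void copy_after(const char *value, size_t value_length, char *field) {
    if (value_length >= LIMIT) {
        value_length = LIMIT - 1;
    }
    memcpy(field, value, value_length);
    field[value_length] = '\0';
}

typedef void (*copy_fn)(const char *, size_t, char *);

/* Runs fn on a LIMIT-byte field backed by LIMIT + 1 bytes of storage, so a
 * write at index LIMIT lands on the canary instead of corrupting memory.
 * Returns a bitmask: 1 = canary overwritten, 2 = no NUL inside the field. */
static int check(copy_fn fn, const char *value) {
    unsigned char storage[LIMIT + 1];
    memset(storage, GUARD, sizeof storage);
    fn(value, strlen(value), (char *)storage);
    int result = 0;
    if (storage[LIMIT] != GUARD) result |= 1;
    if (memchr(storage, '\0', LIMIT) == NULL) result |= 2;
    return result;
}

int main(void) {
    /* Constructed inputs: shorter than, equal to, and longer than LIMIT. */
    const char *inputs[] = { "BCM2835", "ABCDEFGH", "ABCDEFGHIJKL" };
    for (size_t i = 0; i < 3; i++) {
        printf("len=%2zu before=%d after=%d\n", strlen(inputs[i]),
               check(copy_before, inputs[i]), check(copy_after, inputs[i]));
    }
    return 0;
}
```

A value of exactly `LIMIT` bytes trips both conditions in the old logic (terminator written one byte past the field, none inside it), while a longer value leaves the canary intact but the field unterminated, which is the case a later `strlen` or `%s` on the field would read past.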
Development

Successfully merging this pull request may close these issues.

Buffer Overflow (OOB Write/Read) in Hardware and Revision Parsing
