From be2d01ee635103a77a9f68576c852f5ef3b16d0f Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Mon, 15 Apr 2024 15:49:16 +0200
Subject: pkg/report: fix OOB in linux.symbolize()

NewScanner() had an implicit limit on the maximum line size, which we could surpass e.g. by printing some long serialized program. In this case, there's no reason to use NewScanner() -- we already have the whole buffer, so let's use raw byte operations instead.

Remove one of the checks that turned out to be unneeded, but leave an assertion inside the symbolize() method.

Closes #4198.
---
 pkg/report/linux.go | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

(limited to 'pkg/report')

diff --git a/pkg/report/linux.go b/pkg/report/linux.go
index 8d44893f9..0fdcee54c 100644
--- a/pkg/report/linux.go
+++ b/pkg/report/linux.go
@@ -375,15 +375,7 @@ func (ctx *linux) Symbolize(rep *Report) error {
 return err
 }
 }
-
- oldLen := len(rep.Report)
 rep.Report = ctx.decompileOpcodes(rep.Report, rep)
- if len(rep.Report) > 0 && rep.reportPrefixLen > len(rep.Report) {
- // An attempt to catch #4198.
- panic(fmt.Sprintf("invalid reportPrefixLen (%d) after decompileOpcodes, report len: %d -> %d, report: %+v",
- rep.reportPrefixLen, oldLen, len(rep.Report), rep,
- ))
- }
 // Skip getting maintainers for Android fuzzing since the kernel source
 // directory structure is different.
@@ -411,27 +403,24 @@ func (ctx *linux) symbolize(rep *Report) error {
 return ctx.symbolizerCache.Symbolize(symb.Symbolize, bin, pc)
 }
 var symbolized []byte
- s := bufio.NewScanner(bytes.NewReader(rep.Report))
 prefix := rep.reportPrefixLen
- for s.Scan() {
- line := append([]byte{}, s.Bytes()...)
- line = append(line, '\n')
+ for _, originalLine := range bytes.SplitAfter(rep.Report, []byte("\n")) {
+ line := append([]byte{}, originalLine...)
 newLine := symbolizeLine(symbFunc, ctx.symbols, ctx.vmlinux, ctx.kernelBuildSrc, line)
 if prefix > len(symbolized) {
 prefix += len(newLine) - len(line)
 }
 symbolized = append(symbolized, newLine...)
 }
- oldLen := len(rep.Report)
+ oldReport := rep.Report
 rep.Report = symbolized
 oldPrefixLen := rep.reportPrefixLen
 rep.reportPrefixLen = prefix
 if len(rep.Report) > 0 && rep.reportPrefixLen > len(rep.Report) {
- // An attempt to catch #4198.
 panic(fmt.Sprintf("invalid reportPrefixLen after symbolize: prefix %d -> %d,"+
- "report len: %d -> %d, report: %+v",
- oldPrefixLen, rep.reportPrefixLen, oldLen, len(rep.Report), rep,
+ "report len: %d -> %d, old report: %q",
+ oldPrefixLen, rep.reportPrefixLen, len(oldReport), len(rep.Report), oldReport,
 ))
 }
 return nil
-- 
cgit mrf-deployment
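Review bot: The rewritten loop now passes an empty slice to symbolizeLine once per report, because bytes.SplitAfter keeps the empty remainder after the final "\n" (and yields a single empty element for an empty rep.Report), whereas the old scanner loop never produced an empty line. If symbolizeLine returns its input unchanged when nothing matches this is harmless, but it is cheaper and makes the intent explicit to skip it before the copy: `if len(originalLine) == 0 { continue }`. The copy `line := append([]byte{}, originalLine...)` existed for the scanner's reused buffer; now it only matters if symbolizeLine or the symbolizer cache writes into its argument, since the SplitAfter pieces alias rep.Report, so a one-line comment stating which of those is the case would stop the next reader from deleting it. Note also that `%q` of oldReport in the panic emits the entire old report, which per the commit message may include a long serialized program; a truncated excerpt plus the two lengths would usually be enough to diagnose a bad prefix. The body of symbolize begins before this hunk.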