
libbpf-tools: fix stack smashing in ksyms__load from long kernel symbol names#5478

Draft
Copilot wants to merge 2 commits into master from copilot/fix-biosnoop-stack-smashing

Conversation


Copilot AI commented Mar 1, 2026

Rust-mangled kernel symbols can exceed 287 characters. ksyms__load used a 256-byte stack buffer with an unbounded %s in fscanf, causing a stack buffer overflow and SIGABRT in tools that load ksyms (biosnoop, biotop, biostacks, etc.).

Changes

  • libbpf-tools/trace_helpers.c
    • Increase sym_name buffer: char sym_name[256] → char sym_name[2048]
    • Add matching width guard in fscanf: %s → %2047s
// Before
char sym_type, sym_name[256];
...
ret = fscanf(f, "%lx %c %s%*[^\n]\n", &sym_addr, &sym_type, sym_name);

// After
char sym_type, sym_name[2048];
...
ret = fscanf(f, "%lx %c %2047s%*[^\n]\n", &sym_addr, &sym_type, sym_name);

The 2048-byte buffer provides headroom well beyond current observed maximums; the %2047s width specifier enforces a hard bound regardless of future symbol length growth.

Original prompt

This section details the original issue you should resolve

<issue_title>biosnoop fails w/ stack smashing detected</issue_title>
<issue_description>### Environment

  • OS: Arch Linux
  • Package version: bcc-libbpf-tools=0.36.1-1
  • Kernel: "vanilla" kernel. Version 6.18.9.arch1-2

Steps to reproduce

  • Run sudo biosnoop. Also reproducible with biotop and biostacks (maybe more)

Expected Behavior

Works as usual

Actual Behavior

Exits with the following error message:

*** stack smashing detected ***: terminated
fish: Job 1, 'sudo biotop' terminated by signal SIGABRT (Abort)

Exit code is 134.

Possible Root Cause

Diagnosed by @heftig:

wc -L /proc/kallsyms reports 306 /proc/kallsyms for linux-zen. There's at least one symbol with a very long name, up to 287 characters. It's probably one of the mangled symbols of Rust code.

The ksyms__load function uses an on-stack string (char sym_name[256]) to hold the name of each symbol it reads, and reading any name longer than 255 characters causes a buffer overflow.

Misc

Comments on the Issue (you are @copilot in this section)



Co-authored-by: ekyooo <46103109+ekyooo@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix biosnoop stack smashing detected issue libbpf-tools: fix stack smashing in ksyms__load from long kernel symbol names Mar 1, 2026
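As an added example (not code from this PR or from bcc), the bounded read the PR adopts, extended with the check a reviewer would want next: `%2047s` stops the copy from overrunning the buffer, but a name longer than the bound is silently cut, so `%n` is used to detect and flag that. SYM_NAME_MAX is the PR's value; the address and the 'R'-filled symbol names are constructed input, not real kallsyms data.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define SYM_NAME_MAX 2048   /* the PR's bound; %2047s below is one less for the NUL */

struct ksym {
    unsigned long addr;
    char type;
    char name[SYM_NAME_MAX];
    bool truncated;         /* name did not fit; callers must not trust it */
};

/* Parse a /proc/kallsyms line "<addr> <type> <name> [module]"; 1 on success, 0 if
 * malformed. %2047s bounds the copy; %n lets us flag a name the bound cut short. */
static int parse_ksym_line(const char *line, struct ksym *out)
{
    int consumed = 0;
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%lx %c %2047s%n",
               &out->addr, &out->type, out->name, &consumed) != 3)
        return 0;
    /* a name ends at whitespace or end of line; anything else means it was cut */
    char next = line[consumed];
    out->truncated = next != '\0' && next != ' ' && next != '\t' && next != '\n';
    return 1;
}

/* Constructed input (not real kernel data): a name of name_len 'R's, standing in for
 * a long Rust-mangled symbol. Returns parsed name length or -1; sets *truncated. */
static int parse_constructed(size_t name_len, bool *truncated)
{
    static char line[4096];
    struct ksym k;
    int n = snprintf(line, sizeof(line), "ffffffffc0a00000 t ");
    if (n < 0 || (size_t)n + name_len + 2 > sizeof(line))
        return -1;
    memset(line + n, 'R', name_len);
    strcpy(line + n + name_len, "\n");
    if (!parse_ksym_line(line, &k))
        return -1;
    *truncated = k.truncated;
    return (int)strlen(k.name);
}

int main(void)
{
    bool t; int len = parse_constructed(3000, &t);  /* beyond the buffer: flagged, not smashed */
    return printf("parsed %d chars, truncated=%d\n", len, t) < 0;
}
```

A 287-character name (the longest reported in the issue) fits with room to spare; a name past 2047 characters is clipped at the bound and reported as truncated rather than smashing the stack.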

Successfully merging this pull request may close these issues.

biosnoop fails w/ stack smashing detected