From 44aefc87779c6f5d3e6b2cac534f3c07f7f337f6 Mon Sep 17 00:00:00 2001
From: Johannes Schlatow
Date: Thu, 17 Feb 2022 12:01:03 +0100
Subject: [PATCH] trace_buffer: fix out-of-bounds read

The calculation in next() actually checked whether the current entry fitted into the buffer, not if another one fitted.
genodelabs/genode#4430
---
 repos/base/include/base/trace/buffer.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/repos/base/include/base/trace/buffer.h b/repos/base/include/base/trace/buffer.h
index 0dfb38b6d9..25d7c875f1 100644
--- a/repos/base/include/base/trace/buffer.h
+++ b/repos/base/include/base/trace/buffer.h
@@ -170,7 +170,7 @@ class Genode::Trace::Buffer
 if (entry.length() == 0) return Entry(0);
- addr_t const offset = (addr_t)entry._entry - (addr_t)_entries;
+ addr_t const offset = (addr_t)entry.data() - (addr_t)_entries;
 if (offset + entry.length() + sizeof(_Entry) > _size) return Entry(0);
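Review bot: The bounds check `offset + entry.length() + sizeof(_Entry) > _size` on the new side still uses unchecked addition, so a very large `entry.length()` could wrap the sum and pass the comparison; whether that can happen depends on the type of the length field and on who is able to write the buffer, neither of which is visible in this hunk. If the entries live in memory filled by a less-trusted component, a subtraction-based form avoids the wrap, e.g. `if (offset > _size || entry.length() > _size - offset || sizeof(_Entry) > _size - offset - entry.length()) return Entry(0);`. A short comment above the `offset` line saying that it is the payload offset, so that `offset + entry.length()` is where the next header would start, would help keep the `_entry`/`data()` mix-up from coming back. The body of next() begins and ends outside the hunk.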