fix: harden ebpf snprintf handling (#11755)

* fix: harden ebpf snprintf handling

Fix incorrect snprintf/vsnprintf return-value semantics in eBPF user-space code.

Add safe_snprintf/safe_vsnprintf helpers that consistently return the actual written length, and avoid treating snprintf's intended output length as the actual written length when it is later used for:
- offset accumulation
- remaining buffer size calculation
- send length propagation

Also fix the affected paths in:
- log message assembly
- Java symbol collection and log sending
- stringifier string assembly
- socket datadump/http2/grpc/io-event formatting
- agent so path construction under target namespaces

Also fix one case where a dynamic string was used directly as a format string.

* test: add safe snprintf regression coverage

Add a focused eBPF test that compares snprintf and safe_snprintf for exact-fit, truncation, and offset-accumulation cases.

Also fix the socket datadump branch structure around safe_snprintf usage so the remaining-length calculation and write stay in the same conditional branch.

* fix: finish ebpf snprintf follow-up

Switch the remaining stack-trace string assembly in profile_common.c
from offset-based snprintf accumulation to safe_snprintf, and avoid
using map_name directly as a format string in tracer.c.

Also include the current ebpf test Makefile updates in this follow-up.
Conflicts:
	agent/src/ebpf/test/Makefile

Author: yinjiping

agent/src/ebpf/test/Makefile

@@ -24,7 +24,7 @@ ARCH ?= $(shell uname -m)
 CC ?= gcc
 CFLAGS ?= -std=gnu99 --static -g -O2 -ffunction-sections -fdata-sections -fPIC -fno-omit-frame-pointer -Wall -Wno-sign-compare -Wno-unused-parameter -Wno-missing-field-initializers
 
-EXECS := test_symbol test_offset test_insns_cnt test_bihash test_vec test_fetch_container_id test_parse_range test_set_ports_bitmap test_pid_check test_match_pids
+EXECS := test_symbol test_offset test_insns_cnt test_bihash test_vec test_fetch_container_id test_parse_range test_set_ports_bitmap test_match_pids test_safe_snprintf
 ifeq ($(ARCH), x86_64)
 #-lbcc -lstdc++
         LDLIBS += ../libtrace.a ./libtrace_utils.a -ljattach -lbcc_bpf -lGoReSym -lbddisasm -ldwarf -lelf -lz -lpthread -lbcc -lstdc++ -ldl -lm
@@ -38,7 +38,7 @@ all: $(EXECS) libtrace_utils.a
 	$(call msg,TEST,$@)
 	echo "$(Q)$(CC) $(CFLAGS) -o $@ $^ $(LDLIBS)"
 	$(Q)$(CC) $(CFLAGS) -o $@ $^ $(LDLIBS)
-#	$(Q)./$@
+	$(Q)./$@
 
 libtrace_utils.a:
 	$(Q)cargo rustc -p trace-utils --crate-type=staticlib

agent/src/ebpf/test/test_safe_snprintf.c

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2026 Yunshan Networks
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "../user/utils.h"
+
+static int check_exact_fill(void)
+{
+	char raw[6] = { 0 };
+	char safe[6] = { 0 };
+	int raw_len = snprintf(raw, sizeof(raw), "%s", "hello");
+	size_t safe_len = safe_snprintf(safe, sizeof(safe), "%s", "hello");
+
+	if (raw_len != 5 || safe_len != 5) {
+		printf("exact fill length mismatch: raw=%d safe=%zu\n",
+		       raw_len, safe_len);
+		return -1;
+	}
+
+	if (strcmp(raw, "hello") != 0 || strcmp(safe, "hello") != 0) {
+		printf("exact fill buffer mismatch: raw=\"%s\" safe=\"%s\"\n",
+		       raw, safe);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int check_truncation(void)
+{
+	char raw[4] = { 0 };
+	char safe[4] = { 0 };
+	int raw_len = snprintf(raw, sizeof(raw), "%s", "hello");
+	size_t safe_len = safe_snprintf(safe, sizeof(safe), "%s", "hello");
+
+	if (raw_len != 5) {
+		printf("unexpected raw truncation length: %d\n", raw_len);
+		return -1;
+	}
+
+	if (safe_len != sizeof(safe) - 1) {
+		printf("unexpected safe truncation length: %zu\n", safe_len);
+		return -1;
+	}
+
+	if (strcmp(raw, "hel") != 0 || strcmp(safe, "hel") != 0) {
+		printf("truncation buffer mismatch: raw=\"%s\" safe=\"%s\"\n",
+		       raw, safe);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int check_offset_accumulation(void)
+{
+	char raw[4] = { 0 };
+	char safe[4] = { 0 };
+	int raw_len = 0;
+	size_t safe_len = 0;
+
+	raw_len += snprintf(raw + raw_len, sizeof(raw) - raw_len, "%s", "hello");
+	safe_len += safe_snprintf(safe + safe_len,
+				  (int64_t)sizeof(safe) - (int64_t)safe_len,
+				  "%s", "hello");
+
+	if (raw_len < sizeof(raw)) {
+		printf("raw offset unexpectedly remained in bounds: %d\n", raw_len);
+		return -1;
+	}
+
+	if (safe_len >= sizeof(safe)) {
+		printf("safe offset escaped buffer: %zu\n", safe_len);
+		return -1;
+	}
+
+	if (safe_len != sizeof(safe) - 1 || strcmp(safe, "hel") != 0) {
+		printf("safe offset accumulation mismatch: len=%zu buf=\"%s\"\n",
+		       safe_len, safe);
+		return -1;
+	}
+
+	/*
+	 * The next append would be unsafe with raw_len because it already exceeds
+	 * the valid offset range after truncation. safe_len remains a valid offset.
+	 */
+	safe_len += safe_snprintf(safe + safe_len,
+				  (int64_t)sizeof(safe) - (int64_t)safe_len,
+				  "%s", "!");
+	if (safe_len != sizeof(safe) - 1 || strcmp(safe, "hel") != 0) {
+		printf("safe follow-up append changed truncated buffer: len=%zu buf=\"%s\"\n",
+		       safe_len, safe);
+		return -1;
+	}
+
+	return 0;
+}
+
+int main(void)
+{
+	if (check_exact_fill() != 0)
+		return -1;
+
+	if (check_truncation() != 0)
+		return -1;
+
+	if (check_offset_accumulation() != 0)
+		return -1;
+
+	printf("[OK]\n");
+	return 0;
+}

agent/src/ebpf/user/log.c

@@ -22,6 +22,7 @@
 #include <stdlib.h>
 #include <time.h>
 #include "log.h"
+#include "utils.h"
 
 #include "trace_utils.h"
 
@@ -81,7 +82,7 @@ __attribute__((weak)) void rust_info_wrapper(char *msg)
 	printf("%s\n", msg);
 }
 
-static char *dispatch_message(char *msg, uint16_t len)
+static char *dispatch_message(char *msg, size_t len)
 {
 	if (!msg || len < 1)
 		return msg;
@@ -96,28 +97,38 @@ void _ebpf_error(int how_to_die, char *function_name, char *file_path,
 		 uint32_t line_number, char *fmt, ...)
 {
 	char msg[MSG_SZ] = {};
-	uint16_t len = 0;
-	uint16_t max = MSG_SZ;
+	size_t len = 0;
+	int64_t remaining;
 	va_list va;
 
 	if (function_name) {
+		remaining = (int64_t)sizeof(msg) - (int64_t)len;
 		if (how_to_die & ERROR_WARNING) {
-			len += snprintf(msg + len, max - len, "[eBPF] WARN func %s()", function_name);
+			len += safe_snprintf(msg + len, remaining,
+					     "[eBPF] WARN func %s()",
+					     function_name);
 		} else {
-			len += snprintf(msg + len, max - len, "[eBPF] ERROR func %s()", function_name);
+			len += safe_snprintf(msg + len, remaining,
+					     "[eBPF] ERROR func %s()",
+					     function_name);
+		}
+		if (line_number > 0) {
+			remaining = (int64_t)sizeof(msg) - (int64_t)len;
+			len += safe_snprintf(msg + len, remaining, " [%s:%u] ",
+					     file_path, line_number);
 		}
-		if (line_number > 0)
-			len +=
-			    snprintf(msg + len, max - len, " [%s:%u] ",
-				     file_path, line_number);
 	}
 #ifdef HAVE_ERRNO
-	if (how_to_die & ERROR_ERRNO_VALID)
-		len += snprintf(msg + len, max - len,
-				": %s (errno %d)", strerror(errno), errno);
+	if (how_to_die & ERROR_ERRNO_VALID) {
+		remaining = (int64_t)sizeof(msg) - (int64_t)len;
+		len += safe_snprintf(msg + len, remaining,
+				     ": %s (errno %d)", strerror(errno),
+				     errno);
+	}
 #endif
 	va_start(va, fmt);
-	len += vsnprintf(msg + len, max - len, fmt, va);
+	remaining = (int64_t)sizeof(msg) - (int64_t)len;
+	len += safe_vsnprintf(msg + len, remaining, fmt, va);
 	va_end(va);
 
 	dispatch_message(msg, len);
@@ -131,17 +142,19 @@ void _ebpf_error(int how_to_die, char *function_name, char *file_path,
 void _ebpf_info(char *fmt, ...)
 {
 	char msg[MSG_SZ] = {};
-	uint16_t len = 0;
-	uint16_t max = MSG_SZ;
+	size_t len = 0;
+	int64_t remaining;
 	va_list va;
 
-	len += snprintf(msg + len, max - len, "[eBPF] INFO ");
+	remaining = (int64_t)sizeof(msg) - (int64_t)len;
+	len += safe_snprintf(msg + len, remaining, "[eBPF] INFO ");
 
 	va_start(va, fmt);
-	len += vsnprintf(msg + len, max - len, fmt, va);
+	remaining = (int64_t)sizeof(msg) - (int64_t)len;
+	len += safe_vsnprintf(msg + len, remaining, fmt, va);
 	va_end(va);
-	if (msg[len - 1] != '\n') {
-		if (len < max)
+	if (len > 0 && msg[len - 1] != '\n') {
+		if (len < sizeof(msg))
 			msg[len++] = '\n';
 		else
 			msg[len - 1] = '\n';
@@ -165,16 +178,23 @@ void _ebpf_log(int how_to_die, char *function_name, char *file_path,
 {
     char msg[MSG_SZ] = {};
     va_list va;
+    int ret;
+    size_t len;
 
     va_start(va, fmt);
-    uint16_t len = vsnprintf(msg, MSG_SZ, fmt, va);
+    ret = vsnprintf(msg, MSG_SZ, fmt, va);
     va_end(va);
 
+	if (ret < 0) {
+		len = 0;
+	} else {
+		len = ret;
+	}
 	if (len >= MSG_SZ) {
 		len = MSG_SZ - 1;
 	}
 	// remove trailing newline if any
-	if (msg[len - 1] == '\n') {
+	if (len > 0 && msg[len - 1] == '\n') {
 		msg[len - 1] = '\0';
 	}
 

agent/src/ebpf/user/profile/java/jvm_symbol_collect.c

@@ -1221,6 +1221,12 @@ static int copy_agent_libs_into_target_ns(pid_t target_pid, int target_uid,
 	char copy_target_path[MAX_PATH_LENGTH];
 	int len = snprintf(copy_target_path, sizeof(copy_target_path),
 			   TARGET_NS_STORAGE_PATH, target_pid);
+	if (len < 0 || len >= sizeof(copy_target_path)) {
+		ebpf_warning(JAVA_LOG_TAG
+			     "Fun %s target ns path is too long for pid %d\n",
+			     __func__, target_pid);
+		return ETR_INVAL;
+	}
 	if (access(copy_target_path, F_OK)) {
 		/*
 		 * The purpose of umask(0); is to set the current process's file
@@ -1240,8 +1246,9 @@ static int copy_agent_libs_into_target_ns(pid_t target_pid, int target_uid,
 		}
 	}
 
-	snprintf(copy_target_path + len, sizeof(copy_target_path) - len,
-		 "/%s", AGENT_LIB_NAME);
+	safe_snprintf(copy_target_path + len,
+		      (int64_t)sizeof(copy_target_path) - len, "/%s",
+		      AGENT_LIB_NAME);
 	if ((ret =
 	     agent_so_lib_copy(AGENT_LIB_SRC_PATH,
 			       copy_target_path, target_uid,
@@ -1251,8 +1258,9 @@ static int copy_agent_libs_into_target_ns(pid_t target_pid, int target_uid,
 		return ret;
 	}
 
-	snprintf(copy_target_path + len, sizeof(copy_target_path) - len,
-		 "/%s", AGENT_MUSL_LIB_NAME);
+	safe_snprintf(copy_target_path + len,
+		      (int64_t)sizeof(copy_target_path) - len, "/%s",
+		      AGENT_MUSL_LIB_NAME);
 
 	if ((ret =
 	     agent_so_lib_copy(AGENT_MUSL_LIB_SRC_PATH,

agent/src/ebpf/user/profile/java/symbol_collect_agent.c

@@ -39,6 +39,7 @@
 #include <jvmticmlr.h>
 
 #include "../../config.h"
+#include "../../utils.h"
 #include "config.h"
 
 #define LOG_BUF_SZ 512
@@ -80,7 +81,7 @@ jint close_files(void);
   do {                                            \
 	if (perf_map_log_socket_fd > 0) { \
 		char str_buf[LOG_BUF_SZ]; \
-		int n = snprintf(str_buf, sizeof(str_buf), format, ##__VA_ARGS__); \
+		size_t n = safe_snprintf(str_buf, sizeof(str_buf), format, ##__VA_ARGS__); \
 	        pthread_mutex_lock(&g_df_lock);	 \
 	        send_msg(perf_map_log_socket_fd, str_buf, n); \
 	        pthread_mutex_unlock(&g_df_lock); \

agent/src/ebpf/user/profile/profile_common.c

@@ -1110,27 +1110,31 @@ static void aggregate_stack_traces(struct profiler_context *ctx,
 
 			char *msg_str = (char *)&msg->data[0];
 			int offset = 0;
+			int64_t remaining;
 			if (matched) {
-				offset +=
-				    snprintf(msg_str + offset, str_len - offset,
-					     "%s%s;", pre_tag, v->comm);
+				remaining = (int64_t)str_len - offset;
+				offset += safe_snprintf(msg_str + offset,
+							remaining, "%s%s;",
+							pre_tag, v->comm);
 			}
-			offset +=
-			    snprintf(msg_str + offset, str_len - offset, "%s",
-				     trace_str);
+			remaining = (int64_t)str_len - offset;
+			offset += safe_snprintf(msg_str + offset, remaining, "%s",
+						trace_str);
 			if (ctx->type == PROFILER_TYPE_MEMORY && v->memory.class_id != 0) {
 				if (class_name) {
-					offset +=
-					    snprintf(msg_str + offset,
-						     str_len - offset, ";%s",
-						     class_name);
+					remaining = (int64_t)str_len - offset;
+					offset += safe_snprintf(msg_str + offset,
+								remaining,
+								";%s",
+								class_name);
 					clib_mem_free(class_name);
 					class_name = NULL;
 				} else {
-					offset +=
-					    snprintf(msg_str + offset,
-						     str_len - offset, ";%s",
-						     UNKNOWN_JAVA_SYMBOL_STR);
+					remaining = (int64_t)str_len - offset;
+					offset += safe_snprintf(msg_str + offset,
+								remaining,
+								";%s",
+								UNKNOWN_JAVA_SYMBOL_STR);
 				}
 			}