| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Feb 2017 15:20:59 +0900
From: Namhyung Kim <namhyung@...nel.org>
To: Steven Rostedt <rostedt@...dmis.org>
CC: LKML <linux-kernel@...r.kernel.org>,
Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Ingo Molnar <mingo@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [RFC][PATCH] tracing: Have traceprobe_probes_write() not access
userspace unnecessarily
On Thu, Feb 09, 2017 at 06:04:58PM -0500, Steven Rostedt wrote:
>
> The code in traceprobe_probes_write() reads up to 4096 bytes from userpace
> for each line. If userspace passes in several lines to execute, the code
> will do a large read for each line, even though, it is highly likely that
> the first read from userspace received all of the lines at one.
>
> I changed the logic to do a single read from userspace, and to only read
> from userspace again if not all of the read from userspace made it in.
>
> I tested this by adding printk()s and writing files that would test -1, ==,
> and +1 the buffer size, to make sure that there's no overflows and that if a
> single line is written with +1 the buffer size, that it fails properly.
>
> Signed-off-by: Steven Rostedt (VMware) <rostedt@...dmis.org>
Acked-by: Namhyung Kim <namhyung@...nel.org>
Thanks,
Namhyung
> ---
> kernel/trace/trace_probe.c | 48 ++++++++++++++++++++++++++++------------------
> 1 file changed, 29 insertions(+), 19 deletions(-)
>
> diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
> index 8c0553d..2a06f1f 100644
> --- a/kernel/trace/trace_probe.c
> +++ b/kernel/trace/trace_probe.c
> @@ -647,7 +647,7 @@ ssize_t traceprobe_probes_write(struct file *file, const char __user *buffer,
> size_t count, loff_t *ppos,
> int (*createfn)(int, char **))
> {
> - char *kbuf, *tmp;
> + char *kbuf, *buf, *tmp;
> int ret = 0;
> size_t done = 0;
> size_t size;
> @@ -667,27 +667,37 @@ ssize_t traceprobe_probes_write(struct file *file, const char __user *buffer,
> goto out;
> }
> kbuf[size] = '\0';
> - tmp = strchr(kbuf, '\n');
> + buf = kbuf;
> + do {
> + tmp = strchr(buf, '\n');
> + if (tmp) {
> + *tmp = '\0';
> + size = tmp - buf + 1;
> + } else {
> + size = strlen(buf);
> + if (done + size < count) {
> + if (buf != kbuf)
> + break;
> + pr_warn("Line length is too long: Should be less than %d\n",
> + WRITE_BUFSIZE);
> + ret = -EINVAL;
> + goto out;
> + }
> + }
> + done += size;
>
> - if (tmp) {
> - *tmp = '\0';
> - size = tmp - kbuf + 1;
> - } else if (done + size < count) {
> - pr_warn("Line length is too long: Should be less than %d\n",
> - WRITE_BUFSIZE);
> - ret = -EINVAL;
> - goto out;
> - }
> - done += size;
> - /* Remove comments */
> - tmp = strchr(kbuf, '#');
> + /* Remove comments */
> + tmp = strchr(buf, '#');
>
> - if (tmp)
> - *tmp = '\0';
> + if (tmp)
> + *tmp = '\0';
>
> - ret = traceprobe_command(kbuf, createfn);
> - if (ret)
> - goto out;
> + ret = traceprobe_command(buf, createfn);
> + if (ret)
> + goto out;
> + buf += size;
> +
> + } while (done < count);
> }
> ret = done;
>
> --
> 2.9.3
>
Powered by blists - more mailing lists