lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181103091754.33189927@vmware.local.home>
Date:   Sat, 3 Nov 2018 09:17:54 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [BUGFIX PATCH] tracing/kprobes: Fix strpbrk() argument order

On Sat, 3 Nov 2018 20:54:48 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> On Fri, 2 Nov 2018 09:54:24 -0400
> Steven Rostedt <rostedt@...dmis.org> wrote:
> 
> > On Fri, 2 Nov 2018 16:14:59 +0900
> > Masami Hiramatsu <mhiramat@...nel.org> wrote:
> >   
> > > On Thu, 1 Nov 2018 15:10:14 -0400
> > > Steven Rostedt <rostedt@...dmis.org> wrote:
> > >   
> > > > On Thu,  1 Nov 2018 23:29:28 +0900
> > > > Masami Hiramatsu <mhiramat@...nel.org> wrote:
> > > >     
> > > > > Fix strpbrk()'s argument order, it must pass acceptable string
> > > > > in 2nd argument. Note that this can cause a kernel panic where
> > > > > it recovers backup character to code->data.
> > > > > 
> > > > > Fixes: a6682814f371 ("tracing/kprobes: Allow kprobe-events to record module symbol")
> > > > > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>    
> > > > 
> > > > Thanks Masami,
> > > > 
> > > > I'm pulling this and starting to test it.    
> > > 
> > > Thank you! I still couldn't believe how this bug passed through the tests...  
> > 
> > I am too. I'm running tests with and without this patch, and the patch
> > doesn't appear to be making much difference.  
> 
> Maybe traceprobe_free_probe_arg() is silently failed.

I don't see how.

> 
> > 
> > Then I tested with this:
> > 
> > diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
> > index 3ef15a6683c0..4ddafddf1343 100644
> > --- a/kernel/trace/trace_probe.c
> > +++ b/kernel/trace/trace_probe.c
> > @@ -516,6 +516,7 @@ void traceprobe_free_probe_arg(struct probe_arg
> > *arg) kfree(code->data);
> >  		code++;
> >  	}
> > +	printk("free arg->code %s\n", arg->code);
> >  	kfree(arg->code);
> >  	kfree(arg->name);
> >  	kfree(arg->comm);
> > @@ -535,11 +536,15 @@ int traceprobe_update_arg(struct probe_arg *arg)
> >  			if (code[1].op != FETCH_OP_IMM)
> >  				return -EINVAL;
> >  
> > +			tmp = strpbrk(code->data, "+-");
> > +			printk("first tmp tmp=%s\n", tmp);
> >  			tmp = strpbrk("+-", code->data);
> > +			printk("second tmp=%s data=%s\n", tmp,
> > code->data); if (tmp)
> >  				c = *tmp;
> >  			ret =
> > traceprobe_split_symbol_offset(code->data, &offset);
> > +			printk("third data=%s\n", code->data);
> >  			if (ret)
> >  				return ret;
> >  
> > @@ -547,6 +552,7 @@ int traceprobe_update_arg(struct probe_arg *arg)
> >  				(unsigned
> > long)kallsyms_lookup_name(code->data); if (tmp)
> >  				*tmp = c;
> > +			printk("forth data=%s\n", code->data);
> >  			if (!code[1].immediate)
> >  				return -ENOENT;
> >  			code[1].immediate += offset;
> > 
> > And I don't see where that code->data is used elsewhere. That is, why
> > even bother saving the character?  
> 
> Would you mean parsing the symbol+offs every time is useless?
> It needs to solve the symbol address always because  traceprobe_update_arg
> is called when new symbols added on the kernel (by loading modules).

OK, so it is called multiple times? That is when a module is loaded?
Because I couldn't get this called multiple times.

I'll try that out and if that's the case, then yeah, this needs to be
fixed (otherwise, I was thinking we could just remove the strpbrk()
altogether).


> 
> Hmm, maybe I can introduce a struct like 
> 
> struct symbol_offset {
> 	long offset;
> 	char symbol[];
> };
> 
> and use it instead of parsing the symbol+offset always.

The parsing should be fine. The issue I had was that I couldn't trigger
it to happen more than once. That's why this passed testing. We didn't
do something that required it to be called more than once and that is
here the bug would trigger.

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ