lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 14 Jan 2019 10:42:24 -0500
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     Andrea Righi <righi.andrea@...il.com>,
        Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH v2] tracing/kprobes: fix NULL pointer dereference in
 trace_kprobe_create()

On Fri, 11 Jan 2019 22:45:59 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> On Fri, 11 Jan 2019 07:01:13 +0100
> Andrea Righi <righi.andrea@...il.com> wrote:
> 
> > It is possible to trigger a NULL pointer dereference by writing an
> > incorrectly formatted string to krpobe_events (trying to create a
> > kretprobe omitting the symbol).
> > 
> > Example:
> > 
> >  echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events
> > 
> > That triggers this:
> > 
> >  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> >  #PF error: [normal kernel read fault]
> >  PGD 0 P4D 0
> >  Oops: 0000 [#1] SMP PTI
> >  CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
> >  Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
> >  RIP: 0010:kstrtoull+0x2/0x20
> >  Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
> >  RSP: 0018:ffffb5d482e57cb8 EFLAGS: 00010246
> >  RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff82b12720
> >  RDX: ffffb5d482e57cf8 RSI: 0000000000000000 RDI: 0000000000000000
> >  RBP: ffffb5d482e57d70 R08: ffffa0c05e5a7080 R09: ffffa0c05e003980
> >  R10: 0000000000000000 R11: 0000000040000000 R12: ffffa0c04fe87b08
> >  R13: 0000000000000001 R14: 000000000000000b R15: ffffa0c058d749e1
> >  FS:  00007f137c7f7740(0000) GS:ffffa0c05e580000(0000) knlGS:0000000000000000
> >  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >  CR2: 0000000000000000 CR3: 0000000497d46004 CR4: 00000000003606e0
> >  Call Trace:
> >   ? trace_kprobe_create+0xb6/0x840
> >   ? _cond_resched+0x19/0x40
> >   ? _cond_resched+0x19/0x40
> >   ? __kmalloc+0x62/0x210
> >   ? argv_split+0x8f/0x140
> >   ? trace_kprobe_create+0x840/0x840
> >   ? trace_kprobe_create+0x840/0x840
> >   create_or_delete_trace_kprobe+0x11/0x30
> >   trace_run_command+0x50/0x90
> >   trace_parse_run_command+0xc1/0x160
> >   probes_write+0x10/0x20
> >   __vfs_write+0x3a/0x1b0
> >   ? apparmor_file_permission+0x1a/0x20
> >   ? security_file_permission+0x31/0xf0
> >   ? _cond_resched+0x19/0x40
> >   vfs_write+0xb1/0x1a0
> >   ksys_write+0x55/0xc0
> >   __x64_sys_write+0x1a/0x20
> >   do_syscall_64+0x5a/0x120
> >   entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > 
> > Fix by doing the proper argument checks in trace_kprobe_create().  
> 
> Thank you Andrea!
> 
> Acked-by: Masami Hiramatsu <mhiramat@...nel.org>
> 

I've applied it and will be testing it now. Thanks!

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ