[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190123034005.2b49e4fe@vmware.local.home>
Date: Wed, 23 Jan 2019 03:40:05 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Andreas Ziegler <andreas.ziegler@....de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for
uprobe events
On Fri, 18 Jan 2019 13:44:25 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:
> Since commit 533059281ee5 ("tracing: probeevent: Introduce new
> argument fetching code") dropped the $comm support from uprobe
> events, this re-enables it.
>
> For $comm support, uses strlcpy() instead of strncpy_from_user()
> to copy current task's comm. Because it is in the kernel space,
> strncpy_from_user() always fails to copy the comm.
> This also uses strlen() instead of strnlen_user() to measure the
> length of the comm.
>
> Fixes: 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code")
> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> Reported-by: Andreas Ziegler <andreas.ziegler@....de>
> Acked-by: Andreas Ziegler <andreas.ziegler@....de>
> ---
> kernel/trace/trace_uprobe.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 3a1d5ab6b4ba..b07e498ccbc6 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -156,7 +156,10 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
> if (unlikely(!maxlen))
> return -ENOMEM;
>
> - ret = strncpy_from_user(dst, src, maxlen);
> + if (addr == (unsigned long)current->comm)
> + ret = strlcpy(dst, current->comm, maxlen);
As user space (although only root) defines the size of the event being
stored, and we could trick addr to be current->comm (although
difficult), we could possibly leak data if maxlen is > TASK_COMM_LEN. I
would feel better if we tested maxlen against TASK_COMM_LEN in this
case.
if (maxlen > TASK_COMM_LEN)
maxlen = TASK_COMM_LEN;
Or if we don't think it can happen, add a WARN_ON(maxlen >
TASK_COMM_LEN).
-- Steve
> + else
> + ret = strncpy_from_user(dst, src, maxlen);
> if (ret >= 0) {
> if (ret == maxlen)
> dst[ret - 1] = '\0';
> @@ -180,7 +183,12 @@ fetch_store_strlen(unsigned long addr)
> int len;
> void __user *vaddr = (void __force __user *) addr;
>
> - len = strnlen_user(vaddr, MAX_STRING_SIZE);
> + if (addr == (unsigned long)current->comm) {
> + len = strlen(current->comm);
> + if (len)
> + len++;
> + } else
> + len = strnlen_user(vaddr, MAX_STRING_SIZE);
>
> return (len > MAX_STRING_SIZE) ? 0 : len;
> }
> @@ -220,6 +228,9 @@ process_fetch_insn(struct fetch_insn *code, struct pt_regs *regs, void *dest,
> case FETCH_OP_IMM:
> val = code->immediate;
> break;
> + case FETCH_OP_COMM:
> + val = (unsigned long)current->comm;
> + break;
> case FETCH_OP_FOFFS:
> val = translate_user_vaddr(code->immediate);
> break;
Powered by blists - more mailing lists