[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190124104322.29e62ee0024c77a40110d569@kernel.org>
Date: Thu, 24 Jan 2019 10:43:22 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Andreas Ziegler <andreas.ziegler@....de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for
uprobe events
On Wed, 23 Jan 2019 03:40:05 -0500
Steven Rostedt <rostedt@...dmis.org> wrote:
> On Fri, 18 Jan 2019 13:44:25 +0900
> Masami Hiramatsu <mhiramat@...nel.org> wrote:
>
> > Since commit 533059281ee5 ("tracing: probeevent: Introduce new
> > argument fetching code") dropped the $comm support from uprobe
> > events, this re-enables it.
> >
> > For $comm support, uses strlcpy() instead of strncpy_from_user()
> > to copy current task's comm. Because it is in the kernel space,
> > strncpy_from_user() always fails to copy the comm.
> > This also uses strlen() instead of strnlen_user() to measure the
> > length of the comm.
> >
> > Fixes: 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code")
> > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > Reported-by: Andreas Ziegler <andreas.ziegler@....de>
> > Acked-by: Andreas Ziegler <andreas.ziegler@....de>
> > ---
> > kernel/trace/trace_uprobe.c | 15 +++++++++++++--
> > 1 file changed, 13 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> > index 3a1d5ab6b4ba..b07e498ccbc6 100644
> > --- a/kernel/trace/trace_uprobe.c
> > +++ b/kernel/trace/trace_uprobe.c
> > @@ -156,7 +156,10 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
> > if (unlikely(!maxlen))
> > return -ENOMEM;
> >
> > - ret = strncpy_from_user(dst, src, maxlen);
> > + if (addr == (unsigned long)current->comm)
> > + ret = strlcpy(dst, current->comm, maxlen);
>
> As user space (although only root) defines the size of the event being
> stored, and we could trick addr to be current->comm (although
> difficult), we could possibly leak data if maxlen is > TASK_COMM_LEN. I
> would feel better if we tested maxlen against TASK_COMM_LEN in this
> case.
>
> if (maxlen > TASK_COMM_LEN)
> maxlen = TASK_COMM_LEN;
>
> Or if we don't think it can happen, add a WARN_ON(maxlen >
> TASK_COMM_LEN).
Hmm, I thought current->comm is null terminated, isn't it?
Anyway, if user can specify current->comm, he must be able to specify
current->comm + TASK_COMM_LEN too by kprobe_events.
Moreover, it can leak any data in kernel...
And also, maxlen is calculated by fetch_store_strlen, right before
this has been called.
I rather concern the case that if we have shorter size of maxlen than
current->comm. Would we better show "(fault)" or tail-cut name ?
(of course this is very difficult to happen, since the length is
already checked.)
Thank you,
>
> -- Steve
>
>
> > + else
> > + ret = strncpy_from_user(dst, src, maxlen);
> > if (ret >= 0) {
> > if (ret == maxlen)
> > dst[ret - 1] = '\0';
> > @@ -180,7 +183,12 @@ fetch_store_strlen(unsigned long addr)
> > int len;
> > void __user *vaddr = (void __force __user *) addr;
> >
> > - len = strnlen_user(vaddr, MAX_STRING_SIZE);
> > + if (addr == (unsigned long)current->comm) {
> > + len = strlen(current->comm);
> > + if (len)
> > + len++;
> > + } else
> > + len = strnlen_user(vaddr, MAX_STRING_SIZE);
> >
> > return (len > MAX_STRING_SIZE) ? 0 : len;
> > }
> > @@ -220,6 +228,9 @@ process_fetch_insn(struct fetch_insn *code, struct pt_regs *regs, void *dest,
> > case FETCH_OP_IMM:
> > val = code->immediate;
> > break;
> > + case FETCH_OP_COMM:
> > + val = (unsigned long)current->comm;
> > + break;
> > case FETCH_OP_FOFFS:
> > val = translate_user_vaddr(code->immediate);
> > break;
>
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists