[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAA-qYXhSrMkGXQ69TyC9pOuGO1dCznxw6PU4LTjxLaDKz09iLA@mail.gmail.com>
Date: Fri, 21 May 2021 22:32:20 +0800
From: Jinmeng Zhou <jjjinmeng.zhou@...il.com>
To: rostedt@...dmis.org, mingo@...hat.com
Cc: shenwenbosmile@...il.com, linux-kernel@...r.kernel.org
Subject: A missing security check bug in trace_format_open().
Dear maintainers,
hi, our team has found a missing check bug on Linux kernel v5.10.7
using static analysis. There is a missing security check bug in
trace_format_open() before calling function seq_open().
Function profile_open() checks security_locked_down() before the
critical function seq_open().
1. //check security_locked_down() ///////////////////////
2. static int profile_open(struct inode *inode, struct file *file)
3. {
4. int ret;
5. ret = security_locked_down(LOCKDOWN_TRACEFS);
6. if (ret)
7. return ret;
8. return seq_open(file, &profile_seq_op);
9. }
While trace_format_open() does not call this check,
security_locked_down(), and the parameters of calling seq_open() are
similar.
1. static int trace_format_open(struct inode *inode, struct file *file)
2. {
3. struct seq_file *m;
4. int ret;
5.
6. /* Do we want to hide event format files on tracefs lockdown? */
7.
8. ret = seq_open(file, &trace_format_seq_ops);
9. if (ret < 0)
10. return ret;
11.
12. m = file->private_data;
13. m->private = file;
14.
15. return 0;
16. }
Both functions are assigned to the same struct type and field.
1. static const struct file_operations kprobe_profile_ops = {
2. …
3. .open = profile_open,
4. …
5. };
6. static const struct file_operations ftrace_event_format_fops = {
7. …
8. .open = trace_format_open,
9. …
10. };
In conclusion, we assume that these functions work in the same way.
However, it is not appropriate that one function is called without
checking.
Thanks!
Best regards,
Jinmeng Zhou
Powered by blists - more mailing lists