Date: Tue, 17 May 2022 01:05:17 +0200
From: Eugene Syromiatnikov <esyr@...hat.com>
To: Jiri Olsa <jolsa@...nel.org>, Masami Hiramatsu <mhiramat@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, Ingo Molnar <mingo@...hat.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>
Cc: Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, netdev@...r.kernel.org, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, Shuah Khan <shuah@...nel.org>, linux-kselftest@...r.kernel.org
Subject: [PATCH bpf v2 3/4] bpf_trace: handle compat in kprobe_multi_resolve_syms

For compat processes, userspace pointer size is different. Since the copied array is iterated anyway, the simplest fix seems to be to copy the user-supplied array as-is and then iterate as an array of native or compat pointers, depending on the in_compat_syscall() value.

Fixes: 0dcac272540613d4 ("bpf: Add multi kprobe link")
Signed-off-by: Eugene Syromiatnikov <esyr@...hat.com>
--- kernel/trace/bpf_trace.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index bf5bcfb..268c92b 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -2353,16 +2353,19 @@ kprobe_multi_resolve_syms(const void __user *usyms, u32 cnt, unsigned long *addrs) { unsigned long addr, sym_size; - u32 size; + u32 size, elem_size; const char __user **syms; + compat_uptr_t __user *compat_syms; int err = -ENOMEM; unsigned int i; char *func; - if (check_mul_overflow(cnt, (u32)sizeof(*syms), &size)) + elem_size = in_compat_syscall() ? sizeof(*compat_syms) : sizeof(*syms); + if (check_mul_overflow(cnt, elem_size, &size)) return -EOVERFLOW; - size = cnt * sizeof(*syms); + size = cnt * elem_size; syms = kvzalloc(size, GFP_KERNEL); + compat_syms = (void *)syms; if (!syms) return -ENOMEM; 
@@ -2376,7 +2379,10 @@ kprobe_multi_resolve_syms(const void __user *usyms, u32 cnt, } for (i = 0; i < cnt; i++) { - err = strncpy_from_user(func, syms[i], KSYM_NAME_LEN); + const char __user *ufunc = in_compat_syscall() + ? (char __user *)(uintptr_t)compat_syms[i] + : syms[i]; + err = strncpy_from_user(func, ufunc, KSYM_NAME_LEN); if (err == KSYM_NAME_LEN) err = -E2BIG; if (err < 0) -- 2.1.4
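Review bot: In the first hunk (the declarations and allocation in kprobe_multi_resolve_syms()), compat_syms is declared as `compat_uptr_t __user *`, but it aliases syms, the kernel buffer returned by kvzalloc(), so the __user annotation marks kernel memory as userspace and the later compat_syms[i] read will look like a direct user access to sparse. Declaring it as `compat_uptr_t *compat_syms;` matches what the buffer is; only the values stored in it are user pointers. Two smaller points in the same hunk: `size = cnt * elem_size;` repeats the product that check_mul_overflow() has already stored in size and could be dropped, and `compat_syms = (void *)syms;` would read more naturally after the `if (!syms)` check.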
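Review bot: In the second hunk (the strncpy_from_user() loop), the open-coded `(char __user *)(uintptr_t)compat_syms[i]` could be replaced with the kernel's compat_ptr() helper, which exists to turn a compat_uptr_t into a `void __user *` and keeps the conversion in one place. in_compat_syscall() is also evaluated on every iteration here and once more for elem_size in the earlier hunk; reading it once into a local bool would make it obvious that the element size and the element type used for indexing always agree. A one-line comment above the loop noting that the copied array holds either native or compat user pointers would help the next reader.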