| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1659910883-18223-2-git-send-email-alan.maguire@oracle.com>
Date: Sun, 7 Aug 2022 23:21:20 +0100
From: Alan Maguire <alan.maguire@...cle.com>
To: rostedt@...dmis.org
Cc: corbet@....net, mingo@...hat.com, shuah@...nel.org,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org,
Alan Maguire <alan.maguire@...cle.com>
Subject: [RFC tracing 1/4] tracing: predicate matching trigger crashes for > 8-byte arrays
The following (wrong) use of tracepoint filtering was enough to trigger
a null-pointer dereference crash:
cd /sys/kernel/debug/tracing
echo "saddr_v6 == 0x0100007f" > tcp/tcp_receive_reset/filter
echo 1 > tcp/tcp_receive_reset/enable
wget https://localhost
This works fine if saddr - a 4-byte array representing the source address -
is used instead.
Fix is to handle case where we encounter an unexpected size.
Signed-off-by: Alan Maguire <alan.maguire@...cle.com>
---
kernel/trace/trace_events_filter.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 4b1057ab9d96..65e01c8d48d9 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1490,6 +1490,11 @@ static int parse_pred(const char *str, void *data,
else {
pred->fn = select_comparison_fn(pred->op, field->size,
field->is_signed);
+ if (!pred->fn) {
+ parse_error(pe, FILT_ERR_ILLEGAL_FIELD_OP,
+ pos + i);
+ goto err_free;
+ }
if (pred->op == OP_NE)
pred->not = 1;
}
--
2.31.1
Powered by blists - more mailing lists