lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <d0a3ea62-e600-483c-a5d5-4584b9e464dd@huawei.com>
Date:   Mon, 14 Nov 2022 21:06:57 +0800
From:   Zheng Yejian <zhengyejian1@...wei.com>
To:     "Masami Hiramatsu (Google)" <mhiramat@...nel.org>
CC:     <rostedt@...dmis.org>, <linux-kernel@...r.kernel.org>,
        <linux-trace-kernel@...r.kernel.org>
Subject: Re: [PATCH] tracing: Fix potential null-pointer-access of entry in
 list 'tr->err_log'



On 2022/11/14 20:46, Masami Hiramatsu (Google) wrote:
> On Mon, 14 Nov 2022 18:46:32 +0800
> Zheng Yejian <zhengyejian1@...wei.com> wrote:
> 
>> Entries in list 'tr->err_log' will be reused after entry number
>> exceed TRACING_LOG_ERRS_MAX.
>>
>> The cmd string of the to be reused entry will be freed first then
>> allocated a new one. If the allocation failed, then the entry will
>> still be in list 'tr->err_log' but its 'cmd' field is set to be NULL,
>> later access of 'cmd' is risky.
>>
>> Currently above problem can cause the loss of 'cmd' information of first
>> entry in 'tr->err_log'. When execute `cat /sys/kernel/tracing/error_log`,
>> reproduce logs like:
>>    [   37.495100] trace_kprobe: error: Maxactive is not for kprobe(null) ^
>>    [   38.412517] trace_kprobe: error: Maxactive is not for kprobe
>>      Command: p4:myprobe2 do_sys_openat2
>>              ^
> 
> This looks good to me.
> 
> Acked-by: Masami Hiramatsu (Google) <mhiramat@...nel.org>

Thanks!

> 
> BTW, I'm interested in how did you reproduce it. Did you inject a memory
> allocation failure to reproduce it?

Yes. I happended to find this problem when I was looking at the code, 
then I inject an allocation failure to proof it.

> 
> Thank you,
> 
>>
>> Fixes: 1581a884b7ca ("tracing: Remove size restriction on tracing_log_err cmd strings")
>> Signed-off-by: Zheng Yejian <zhengyejian1@...wei.com>
>> ---
>>   kernel/trace/trace.c | 9 +++++----
>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
>> index 47a44b055a1d..5ae776598106 100644
>> --- a/kernel/trace/trace.c
>> +++ b/kernel/trace/trace.c
>> @@ -7802,6 +7802,7 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr,
>>   						   int len)
>>   {
>>   	struct tracing_log_err *err;
>> +	char *cmd;
>>   
>>   	if (tr->n_err_log_entries < TRACING_LOG_ERRS_MAX) {
>>   		err = alloc_tracing_log_err(len);
>> @@ -7810,12 +7811,12 @@ static struct tracing_log_err *get_tracing_log_err(struct trace_array *tr,
>>   
>>   		return err;
>>   	}
>> -
>> +	cmd = kzalloc(len, GFP_KERNEL);
>> +	if (!cmd)
>> +		return ERR_PTR(-ENOMEM);
>>   	err = list_first_entry(&tr->err_log, struct tracing_log_err, list);
>>   	kfree(err->cmd);
>> -	err->cmd = kzalloc(len, GFP_KERNEL);
>> -	if (!err->cmd)
>> -		return ERR_PTR(-ENOMEM);
>> +	err->cmd = cmd;
>>   	list_del(&err->list);
>>   
>>   	return err;
>> -- 
>> 2.25.1
>>
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ