| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Nov 2023 12:20:01 -0700
From: jim.cromie@...il.com
To: Łukasz Bartosik <lb@...ihalf.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Jason Baron <jbaron@...mai.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>,
Douglas Anderson <dianders@...omium.org>,
Guenter Roeck <groeck@...gle.com>,
Yaniv Tzoreff <yanivt@...gle.com>,
Benson Leung <bleung@...gle.com>,
Vincent Whitchurch <vincent.whitchurch@...s.com>,
Pekka Paalanen <ppaalanen@...il.com>,
Sean Paul <seanpaul@...omium.org>,
Daniel Vetter <daniel@...ll.ch>, linux-kernel@...r.kernel.org,
upstream@...ihalf.com
Subject: Re: [PATCH v1 04/12] dyndbg: add 2 trace-events: pr_debug, dev_dbg
On Fri, Nov 10, 2023 at 7:51 AM Łukasz Bartosik <lb@...ihalf.com> wrote:
>
> wt., 7 lis 2023 o 00:55 Steven Rostedt <rostedt@...dmis.org> napisał(a):
> >
> > On Fri, 3 Nov 2023 14:10:03 +0100
> > Łukasz Bartosik <lb@...ihalf.com> wrote:
> >
> > > +/* capture pr_debug() callsite descriptor and message */
> > > +TRACE_EVENT(prdbg,
> > > + TP_PROTO(const struct _ddebug *desc, const char *text, size_t len),
> > > +
> > > + TP_ARGS(desc, text, len),
> > > +
> > > + TP_STRUCT__entry(
> > > + __field(const struct _ddebug *, desc)
> > > + __dynamic_array(char, msg, len + 1)
> > > + ),
> > > +
> > > + TP_fast_assign(
> > > + __entry->desc = desc;
> > > + /*
> > > + * Each trace entry is printed in a new line.
> > > + * If the msg finishes with '\n', cut it off
> > > + * to avoid blank lines in the trace.
> > > + */
> > > + if (len > 0 && (text[len - 1] == '\n'))
> > > + len -= 1;
> > > +
> > > + memcpy(__get_str(msg), text, len);
> > > + __get_str(msg)[len] = 0;
> > > + ),
> > > +
> >
> >
> > > + TP_printk("%s.%s %s", __entry->desc->modname,
> > > + __entry->desc->function, __get_str(msg))
> > > +);
> > > +
> >
> > That TP_printk() is dangerous. How do you know __entry->desc still exists
> > when reading the buffer?
> >
> > Is the struct _ddebug permanent? Can it be freed? If so, the above can
> > easily cause a crash.
> >
>
> I assume that we're talking here about the scenario where TP prdbg is
> called and before TP_printk runs _ddebug pointer
> becomes invalid, is that correct ? If so then I believe this also
> applied to __dynamic_pr_debug and other dyndbg functions because there
> is also potential for _ddebug pointer to become invalid (in case of
> rrmod) before a function dereferences it.
>
> Would it be acceptable to increase reference count of a module and
> hold it until at least one callsite in that module is enabled ?
> This would ensure that passed pointer to a _ddebug struct is valid.
>
Im not understanding you, but I dont think its on-point -
a loadable module might write lots to trace-log, and each trace-entry
would have the descriptor address, with which it could deref and print 3 fields.
Then rmmod happens, all the module mem is freed, and reused for someth9ing else.
then someone cats trace, and the descriptor addrs are used to render
the tracelog.
BOOM.
> > -- Steve
Powered by blists - more mailing lists