lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240221201816.0d1e7829@gandalf.local.home>
Date: Wed, 21 Feb 2024 20:18:16 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Masami Hiramatsu
 <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Subject: [GIT PULL] tracing: Add ring buffer sub-buffer size check



Linus,

Tracing fix for v6.8:

- While working on the ring buffer I noticed that the counter used
  for knowing where the end of the data is on a sub-buffer was not
  a full "int" but just 20 bits. It was masked out to 0xfffff.
  With the new code that allows the user to change the size of the
  sub-buffer, it is theoretically possible to ask for a size
  bigger than 2^20. If that happens, unexpected results may
  occur as there's no code checking if the counter overflowed the
  20 bits of the write mask. There are other checks to make sure
  events fit in the sub-buffer, but if the sub-buffer itself is
  too big, that is not checked.

  Add a check in the resize of the sub-buffer to make sure that it
  never goes beyond the size of the counter that holds how much
  data is on it.


Please pull the latest trace-v6.8-rc5 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.8-rc5

Tag SHA1: 2ff328f136698ef4a0b8660ed372017d338f9435
Head SHA1: e78fb4eac817308027da88d02e5d0213462a7562


Steven Rostedt (Google) (1):
      ring-buffer: Do not let subbuf be bigger than write mask

----
 kernel/trace/ring_buffer.c | 4 ++++
 1 file changed, 4 insertions(+)
---------------------------
commit e78fb4eac817308027da88d02e5d0213462a7562
Author: Steven Rostedt (Google) <rostedt@...dmis.org>
Date:   Tue Feb 20 09:51:12 2024 -0500

    ring-buffer: Do not let subbuf be bigger than write mask
    
    The data on the subbuffer is measured by a write variable that also
    contains status flags. The counter is just 20 bits in length. If the
    subbuffer is bigger than then counter, it will fail.
    
    Make sure that the subbuffer can not be set to greater than the counter
    that keeps track of the data on the subbuffer.
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240220095112.77e9cb81@gandalf.local.home
    
    Cc: Masami Hiramatsu <mhiramat@...nel.org>
    Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
    Fixes: 2808e31ec12e5 ("ring-buffer: Add interface for configuring trace sub buffer size")
    Signed-off-by: Steven Rostedt (Google) <rostedt@...dmis.org>

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index fd4bfe3ecf01..0699027b4f4c 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5877,6 +5877,10 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
 	if (psize <= BUF_PAGE_HDR_SIZE)
 		return -EINVAL;
 
+	/* Size of a subbuf cannot be greater than the write counter */
+	if (psize > RB_WRITE_MASK + 1)
+		return -EINVAL;
+
 	old_order = buffer->subbuf_order;
 	old_size = buffer->subbuf_size;
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ