lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240930084018.a725f6e59a3be7be3e356e27@kernel.org>
Date: Mon, 30 Sep 2024 08:40:18 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Mikel Rychliski <mikel@...elr.com>
Cc: Steven Rostedt <rostedt@...dmis.org>, Mathieu Desnoyers
 <mathieu.desnoyers@...icios.com>, linux-kernel@...r.kernel.org,
 linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH] tracing/probes: Fix MAX_TRACE_ARGS limit handling

On Sun, 29 Sep 2024 16:09:37 -0400
Mikel Rychliski <mikel@...elr.com> wrote:

> When creating a trace_probe we would set nr_args prior to truncating the
> arguments to MAX_TRACE_ARGS. However, we would only initialize arguments
> up to the limit.
> 
> This caused invalid memory access when attempting to set up probes with
> more than 128 fetchargs.
> 
>   BUG: kernel NULL pointer dereference, address: 0000000000000020
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 0 P4D 0
>   Oops: Oops: 0000 [#1] PREEMPT SMP PTI
>   CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
>   RIP: 0010:__set_print_fmt+0x134/0x330
> 
> Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. This
> restores the prior behaviour of silently ignoring excess arguments.

Good catch! But this silently drop the arguments after MAX_TRACE_ARGS.
I rather like to reject such input with an error (-E2BIG) as below.
(Hmm, and I also need a new ftracetest test case for this.)

diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index 39877c80d6cb..3f6654127d8c 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -2194,6 +2194,9 @@ int trace_probe_create(const char *raw_command, int (*createfn)(int, const char
 	if (!argv)
 		return -ENOMEM;
 
+	if (argc > MAX_TRACE_ARGS + 2)
+		return -E2BIG;
+
 	if (argc)
 		ret = createfn(argc, (const char **)argv);
 

-- 
Masami Hiramatsu (Google) <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ