| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241022223214.f2e6f5d314e09d54a64c0d5f@kernel.org>
Date: Tue, 22 Oct 2024 22:32:14 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Mikel Rychliski <mikel@...elr.com>
Cc: Steven Rostedt <rostedt@...dmis.org>, Mathieu Desnoyers
<mathieu.desnoyers@...icios.com>, linux-kernel@...r.kernel.org,
linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH v2] tracing/probes: Fix MAX_TRACE_ARGS limit handling
On Mon, 30 Sep 2024 16:26:54 -0400
Mikel Rychliski <mikel@...elr.com> wrote:
> When creating a trace_probe we would set nr_args prior to truncating the
> arguments to MAX_TRACE_ARGS. However, we would only initialize arguments
> up to the limit.
>
> This caused invalid memory access when attempting to set up probes with
> more than 128 fetchargs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
> RIP: 0010:__set_print_fmt+0x134/0x330
>
> Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return
> an error when there are too many arguments instead of silently
> truncating.
Yeah, looks good to me. Let me pick it.
Thanks!
>
> Fixes: 035ba76014c0 ("tracing/probes: cleanup: Set trace_probe::nr_args at trace_probe_init")
> Signed-off-by: Mikel Rychliski <mikel@...elr.com>
> ---
> V1 -> V2: Return error instead of dropping excessive arguments
>
> kernel/trace/trace_eprobe.c | 7 ++++++-
> kernel/trace/trace_fprobe.c | 6 +++++-
> kernel/trace/trace_kprobe.c | 6 +++++-
> kernel/trace/trace_uprobe.c | 4 +++-
> 4 files changed, 19 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c
> index b0e0ec85912e..ebda68ee9abf 100644
> --- a/kernel/trace/trace_eprobe.c
> +++ b/kernel/trace/trace_eprobe.c
> @@ -912,6 +912,11 @@ static int __trace_eprobe_create(int argc, const char *argv[])
> }
> }
>
> + if (argc - 2 > MAX_TRACE_ARGS) {
> + ret = -E2BIG;
> + goto error;
> + }
> +
> mutex_lock(&event_mutex);
> event_call = find_and_get_event(sys_name, sys_event);
> ep = alloc_event_probe(group, event, event_call, argc - 2);
> @@ -937,7 +942,7 @@ static int __trace_eprobe_create(int argc, const char *argv[])
>
> argc -= 2; argv += 2;
> /* parse arguments */
> - for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
> + for (i = 0; i < argc; i++) {
> trace_probe_log_set_index(i + 2);
> ret = trace_eprobe_tp_update_arg(ep, argv, i);
> if (ret)
> diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c
> index a079abd8955b..c62d1629cffe 100644
> --- a/kernel/trace/trace_fprobe.c
> +++ b/kernel/trace/trace_fprobe.c
> @@ -1187,6 +1187,10 @@ static int __trace_fprobe_create(int argc, const char *argv[])
> argc = new_argc;
> argv = new_argv;
> }
> + if (argc > MAX_TRACE_ARGS) {
> + ret = -E2BIG;
> + goto out;
> + }
>
> ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
> if (ret)
> @@ -1203,7 +1207,7 @@ static int __trace_fprobe_create(int argc, const char *argv[])
> }
>
> /* parse arguments */
> - for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
> + for (i = 0; i < argc; i++) {
> trace_probe_log_set_index(i + 2);
> ctx.offset = 0;
> ret = traceprobe_parse_probe_arg(&tf->tp, i, argv[i], &ctx);
> diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
> index 61a6da808203..263fac44d3ca 100644
> --- a/kernel/trace/trace_kprobe.c
> +++ b/kernel/trace/trace_kprobe.c
> @@ -1013,6 +1013,10 @@ static int __trace_kprobe_create(int argc, const char *argv[])
> argc = new_argc;
> argv = new_argv;
> }
> + if (argc > MAX_TRACE_ARGS) {
> + ret = -E2BIG;
> + goto out;
> + }
>
> ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
> if (ret)
> @@ -1029,7 +1033,7 @@ static int __trace_kprobe_create(int argc, const char *argv[])
> }
>
> /* parse arguments */
> - for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
> + for (i = 0; i < argc; i++) {
> trace_probe_log_set_index(i + 2);
> ctx.offset = 0;
> ret = traceprobe_parse_probe_arg(&tk->tp, i, argv[i], &ctx);
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index c3df411a2684..f0273b4d4a7b 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -565,6 +565,8 @@ static int __trace_uprobe_create(int argc, const char **argv)
>
> if (argc < 2)
> return -ECANCELED;
> + if (argc - 2 > MAX_TRACE_ARGS)
> + return -E2BIG;
>
> if (argv[0][1] == ':')
> event = &argv[0][2];
> @@ -690,7 +692,7 @@ static int __trace_uprobe_create(int argc, const char **argv)
> tu->filename = filename;
>
> /* parse arguments */
> - for (i = 0; i < argc && i < MAX_TRACE_ARGS; i++) {
> + for (i = 0; i < argc; i++) {
> struct traceprobe_parse_context ctx = {
> .flags = (is_return ? TPARG_FL_RETURN : 0) | TPARG_FL_USER,
> };
>
> base-commit: 886f3732878dc92fb0ad6d8b6740b66410d1d50a
> --
> 2.46.1
>
--
Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists