Message-ID: <20250421101912.4fd7c11a@gandalf.local.home>
Date: Mon, 21 Apr 2025 10:19:12 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Jeongjun Park <aha310510@...il.com>
Cc: mhiramat@...nel.org, linux-kernel@...r.kernel.org,
 linux-trace-kernel@...r.kernel.org,
 syzbot+c8cd2d2c412b868263fb@...kaller.appspotmail.com
Subject: Re: [PATCH] tracing: fix oob write in trace_seq_to_buffer()

On Mon, 21 Apr 2025 22:49:36 +0900
Jeongjun Park <aha310510@...il.com> wrote:

> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 8ddf6b17215c..8ba6ea38411d 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -1827,6 +1827,8 @@ static ssize_t trace_seq_to_buffer(struct trace_seq *s, void *buf, size_t cnt)
>  	len = trace_seq_used(s) - s->readpos;
>  	if (cnt > len)
>  		cnt = len;
> +	if (cnt > PAGE_SIZE)
> +		return -EINVAL;

You fixed the wrong location. The caller should know how much size the
buffer is, and that's passed in by cnt.

>  	memcpy(buf, s->buffer + s->readpos, cnt);
>  
>  	s->readpos += cnt;

The correct fix would be:

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index b6e40e8791fa..c23b5ab27314 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6729,7 +6864,8 @@ static ssize_t tracing_splice_read_pipe(struct file *filp,
 		/* Copy the data into the page, so we can start over. */
 		ret = trace_seq_to_buffer(&iter->seq,
 					  page_address(spd.pages[i]),
-					  trace_seq_used(&iter->seq));
+					  min(trace_seq_used(&iter->seq),
+					      PAGE_SIZE));
 		if (ret < 0) {
 			__free_page(spd.pages[i]);
 			break;

Especially since the trace_seq_to_buffer() code should be moved out of this
file and should have no idea how big the buffer passed in is.

-- Steve

Powered by blists - more mailing lists