Probes fixes for v6.12-rc4:
- uprobe: avoid out-of-bounds memory access of fetching args Uprobe trace events can cause out-of-bounds memory access when fetching user-space data which is bigger than one page, because it does not check the local CPU buffer size when reading the data. This checks the read data size and cut it down to the local CPU buffer size. -----BEGIN PGP SIGNATURE----- iQFPBAABCgA5FiEEh7BulGwFlgAOi5DV2/sHvwUrPxsFAmcWarUbHG1hc2FtaS5o aXJhbWF0c3VAZ21haWwuY29tAAoJENv7B78FKz8b3R4H/j1k6K4hYlDqiVyEaAgl u1b6cJncJShKdhE3laxDDvBv6oLrAypJbxiWv6obuBLpM1VTtjAFFQB84FoJae2w 3y7UPeVrIHDnxlSDGDW3jwSh8FYaFKgLMr1pLRKw6R1ED4ZhkbEIVJ6G1qFaMrYn FCMF7ZX1E7MW2FuUI3L+vaaKop8FLZUKyW1gRDfw+IPy/UTgUJLRohMbxixdprPe W+14GHPvf/lh2MiWzVjvzaBRRiUX8OW7nA4UvvCcHQXVmzx0GmPpPuiVHC7YyhTU 6FiVFKjMsv2jbzyREP4QYPF1n16Us0WZ0ZmGLfrSHyasr7ihj1m//YWCpFxCqzLb /Js= =VBeG -----END PGP SIGNATURE----- Merge tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull uprobe fix from Masami Hiramatsu: - uprobe: avoid out-of-bounds memory access of fetching args Uprobe trace events can cause out-of-bounds memory access when fetching user-space data which is bigger than one page, because it does not check the local CPU buffer size when reading the data. This checks the read data size and cut it down to the local CPU buffer size. * tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: uprobe: avoid out-of-bounds memory access of fetching args
commit
c1bc09d7bf
@ -875,6 +875,7 @@ struct uprobe_cpu_buffer {
|
|||||||
};
|
};
|
||||||
static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
|
static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
|
||||||
static int uprobe_buffer_refcnt;
|
static int uprobe_buffer_refcnt;
|
||||||
|
#define MAX_UCB_BUFFER_SIZE PAGE_SIZE
|
||||||
|
|
||||||
static int uprobe_buffer_init(void)
|
static int uprobe_buffer_init(void)
|
||||||
{
|
{
|
||||||
@ -979,6 +980,11 @@ static struct uprobe_cpu_buffer *prepare_uprobe_buffer(struct trace_uprobe *tu,
|
|||||||
ucb = uprobe_buffer_get();
|
ucb = uprobe_buffer_get();
|
||||||
ucb->dsize = tu->tp.size + dsize;
|
ucb->dsize = tu->tp.size + dsize;
|
||||||
|
|
||||||
|
if (WARN_ON_ONCE(ucb->dsize > MAX_UCB_BUFFER_SIZE)) {
|
||||||
|
ucb->dsize = MAX_UCB_BUFFER_SIZE;
|
||||||
|
dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;
|
||||||
|
}
|
||||||
|
|
||||||
store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize);
|
store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize);
|
||||||
|
|
||||||
*ucbp = ucb;
|
*ucbp = ucb;
|
||||||
@ -998,9 +1004,6 @@ static void __uprobe_trace_func(struct trace_uprobe *tu,
|
|||||||
|
|
||||||
WARN_ON(call != trace_file->event_call);
|
WARN_ON(call != trace_file->event_call);
|
||||||
|
|
||||||
if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE))
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (trace_trigger_soft_disabled(trace_file))
|
if (trace_trigger_soft_disabled(trace_file))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
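Review bot: In the prepare_uprobe_buffer hunk, the clamp `dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;` relies on tu->tp.size never exceeding MAX_UCB_BUFFER_SIZE, and nothing in the visible lines establishes that. If the bound did not hold, the remaining size would go negative or wrap (dsize is declared outside the hunk) before it reaches store_trace_args(). A comment such as `/* clamp to the per-CPU buffer; tu->tp.size must be <= MAX_UCB_BUFFER_SIZE */`, or an explicit guard, would make the truncation visibly safe. Separately, the commit message says the oversize case is reached by fetching user-space data larger than one page, so `WARN_ON_ONCE` appears to fire on data the traced process controls; with panic_on_warn set that turns a truncation into a crash, so a silent clamp or a rate-limited message may be preferable. The function body starts and ends outside the hunk, as does the per-CPU buffer allocation, which should ideally use MAX_UCB_BUFFER_SIZE too so the limit and the allocation cannot drift apart.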