FEX-Emu/linux
1
0
Fork 0
mirror of https://github.com/FEX-Emu/linux.git synced 2024-12-28 04:17:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
057db8488b
linux/kernel/trace
History
Steven Rostedt 057db8488b tracing: Fix potential out-of-bounds in trace_get_user() 
Andrey reported the following report:

ERROR: AddressSanitizer: heap-buffer-overflow on address ffff8800359c99f3
ffff8800359c99f3 is located 0 bytes to the right of 243-byte region [ffff8800359c9900, ffff8800359c99f3)
Accessed by thread T13003:
  #0 ffffffff810dd2da (asan_report_error+0x32a/0x440)
  #1 ffffffff810dc6b0 (asan_check_region+0x30/0x40)
  #2 ffffffff810dd4d3 (__tsan_write1+0x13/0x20)
  #3 ffffffff811cd19e (ftrace_regex_release+0x1be/0x260)
  #4 ffffffff812a1065 (__fput+0x155/0x360)
  #5 ffffffff812a12de (____fput+0x1e/0x30)
  #6 ffffffff8111708d (task_work_run+0x10d/0x140)
  #7 ffffffff810ea043 (do_exit+0x433/0x11f0)
  #8 ffffffff810eaee4 (do_group_exit+0x84/0x130)
  #9 ffffffff810eafb1 (SyS_exit_group+0x21/0x30)
  #10 ffffffff81928782 (system_call_fastpath+0x16/0x1b)

Allocated by thread T5167:
  #0 ffffffff810dc778 (asan_slab_alloc+0x48/0xc0)
  #1 ffffffff8128337c (__kmalloc+0xbc/0x500)
  #2 ffffffff811d9d54 (trace_parser_get_init+0x34/0x90)
  #3 ffffffff811cd7b3 (ftrace_regex_open+0x83/0x2e0)
  #4 ffffffff811cda7d (ftrace_filter_open+0x2d/0x40)
  #5 ffffffff8129b4ff (do_dentry_open+0x32f/0x430)
  #6 ffffffff8129b668 (finish_open+0x68/0xa0)
  #7 ffffffff812b66ac (do_last+0xb8c/0x1710)
  #8 ffffffff812b7350 (path_openat+0x120/0xb50)
  #9 ffffffff812b8884 (do_filp_open+0x54/0xb0)
  #10 ffffffff8129d36c (do_sys_open+0x1ac/0x2c0)
  #11 ffffffff8129d4b7 (SyS_open+0x37/0x50)
  #12 ffffffff81928782 (system_call_fastpath+0x16/0x1b)

Shadow bytes around the buggy address:
  ffff8800359c9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  ffff8800359c9780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  ffff8800359c9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff8800359c9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff8800359c9900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>ffff8800359c9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fb
  ffff8800359c9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff8800359c9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  ffff8800359c9b00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  ffff8800359c9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8800359c9c00: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap redzone:          fa
  Heap kmalloc redzone:  fb
  Freed heap region:     fd
  Shadow gap:            fe

The out-of-bounds access happens on 'parser->buffer[parser->idx] = 0;'

Although the crash happened in ftrace_regex_open() the real bug
occurred in trace_get_user() where there's an incrementation to
parser->idx without a check against the size. The way it is triggered
is if userspace sends in 128 characters (EVENT_BUF_SIZE + 1), the loop
that reads the last character stores it and then breaks out because
there is no more characters. Then the last character is read to determine
what to do next, and the index is incremented without checking size.

Then the caller of trace_get_user() usually nulls out the last character
with a zero, but since the index is equal to the size, it writes a nul
character after the allocated space, which can corrupt memory.

Luckily, only root user has write access to this file.

Link: http://lkml.kernel.org/r/20131009222323.04fd1a0d@gandalf.local.home

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-10-18 21:02:56 -04:00
..
blktrace.c Merge branch 'for-3.10/drivers' of git://git.kernel.dk/linux-block 2013-05-08 11:51:05 -07:00
ftrace.c ftrace: Fix a slight race in modifying what function callback gets traced 2013-09-03 19:36:26 -04:00
Kconfig ring-buffer: Select IRQ_WORK 2013-05-03 19:24:17 -04:00
Makefile
power-traces.c
ring_buffer_benchmark.c
ring_buffer.c tracing: Typo fix on ring buffer comments 2013-07-18 21:31:26 -04:00
rpm-traces.c
trace_branch.c tracing: Fix the branch tracer that broke with buffer change 2013-03-15 00:35:54 -04:00
trace_clock.c tracing: Add "uptime" trace clock that uses jiffies 2013-03-15 00:36:09 -04:00
trace_entries.h tracing: Add trace_puts() for even faster trace_printk() tracing 2013-03-15 00:35:55 -04:00
trace_event_perf.c tracing/perf: Move the PERF_MAX_TRACE_SIZE check into perf_trace_buf_prepare() 2013-07-18 21:31:28 -04:00
trace_events_filter_test.h
trace_events_filter.c tracing: Change event_filter_read/write to verify i_private != NULL 2013-07-29 22:56:59 -04:00
trace_events.c tracing: Kill the !CONFIG_MODULES code in trace_events.c 2013-08-21 23:28:03 -04:00
trace_export.c tracing: Fix some section mismatch warnings 2013-03-15 00:34:54 -04:00
trace_functions_graph.c tracing: Add ref_data to function and fgraph tracer structs 2013-07-18 21:31:31 -04:00
trace_functions.c tracing: Add ref_data to function and fgraph tracer structs 2013-07-18 21:31:31 -04:00
trace_irqsoff.c tracing: Use flag buffer_disabled for irqsoff tracer 2013-07-01 20:34:28 -04:00
trace_kdb.c tracing: Consolidate max_tr into main trace_array structure 2013-03-15 00:35:40 -04:00
trace_kprobe.c tracing/kprobes: Fail to unregister if probe event files are in use 2013-07-31 22:25:46 -04:00
trace_mmiotrace.c tracing: Use trace_seq_puts()/trace_seq_putc() where possible 2013-07-18 21:30:36 -04:00
trace_nop.c
trace_output.c tracing: Use trace_seq_puts()/trace_seq_putc() where possible 2013-07-18 21:30:36 -04:00
trace_output.h tracing: Rename trace_event_mutex to trace_event_sem 2013-03-15 13:22:10 -04:00
trace_printk.c tracing: Add __tracepoint_string() to export string pointers 2013-07-26 13:39:44 -04:00
trace_probe.c
trace_probe.h
trace_sched_switch.c tracing: Consolidate max_tr into main trace_array structure 2013-03-15 00:35:40 -04:00
trace_sched_wakeup.c tracing: Add function-trace option to disable function tracing of latency tracers 2013-03-15 00:36:08 -04:00
trace_selftest_dynamic.c
trace_selftest.c ftrace: Do not run selftest if command line parameter is set 2013-07-01 20:57:15 -04:00
trace_stack.c Tracing updates for Linux 3.10 2013-04-29 13:55:38 -07:00
trace_stat.c tracing: Check return value of tracing_init_dentry() 2013-04-12 23:02:32 -04:00
trace_stat.h
trace_syscalls.c tracing/syscalls: Annotate raw_init function with __init 2013-08-21 22:24:52 -04:00
trace_uprobe.c tracing/uprobes: Fail to unregister if probe event files are in use 2013-08-01 18:25:50 -04:00
trace.c tracing: Fix potential out-of-bounds in trace_get_user() 2013-10-18 21:02:56 -04:00
trace.h Not much changes for the 3.12 merge window. The major tracing changes 2013-09-09 14:42:15 -07:00