From: "Steven Rostedt (Google)" <[email protected]>
If for some reason the trace_marker write does not have a nul byte for the
string, it will overflow the print:
trace_seq_printf(s, ": %s", field->buf);
The field->buf could be missing the nul byte. To prevent overflow, add the
max size that the buf can be by using the event size and the field
location.
int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_seq_printf(s, ": %*s", max, field->buf);
Signed-off-by: Steven Rostedt (Google) <[email protected]>
---
kernel/trace/trace_output.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index d8b302d01083..e11fb8996286 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
{
struct print_entry *field;
struct trace_seq *s = &iter->seq;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
seq_print_ip_sym(s, field->ip, flags);
- trace_seq_printf(s, ": %s", field->buf);
+ trace_seq_printf(s, ": %*s", max, field->buf);
return trace_handle_return(s);
}
@@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
struct trace_event *event)
{
struct print_entry *field;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
- trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+ trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
return trace_handle_return(&iter->seq);
}
--
2.42.0
On 2023-12-12 08:44, Steven Rostedt wrote:
> From: "Steven Rostedt (Google)" <[email protected]>
>
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
Does this result in leaking kernel memory to userspace ? If so, it
should state "Fixes..." and CC stable.
Thanks,
Mathieu
>
> trace_seq_printf(s, ": %s", field->buf);
>
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
>
> int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_seq_printf(s, ": %*s", max, field->buf);
>
> Signed-off-by: Steven Rostedt (Google) <[email protected]>
> ---
> kernel/trace/trace_output.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
> {
> struct print_entry *field;
> struct trace_seq *s = &iter->seq;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> seq_print_ip_sym(s, field->ip, flags);
> - trace_seq_printf(s, ": %s", field->buf);
> + trace_seq_printf(s, ": %*s", max, field->buf);
>
> return trace_handle_return(s);
> }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
> struct trace_event *event)
> {
> struct print_entry *field;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> - trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> + trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>
> return trace_handle_return(&iter->seq);
> }
--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com
On Tue, 12 Dec 2023 09:23:54 -0500
Mathieu Desnoyers <[email protected]> wrote:
> On 2023-12-12 08:44, Steven Rostedt wrote:
> > From: "Steven Rostedt (Google)" <[email protected]>
> >
> > If for some reason the trace_marker write does not have a nul byte for the
> > string, it will overflow the print:
>
> Does this result in leaking kernel memory to userspace ? If so, it
> should state "Fixes..." and CC stable.
No, it was triggered because of a bug elsewhere ;-)
https://lore.kernel.org/linux-trace-kernel/[email protected]/
Which does have a Cc stable and Fixes tag.
The event truncated the trace_marker output and caused the buffer overflow
here. The trace_marker always adds a '\0', but that got dropped due to the
other bug. This is just hardening the kernel.
Note, this can only happen with the new code that allows trace_marker to
use the max size of the buffer, which is for the next kernel release.
-- Steve
On Tue, 12 Dec 2023 08:44:44 -0500
Steven Rostedt <[email protected]> wrote:
> From: "Steven Rostedt (Google)" <[email protected]>
>
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
>
> trace_seq_printf(s, ": %s", field->buf);
>
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
>
> int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_seq_printf(s, ": %*s", max, field->buf);
>
This looks good to me.
Reviewed-by: Masami Hiramatsu (Google) <[email protected]>
Thanks!
> Signed-off-by: Steven Rostedt (Google) <[email protected]>
> ---
> kernel/trace/trace_output.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
> {
> struct print_entry *field;
> struct trace_seq *s = &iter->seq;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> seq_print_ip_sym(s, field->ip, flags);
> - trace_seq_printf(s, ": %s", field->buf);
> + trace_seq_printf(s, ": %*s", max, field->buf);
>
> return trace_handle_return(s);
> }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
> struct trace_event *event)
> {
> struct print_entry *field;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> - trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> + trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>
> return trace_handle_return(&iter->seq);
> }
> --
> 2.42.0
>
--
Masami Hiramatsu (Google) <[email protected]>
On Tue, 12 Dec 2023 08:44:44 -0500
Steven Rostedt <[email protected]> wrote:
> From: "Steven Rostedt (Google)" <[email protected]>
>
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
>
> trace_seq_printf(s, ": %s", field->buf);
>
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
>
> int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_seq_printf(s, ": %*s", max, field->buf);
Bah, this needs to be:
trace_seq_printf(s, ": %.*s", max, field->buf);
Note the '.' between % and *. Otherwise it right aligns the output.
This did fail the selftest for trace_printk(), but I modified the new one
to add " *" to accommodate it :-p
Sending out v2.
-- Steve