Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2644227pxj; Mon, 14 Jun 2021 03:53:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxPz70Jc1OF0G7YjkpRlIEytY/KAwxekFiorWLoEQpqun5XPrCONbR7637aGoIM4GOcZzC8 X-Received: by 2002:a05:6402:3487:: with SMTP id v7mr4504995edc.378.1623668023273; Mon, 14 Jun 2021 03:53:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623668023; cv=none; d=google.com; s=arc-20160816; b=mayZNwF5FeE9gXLW6+vLRLgrjFNOl4nNLarsBAhAqItBYrFGFfe0c1JHyoMFLWMhGZ UiCjoFJJkEds9yvy3BG6+lXQYnoj305D1LdXCzBs/ui7SRRax5tsTiR0pjijK7T8l1H5 3Yv0P8V0yq6TywHjaWy1xMCr+Lmc0anaoi8nc3kX7AnabdNwcIo94a7ozuP8MLR8Q49d mYl8U+Y+RfJr+0uOxwAeQSbxg4sX8d8VncFep/sXOEUlcdEqptD2mVm6GC6Rgcg0yYDe x49AqSBhDLeT2pG+HUZq5CDwouk73+3Hj9lJIimjo9OlfsfSJmD9xQX+MMucRgHYZChf +DIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xeM44SGHKHzWX32HEDfOv834G5bECx0xXRv+exBXou8=; b=mQw5jTAqPICp2AXDjm2rtroWBBRyIcWS3Vqb9HwRlN4uNUtf/uFW6KIfw8NQ0jGYqo jTNYbQ7ABjvWObPPkQv4EHS5DnWjh9WA6LyRyVsPqAA2EWk89T0cLoAVfm2POFaWEIjr 5eiFGvl/YO+KYn1fX1Ec8i6BvBZUYyz5+r+l970IzHIlDMVdOp4MTN1IYakxsbEGKRUi UjGj+5PMwi+iyCdnfGvJdREppyTWm71169fGPHt4ZI9pptg4z9SFZJH/UdJM5GnBVNHW vpZKf18xRsa1yDNoMLYPlfTL7tDyMBe+mcfeR0Qw0Y6y4jPj3RjCfsriq9c8RtL3kxNc dyPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KVCPMWEf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f13si11724737edr.531.2021.06.14.03.53.20; Mon, 14 Jun 2021 03:53:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KVCPMWEf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234651AbhFNKyA (ORCPT + 99 others); Mon, 14 Jun 2021 06:54:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:52688 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232892AbhFNKqm (ORCPT ); Mon, 14 Jun 2021 06:46:42 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C78D0610CD; Mon, 14 Jun 2021 10:37:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623667027; bh=ATYZqRrsRPfehS+o/jS6KNB3jqIPcn7jKi6aPZDxvIM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KVCPMWEftrPRZBz5DjTeRc8GiYrRnIWrAaWHM8T6ncm6sfzqd+q2Kgnt6N4OwoABX mSmzijZzVQ161e0L4R8+ivXtE4CwR6jeF1+AijqSoPawGtkR6zNtUdSNfdJId3BRXO 1zn7xEAoSWcOW/Tw03Nds4wCCXLT9qFB943wAtRI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ingo Molnar , Xunlei Pang , yinbinbin , Wetp Zhang , James Wang , Liangyan , "Steven Rostedt (VMware)" Subject: [PATCH 4.19 67/67] tracing: Correct the length check which causes memory corruption Date: Mon, 14 Jun 2021 12:27:50 +0200 Message-Id: <20210614102646.035773202@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102643.797691914@linuxfoundation.org> References: <20210614102643.797691914@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Liangyan commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3 upstream. We've suffered from severe kernel crashes due to memory corruption on our production environment, like, Call Trace: [1640542.554277] general protection fault: 0000 [#1] SMP PTI [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 [1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf [1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300 [1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000 [1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d [1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976 [1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000 [1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0 [1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1640542.566742] Call Trace: [1640542.567009] anon_vma_clone+0x5d/0x170 [1640542.567417] __split_vma+0x91/0x1a0 [1640542.567777] do_munmap+0x2c6/0x320 [1640542.568128] vm_munmap+0x54/0x70 [1640542.569990] __x64_sys_munmap+0x22/0x30 [1640542.572005] do_syscall_64+0x5b/0x1b0 [1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [1640542.575642] RIP: 0033:0x7f45d6e61e27 James Wang has reproduced it stably on the latest 4.19 LTS. After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows: [ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000 [ 86.780806] no_context+0xdf/0x3c0 [ 86.784327] __do_page_fault+0x252/0x470 [ 86.788367] do_page_fault+0x32/0x140 [ 86.792145] page_fault+0x1e/0x30 [ 86.795576] strncpy_from_unsafe+0x66/0xb0 [ 86.799789] fetch_memory_string+0x25/0x40 [ 86.804002] fetch_deref_string+0x51/0x60 [ 86.808134] kprobe_trace_func+0x32d/0x3a0 [ 86.812347] kprobe_dispatcher+0x45/0x50 [ 86.816385] kprobe_ftrace_handler+0x90/0xf0 [ 86.820779] ftrace_ops_assist_func+0xa1/0x140 [ 86.825340] 0xffffffffc00750bf [ 86.828603] do_sys_open+0x5/0x1f0 [ 86.832124] do_syscall_64+0x5b/0x1b0 [ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9 commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds length check to protect trace data overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent overflow entirely, the length check should also take the sizeof entry->array[0] into account, since this array[0] is filled the length of trace data and occupy addtional space and risk overflow. Link: https://lkml.kernel.org/r/20210607125734.1770447-1-liangyan.peng@linux.alibaba.com Cc: stable@vger.kernel.org Cc: Ingo Molnar Cc: Xunlei Pang Cc: Greg Kroah-Hartman Fixes: b220c049d519 ("tracing: Check length before giving out the filter buffer") Reviewed-by: Xunlei Pang Reviewed-by: yinbinbin Reviewed-by: Wetp Zhang Tested-by: James Wang Signed-off-by: Liangyan Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -2281,7 +2281,7 @@ trace_event_buffer_lock_reserve(struct r (entry = this_cpu_read(trace_buffered_event))) { /* Try to use the per cpu buffer first */ val = this_cpu_inc_return(trace_buffered_event_cnt); - if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { + if ((len < (PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]))) && val == 1) { trace_event_setup(entry, type, flags, pc); entry->array[0] = len; return entry;