Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 187FAC433FE for ; Mon, 6 Dec 2021 15:39:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1389752AbhLFPk5 (ORCPT ); Mon, 6 Dec 2021 10:40:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1386608AbhLFP0r (ORCPT ); Mon, 6 Dec 2021 10:26:47 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5442C08E6E1; Mon, 6 Dec 2021 07:16:37 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 54C8D61321; Mon, 6 Dec 2021 15:16:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 65D6CC341C1; Mon, 6 Dec 2021 15:16:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1638803796; bh=s0sczKJCjhCa2PC1m4yI3VM2DXbgGwBfPUX35AF0CPQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=asPJTIeP8hT4ynPvZ06ve3OGSdGUWGKFCQl5loEC+qdDRGr85SzzaTATFW6za+TUV 071Aqvn3qSQobRlbRDIF3T3SfszuiLYJMca+zhT9uzmNbNakSI0edDiSlIRSNsk5Y0 rJhZBER58FZBdGdg41mEpKh2mFmG2MI/7KsOoOSQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, zhangyue , Masami Hiramatsu , "Steven Rostedt (VMware)" Subject: [PATCH 5.10 032/130] kprobes: Limit max data_size of the kretprobe instances Date: Mon, 6 Dec 2021 15:55:49 +0100 Message-Id: <20211206145600.758364220@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211206145559.607158688@linuxfoundation.org> References: <20211206145559.607158688@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Masami Hiramatsu commit 6bbfa44116689469267f1a6e3d233b52114139d2 upstream. The 'kprobe::data_size' is unsigned, thus it can not be negative. But if user sets it enough big number (e.g. (size_t)-8), the result of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance are allocated without enough memory, and kretprobe accesses outside of allocated memory. To avoid this issue, introduce a max limitation of the kretprobe::data_size. 4KB per instance should be OK. Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2 Cc: stable@vger.kernel.org Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler") Reported-by: zhangyue Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- include/linux/kprobes.h | 2 ++ kernel/kprobes.c | 3 +++ 2 files changed, 5 insertions(+) --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -155,6 +155,8 @@ struct kretprobe { raw_spinlock_t lock; }; +#define KRETPROBE_MAX_DATA_SIZE 4096 + struct kretprobe_instance { union { struct hlist_node hlist; --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2137,6 +2137,9 @@ int register_kretprobe(struct kretprobe } } + if (rp->data_size > KRETPROBE_MAX_DATA_SIZE) + return -E2BIG; + rp->kp.pre_handler = pre_handler_kretprobe; rp->kp.post_handler = NULL; rp->kp.fault_handler = NULL;