Date: Tue, 12 Dec 2023 11:35:46 -0500
From: Steven Rostedt
To: Zheng Yejian
Subject: Re: [PATCH] tracing: Fix uaf issue when open the hist or hist_debug file
Message-ID: <20231212113546.6a51d359@gandalf.local.home>
In-Reply-To: <20231212113317.4159890-1-zhengyejian1@huawei.com>

On Tue, 12 Dec 2023 19:33:17 +0800 Zheng Yejian wrote:

> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c > index 1abc07fba1b9..00447ea7dabd 100644 > --- a/kernel/trace/trace_events_hist.c > +++ b/kernel/trace/trace_events_hist.c > @@ -5623,10 +5623,12 @@ static int event_hist_open(struct inode *inode, struct file *file) > { > int ret; > > - ret = security_locked_down(LOCKDOWN_TRACEFS); > + ret = tracing_open_file_tr(inode, file); > if (ret) > return ret; > > + /* Clear private_data to avoid warning in single_open */ > + file->private_data = NULL; > return single_open(file, hist_show, file); > } > > @@ -5634,7 +5636,7 @@ const struct file_operations event_hist_fops = { > .open = event_hist_open, > .read = seq_read, > .llseek = seq_lseek, > - .release = single_release, > + .release = tracing_release_file_tr,

single_release() still needs to be called. This can't simply be replaced with tracing_release_file_tr().

> }; > > #ifdef CONFIG_HIST_TRIGGERS_DEBUG
> @@ -5900,10 +5902,12 @@ static int event_hist_debug_open(struct inode *inode, struct file *file) > { > int ret; > > - ret = security_locked_down(LOCKDOWN_TRACEFS); > + ret = tracing_open_file_tr(inode, file); > if (ret) > return ret; > > + /* Clear private_data to avoid warning in single_open */ > + file->private_data = NULL; > return single_open(file, hist_debug_show, file); > } > > @@ -5911,7 +5915,7 @@ const struct file_operations event_hist_debug_fops = { > .open = event_hist_debug_open, > .read = seq_read, > .llseek = seq_lseek, > - .release = single_release, > + .release = tracing_release_file_tr,

Same here. This just causes a leak of the single resources.

What needs to be done is to add a:

  tracing_single_release_file_tr()

That does both:

  int tracing_single_release_file_tr(struct inode *inode, struct file *filp)
  {
          struct trace_event_file *file = inode->i_private;

          trace_array_put(file->tr);
          event_file_put(file);

          return single_release(inode, filp);
  }

-- Steve

> }; > #endif >
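Review bot: in event_hist_open() and event_hist_debug_open(), the result of single_open() is returned directly, so a failure there leaves the successful tracing_open_file_tr() call with no matching release, because ->release is not called for an open that failed. Keep the return value in ret and, when it is non-zero, call tracing_release_file_tr(inode, file) before returning it. The same two hunks remove the explicit security_locked_down(LOCKDOWN_TRACEFS) call; the changelog should state that tracing_open_file_tr() still enforces that check, so it is clear the lockdown gate on these files is not lost.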
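Review bot: in the event_hist_fops and event_hist_debug_fops hunks, changing .release from single_release to tracing_release_file_tr leaves the single_open() call in the matching open handler unpaired, so the seq_file state it set up is never freed. Point .release at a handler that drops the tracing references and then returns single_release(inode, filp). Since the open handlers clear file->private_data and single_open() then takes that field over, such a handler has to reach the trace_event_file through inode->i_private rather than through file->private_data.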