Re: [PATCH] tracing: Fix out-of-range read in trace_stack_print()
On 2019/06/15 5:31, Steven Rostedt wrote:
...
>
>>
>> Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
>
> Actually it fixes:
>
> 4285f2fcef80 ("tracing: Remove the ULONG_MAX stack trace hackery")
>
> Because before that, a ULONG_MAX was inserted into the buffer.
>
> -- Steve
Thank you for the advice.
Now there is no ULONG_MAX marker, so I should have fixed it by just
removing `*p != ULONG_MAX` check, right?
Thanks
Eiichi
>
>> Signed-off-by: Eiichi Tsukata
>> ---
>> kernel/trace/trace_output.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
>> index 54373d93e251..ba751f993c3b 100644
>> --- a/kernel/trace/trace_output.c
>> +++ b/kernel/trace/trace_output.c
>> @@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct
>> trace_iterator *iter,
>>
>> trace_seq_puts(s, "\n");
>>
>> -for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
>> +for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
>>
>> if (trace_seq_has_overflowed(s))
>> break;
>
Re: [PATCH] tracing: Fix out-of-range read in trace_stack_print()
On Mon, 10 Jun 2019 13:00:16 +0900
Eiichi Tsukata wrote:
> Puts range check before dereferencing the pointer.
>
> Reproducer:
>
> # echo stacktrace > trace_options
> # echo 1 > events/enable
> # cat trace > /dev/null
>
>
Thanks I applied this.
>
> Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
Actually it fixes:
4285f2fcef80 ("tracing: Remove the ULONG_MAX stack trace hackery")
Because before that, a ULONG_MAX was inserted into the buffer.
-- Steve
> Signed-off-by: Eiichi Tsukata
> ---
> kernel/trace/trace_output.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index 54373d93e251..ba751f993c3b 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct
> trace_iterator *iter,
>
> trace_seq_puts(s, "\n");
>
> - for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
> + for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
>
> if (trace_seq_has_overflowed(s))
> break;
[PATCH] tracing: Fix out-of-range read in trace_stack_print()
Puts range check before dereferencing the pointer.
Reproducer:
# echo stacktrace > trace_options
# echo 1 > events/enable
# cat trace > /dev/null
KASAN report:
==
BUG: KASAN: use-after-free in trace_stack_print+0x26b/0x2c0
Read of size 8 at addr 888069d2 by task cat/1953
CPU: 0 PID: 1953 Comm: cat Not tainted 5.2.0-rc3+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30
04/01/2014
Call Trace:
dump_stack+0x8a/0xce
print_address_description+0x60/0x224
? trace_stack_print+0x26b/0x2c0
? trace_stack_print+0x26b/0x2c0
__kasan_report.cold+0x1a/0x3e
? trace_stack_print+0x26b/0x2c0
kasan_report+0xe/0x20
trace_stack_print+0x26b/0x2c0
print_trace_line+0x6ea/0x14d0
? tracing_buffers_read+0x700/0x700
? trace_find_next_entry_inc+0x158/0x1d0
s_show+0xea/0x310
seq_read+0xaa7/0x10e0
? seq_escape+0x230/0x230
__vfs_read+0x7c/0x100
vfs_read+0x16c/0x3a0
ksys_read+0x121/0x240
? kernel_write+0x110/0x110
? perf_trace_sys_enter+0x8a0/0x8a0
? syscall_slow_exit_work+0xa9/0x410
do_syscall_64+0xb7/0x390
? prepare_exit_to_usermode+0x165/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f867681f910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44
00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 04
RSP: 002b:7ffdabf23488 EFLAGS: 0246 ORIG_RAX:
RAX: ffda RBX: 0002 RCX: 7f867681f910
RDX: 0002 RSI: 7f8676cde000 RDI: 0003
RBP: 7f8676cde000 R08: R09:
R10: 0871 R11: 0246 R12: 7f8676cde000
R13: 0003 R14: 0002 R15: 0ec0
Allocated by task 1214:
save_stack+0x1b/0x80
__kasan_kmalloc.constprop.0+0xc2/0xd0
kmem_cache_alloc+0xaf/0x1a0
getname_flags+0xd2/0x5b0
do_sys_open+0x277/0x5a0
do_syscall_64+0xb7/0x390
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 1214:
save_stack+0x1b/0x80
__kasan_slab_free+0x12c/0x170
kmem_cache_free+0x8a/0x1c0
putname+0xe1/0x120
do_sys_open+0x2c5/0x5a0
do_syscall_64+0xb7/0x390
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at 888069d2
which belongs to the cache names_cache of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [888069d2, 888069d21000)
The buggy address belongs to the page:
page:ea0001a74800 refcount:1 mapcount:0 mapping:88806ccd1380
index:0x0 compound_mapcount: 0
flags: 0x1010200(slab|head)
raw: 01010200 dead0100 dead0200 88806ccd1380
raw: 00070007 0001
page dumped because: kasan: bad access detected
Memory state around the buggy address:
888069d1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
888069d1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>888069d2: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
888069d20080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
888069d20100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==
Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
Signed-off-by: Eiichi Tsukata
---
kernel/trace/trace_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index 54373d93e251..ba751f993c3b 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct
trace_iterator *iter,
trace_seq_puts(s, "\n");
- for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
+ for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
if (trace_seq_has_overflowed(s))
break;
--
2.21.0
