Commit c1bc09d7 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'probes-fixes-v6.12-rc4' of...

Merge tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull uprobe fix from Masami Hiramatsu:

 - uprobe: avoid out-of-bounds memory access of fetching args

   Uprobe trace events can cause out-of-bounds memory access when
   fetching user-space data which is bigger than one page, because it
   does not check the local CPU buffer size when reading the data. This
   checks the read data size and cut it down to the local CPU buffer
   size.

* tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  uprobe: avoid out-of-bounds memory access of fetching args
parents 7166c326 373b9338
...@@ -875,6 +875,7 @@ struct uprobe_cpu_buffer { ...@@ -875,6 +875,7 @@ struct uprobe_cpu_buffer {
}; };
static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer; static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
static int uprobe_buffer_refcnt; static int uprobe_buffer_refcnt;
#define MAX_UCB_BUFFER_SIZE PAGE_SIZE
static int uprobe_buffer_init(void) static int uprobe_buffer_init(void)
{ {
...@@ -979,6 +980,11 @@ static struct uprobe_cpu_buffer *prepare_uprobe_buffer(struct trace_uprobe *tu, ...@@ -979,6 +980,11 @@ static struct uprobe_cpu_buffer *prepare_uprobe_buffer(struct trace_uprobe *tu,
ucb = uprobe_buffer_get(); ucb = uprobe_buffer_get();
ucb->dsize = tu->tp.size + dsize; ucb->dsize = tu->tp.size + dsize;
if (WARN_ON_ONCE(ucb->dsize > MAX_UCB_BUFFER_SIZE)) {
ucb->dsize = MAX_UCB_BUFFER_SIZE;
dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;
}
store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize); store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize);
*ucbp = ucb; *ucbp = ucb;
...@@ -998,9 +1004,6 @@ static void __uprobe_trace_func(struct trace_uprobe *tu, ...@@ -998,9 +1004,6 @@ static void __uprobe_trace_func(struct trace_uprobe *tu,
WARN_ON(call != trace_file->event_call); WARN_ON(call != trace_file->event_call);
if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE))
return;
if (trace_trigger_soft_disabled(trace_file)) if (trace_trigger_soft_disabled(trace_file))
return; return;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment