tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing next index in
rb_read_data_buffer(). Since this function is used for validating
possibly broken ring buffers, the length of the event could be broken.
In that case, the new event (e + len) can point a wrong address.
To avoid invalid memory access at boot, check whether the length of
each event is in the possible range before using it.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 5f3b6e839f3c ("ring-buffer: Validate boot range memory events")
Link: https://patch.msgid.link/177123421541.142205.9414352170164678966.stgit@devnote2
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

authored by

Masami Hiramatsu (Google) and committed by
Steven Rostedt (Google) 912b0ee2 f1547779

+5 -1
+5 -1
kernel/trace/ring_buffer.c
··· 1849 1849 struct ring_buffer_event *event; 1850 1850 u64 ts, delta; 1851 1851 int events = 0; 1852 + int len; 1852 1853 int e; 1853 1854 1854 1855 *delta_ptr = 0; ··· 1857 1856 1858 1857 ts = dpage->time_stamp; 1859 1858 1860 - for (e = 0; e < tail; e += rb_event_length(event)) { 1859 + for (e = 0; e < tail; e += len) { 1861 1860 1862 1861 event = (struct ring_buffer_event *)(dpage->data + e); 1862 + len = rb_event_length(event); 1863 + if (len <= 0 || len > tail - e) 1864 + return -1; 1863 1865 1864 1866 switch (event->type_len) { 1865 1867