Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull uprobe fix from Masami Hiramatsu:

- uprobe: avoid out-of-bounds memory access of fetching args

Uprobe trace events can cause out-of-bounds memory access when
fetching user-space data which is bigger than one page, because it
does not check the local CPU buffer size when reading the data. This
checks the read data size and cuts it down to the local CPU buffer
size.

* tag 'probes-fixes-v6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
uprobe: avoid out-of-bounds memory access of fetching args

+6 -3
kernel/trace/trace_uprobe.c
··· 875 875 }; 876 876 static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer; 877 877 static int uprobe_buffer_refcnt; 878 + #define MAX_UCB_BUFFER_SIZE PAGE_SIZE 878 879 879 880 static int uprobe_buffer_init(void) 880 881 { ··· 980 979 ucb = uprobe_buffer_get(); 981 980 ucb->dsize = tu->tp.size + dsize; 982 981 982 + if (WARN_ON_ONCE(ucb->dsize > MAX_UCB_BUFFER_SIZE)) { 983 + ucb->dsize = MAX_UCB_BUFFER_SIZE; 984 + dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size; 985 + } 986 + 983 987 store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize); 984 988 985 989 *ucbp = ucb; ··· 1003 997 struct trace_event_call *call = trace_probe_event_call(&tu->tp); 1004 998 1005 999 WARN_ON(call != trace_file->event_call); 1006 - 1007 - if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE)) 1008 - return; 1009 1000 1010 1001 if (trace_trigger_soft_disabled(trace_file)) 1011 1002 return;
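Review bot: the new `#define MAX_UCB_BUFFER_SIZE PAGE_SIZE` in the first hunk sits between `uprobe_buffer_refcnt` and `uprobe_buffer_init()` with nothing tying it to the size of the per-CPU buffer it bounds; the only hint is that the removed check in the last hunk also compared against PAGE_SIZE. A one-line comment stating that the define must match the allocation of ucb->buf in uprobe_buffer_init() (or deriving one from the other) would keep the two from drifting apart if the buffer size ever changes.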
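Review bot: the clamp in the second hunk recomputes `dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;`, which is only meaningful if tu->tp.size itself never exceeds MAX_UCB_BUFFER_SIZE; nothing in the hunk establishes that bound, and if the fixed-size part alone could be larger than a page the subtraction would go negative (or wrap, if dsize is unsigned) and `store_trace_args(ucb->buf, &tu->tp, regs, NULL, esize, dsize);` would again be handed an oversized length. Either a comment explaining where tp.size is bounded at probe-creation time, or a guard on `tu->tp.size <= MAX_UCB_BUFFER_SIZE` before the subtraction, would close that gap. Note also that the WARN_ON_ONCE condition is reached through the size of user-space data a probe fetches, so it can fire in normal operation rather than signal a kernel bug, and the recorded event is silently truncated with no marker for consumers; a comment saying this is the intended degradation would help future readers.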
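Review bot: dropping `if (WARN_ON_ONCE(ucb->dsize > PAGE_SIZE)) return;` in the last hunk is the right fix rather than a regression: by the time that function ran, ucb->buf had already been populated by store_trace_args() in the earlier path, so the check could only report the overflow, not prevent it, and the new clamp placed before store_trace_args() supersedes it. With the limit now expressed as MAX_UCB_BUFFER_SIZE, it is worth confirming that no other comparison against bare PAGE_SIZE remains in this file so the bound is spelled in one place.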