[PATCH] kprobes: Limit max data_size of the kretprobe instances

[PATCH] kprobes: Limit max data_size of the kretprobe instances

[Masami Hiramatsu]

The kretprobe::data_size is unsigned (size_t) but it is
used as 'data_size + sizeof(struct kretprobe_instance)'.
Thus, it can be smaller than sizeof(struct kretprobe_instance)
while allocating memory for the kretprobe_instance.

To avoid this issue, introduce a max limitation of the
kretprobe::data_size. 4KB per instance should be OK.

Reported-by: zhangyue <zhangyue1@kylinos.cn>
Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
---
 include/linux/kprobes.h |    2 ++
 kernel/kprobes.c        |    3 +++
 2 files changed, 5 insertions(+)

diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
index e974caf39d3e..8c8f7a4d93af 100644
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -153,6 +153,8 @@ struct kretprobe {
 	struct kretprobe_holder *rph;
 };
 
+#define KRETPROBE_MAX_DATA_SIZE	4096
+
 struct kretprobe_instance {
 	union {
 		struct freelist_node freelist;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index e9db0c810554..21eccc961bba 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp)
 		}
 	}
 
+	if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)
+		return -E2BIG;
+
 	rp->kp.pre_handler = pre_handler_kretprobe;
 	rp->kp.post_handler = NULL;
 

Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances

[Steven Rostedt]

On Wed,  1 Dec 2021 23:45:50 +0900
Masami Hiramatsu <mhiramat@kernel.org> wrote:

> The kretprobe::data_size is unsigned (size_t) but it is
> used as 'data_size + sizeof(struct kretprobe_instance)'.
> Thus, it can be smaller than sizeof(struct kretprobe_instance)
> while allocating memory for the kretprobe_instance.

The above doesn't make sense.

data_size is unsigned but it is used as
 'data_size + sizeof(struct kretprobe_instance)'. 

What does that mean?

What can be smaller than sizeof(struct kretprobe_instance) and why does it
matter?

-- Steve


> 
> To avoid this issue, introduce a max limitation of the
> kretprobe::data_size. 4KB per instance should be OK.
> 

Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances

[Masami Hiramatsu]

On Wed, 1 Dec 2021 11:19:22 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:

> On Wed,  1 Dec 2021 23:45:50 +0900
> Masami Hiramatsu <mhiramat@kernel.org> wrote:
> 
> > The kretprobe::data_size is unsigned (size_t) but it is
> > used as 'data_size + sizeof(struct kretprobe_instance)'.
> > Thus, it can be smaller than sizeof(struct kretprobe_instance)
> > while allocating memory for the kretprobe_instance.
> 
> The above doesn't make sense.
> 
> data_size is unsigned but it is used as
>  'data_size + sizeof(struct kretprobe_instance)'. 
> 
> What does that mean?
> 
> What can be smaller than sizeof(struct kretprobe_instance) and why does it
> matter?

OK, what about this ?

The 'kprobe::data_size' is unsigned, thus it can not be negative.
But if user sets it enough big number (e.g. (size_t)-8), the result
of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than
sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance
are allocated without enough memory, and kretprobe accesses outside of
allocated memory.

Thank you,

-- 
Masami Hiramatsu <mhiramat@kernel.org>