From: Andrey Konovalov <andreyknvl@google.com>
To: Dave Jones <davej@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Andrey Konovalov <andreyknvl@google.com>,
linux-kernel@vger.kernel.org, fweisbec@gmail.com,
mingo@redhat.com, Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>
Subject: Re: Fwd: Potential out-of-bounds in ftrace_regex_release
Date: Wed, 9 Oct 2013 14:05:26 +0400
Message-ID: <CAAeHK+wTs3THbh+EVoTm0wqQH8cg2VbT8aKYBX67A385+ohq0w@mail.gmail.com>
In-Reply-To: <20131002223437.GA15728@redhat.com>
I got one more report of a similar bug:
AddressSanitizer: heap-buffer-overflow on address ffff8800205f0e40
Write of size 1 by thread T14005:
[<ffffffff811e2542>] ftrace_event_write+0xe2/0x130 ./kernel/trace/trace_events.c:583
[<ffffffff8128c497>] vfs_write+0x127/0x2f0 ??:0
[<ffffffff8128d572>] SyS_write+0x72/0xd0 ??:0
[<ffffffff818423d2>] system_call_fastpath+0x16/0x1b ./arch/x86/kernel/entry_64.S:629
Allocated by thread T14005:
[< inlined >] trace_parser_get_init+0x28/0x70 kmalloc ./include/linux/slab.h:413
[<ffffffff811cc258>] trace_parser_get_init+0x28/0x70 ./kernel/trace/trace.c:759
[<ffffffff811e24d2>] ftrace_event_write+0x72/0x130 ./kernel/trace/trace_events.c:572
[<ffffffff8128c497>] vfs_write+0x127/0x2f0 ??:0
[<ffffffff8128d572>] SyS_write+0x72/0xd0 ??:0
[<ffffffff818423d2>] system_call_fastpath+0x16/0x1b ./arch/x86/kernel/entry_64.S:629
The buggy address ffff8800205f0e40 is located 0 bytes to the right
of 128-byte region [ffff8800205f0dc0, ffff8800205f0e40)
Memory state around the buggy address:
ffff8800205f0900: rrrrrrrr rrrrrrrr rrrrrrrr rrrrrrrr
ffff8800205f0a00: rrrrrrrr ........ ........ rrrrrrrr
ffff8800205f0b00: rrrrrrrr rrrrrrrr rrrrrrrr rrrrrrrr
ffff8800205f0c00: ........ .......5 rrrrrrrr rrrrrrrr
ffff8800205f0d00: rrrrrrrr rrrrrrrr rrrrrrrr ........
>ffff8800205f0e00: ........ rrrrrrrr rrrrrrrr rrrrrrrr
                            ^
ffff8800205f0f00: rrrrrrrr rrrrrrrr rrrrrrrr rrrrrrrr
ffff8800205f1000: ........ ........ ........ ........
ffff8800205f1100: ........ ........ ........ ........
ffff8800205f1200: ........ ........ ........ ........
ffff8800205f1300: ........ ........ ........ ........
Legend:
f - 8 freed bytes
r - 8 redzone bytes
. - 8 allocated bytes
x=1..7 - x allocated bytes + (8-x) redzone bytes
This time it was caused by 'parser.buffer[parser.idx] = 0;' in
'ftrace_event_write()', which calls 'trace_get_user()' right before
the bad assignment.
So I still think that the bug is in 'trace_get_user()':
The check that 'parser->idx < parser->size - 1' is not performed in the
'if (isspace(ch))' section, so 'parser->idx' becomes equal to
'parser->size' after 'parser->buffer[parser->idx++] = ch;'.
(However, in the 'while (cnt && !isspace(ch))' loop the check is performed.)
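A user-space model of the parser logic described in the message above, added here as an illustration; it is not part of the mail and not the kernel's trace_get_user(). The bookkeeping (a bounded copy loop, then a trailing store when the input runs out without whitespace, then the caller's 'parser.buffer[parser.idx] = 0') is reconstructed from the description in the mail, get_user() is replaced by a plain array read, and the kmalloc'ed buffer is given one extra byte that plays the role of KASAN's redzone so the overflow can be observed without corrupting anything. The 'checked' flag applies the loop's bound check to the trailing store as well; whether that matches the fix eventually merged is not something this message shows, so treat it as an assumption. Function names, the redzone byte and the constructed inputs are all invented for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define PARSER_SIZE 128   /* the 128-byte region in the report above */
#define REDZONE_BYTE 0x5a /* stand-in for KASAN's redzone poisoning (assumed) */

/* The fields of the kernel's struct trace_parser that matter here. */
struct trace_parser {
	bool cont;     /* token continues in the next write() */
	char *buffer;  /* 'size' bytes, NUL terminator included */
	size_t idx;    /* next free byte in buffer */
	size_t size;   /* capacity of buffer */
};

/* Model of trace_get_user(): copy one whitespace-delimited token from ubuf
 * into parser->buffer (get_user() replaced by a plain array read). 'checked'
 * selects whether the trailing store, taken when the input runs out without
 * whitespace, gets the same bound check as the copy loop. Returns the number
 * of bytes consumed, or -EINVAL when the token does not fit. */
static ssize_t model_trace_get_user(struct trace_parser *parser,
				    const char *ubuf, size_t cnt, bool checked)
{
	size_t read = 0;
	char ch;

	if (!cnt)
		return 0;
	ch = ubuf[read++];
	cnt--;
	if (!parser->cont) {
		while (cnt && isspace((unsigned char)ch)) { /* skip white space */
			ch = ubuf[read++];
			cnt--;
		}
		if (isspace((unsigned char)ch)) /* only spaces were written */
			return (ssize_t)read;
		parser->idx = 0;
	}
	/* read the non-space input: this loop does check the bound */
	while (cnt && !isspace((unsigned char)ch)) {
		if (parser->idx < parser->size - 1)
			parser->buffer[parser->idx++] = ch;
		else
			return -EINVAL;
		ch = ubuf[read++];
		cnt--;
	}
	if (isspace((unsigned char)ch)) {
		parser->buffer[parser->idx] = 0; /* idx <= size - 1 here */
		parser->cont = false;
	} else if (!checked || parser->idx < parser->size - 1) {
		/* Unchecked: with idx == size - 1 this store is still in bounds
		 * but leaves idx == size, so the caller's buffer[idx] = 0 lands
		 * one byte past the end of the allocation. */
		parser->cont = true;
		parser->buffer[parser->idx++] = ch;
	} else {
		return -EINVAL;
	}
	return (ssize_t)read;
}

/* Model of the caller (ftrace_event_write): one write() of cnt bytes, then
 * the NUL termination the report flags. The buffer carries one extra byte
 * standing in for the redzone. Returns 1 if that byte was overwritten,
 * 0 if not, -errno if the write was rejected. */
static int model_event_write(const char *ubuf, size_t cnt, size_t size,
			     bool checked)
{
	struct trace_parser p = { .cont = false, .idx = 0, .size = size };
	ssize_t ret;
	int rc;

	p.buffer = malloc(size + 1);
	if (!p.buffer)
		return -ENOMEM;
	p.buffer[size] = (char)REDZONE_BYTE;
	ret = model_trace_get_user(&p, ubuf, cnt, checked);
	if (ret >= 0)
		p.buffer[p.idx] = 0; /* 'parser.buffer[parser.idx] = 0;' */
	rc = ret < 0 ? (int)ret : ((unsigned char)p.buffer[size] != REDZONE_BYTE);
	free(p.buffer);
	return rc;
}

/* Constructed input: token_len 'a' bytes, optionally followed by a space. */
static int demo(size_t token_len, bool trailing_space, bool checked)
{
	char ubuf[PARSER_SIZE + 2];
	size_t cnt = token_len;

	memset(ubuf, 'a', token_len);
	if (trailing_space)
		ubuf[cnt++] = ' ';
	return model_event_write(ubuf, cnt, PARSER_SIZE, checked);
}
```

demo(PARSER_SIZE, false, false) is the shape of the report: a 128-byte token with no terminating whitespace fills the loop up to idx == 127, the unchecked trailing store consumes the last byte and leaves idx == 128, and the caller's NUL write hits the redzone byte. The same token followed by a space is rejected with -EINVAL by the loop's own check, and a 127-byte token fits either way; only the "input ends exactly at capacity" case slips through.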
Thread overview:
[not found] <CAAeHK+w+8=DGvFeuMAwS50RRvAGw1KkWHcivja5q-wmX8GtH2w@mail.gmail.com>
2013-10-02 18:38 ` Fwd: Potential out-of-bounds in ftrace_regex_release Andrey Konovalov
2013-10-02 18:57 ` Dave Jones
2013-10-02 19:06 ` Andrey Konovalov
2013-10-02 20:18 ` Steven Rostedt
2013-10-02 22:34 ` Dave Jones
2013-10-09 10:05 ` Andrey Konovalov [this message]
2013-10-10 2:23 ` Steven Rostedt
2013-10-14 8:29 ` Andrey Konovalov
2013-10-18 19:09 ` Steven Rostedt
2013-10-21 7:33 ` Andrey Konovalov