From: Steven Rostedt <rostedt@goodmis.org>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: "Dave Jones" <davej@redhat.com>,
	linux-kernel@vger.kernel.org,
	"Frédéric Weisbecker" <fweisbec@gmail.com>,
	mingo@redhat.com, "Dmitry Vyukov" <dvyukov@google.com>,
	"Kostya Serebryany" <kcc@google.com>
Subject: Re: Potential out-of-bounds in ftrace_regex_release
Date: Fri, 18 Oct 2013 15:09:03 -0400
Message-ID: <20131018150903.22f75457@gandalf.local.home>
In-Reply-To: <CAAeHK+zdgEFHkOYgqs2FT0a3KBumQ3NUjftoNzzVic+tjf29RQ@mail.gmail.com>

On Mon, 14 Oct 2013 12:29:13 +0400
Andrey Konovalov <andreyknvl@google.com> wrote:

> Testing now with your patch.
> I've seen this report only twice, so it will be difficult to say if
> it's not happening any more or just not triggered.

Can I assume that this is fixed? I'll put it in for 3.12 and mark it
for stable too.

-- Steve

> 
> On Thu, Oct 10, 2013 at 6:23 AM, Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Wed, 9 Oct 2013 14:05:26 +0400
> > Andrey Konovalov <andreyknvl@google.com> wrote:
> >> time cat trace > /tmp/trace
> >> So I still think that the bug is in 'trace_get_user()':
> >> Checking that 'parser->idx < parser->size - 1' is not performed in 'if
> >> (isspace(ch))' section, so 'parser->idx' becomes equal to
> >> 'parser->size' after 'parser->buffer[parser->idx++] = ch;'.
> >> (However in 'while (cnt && !isspace(ch))' loop checking is performed.)
> >
> > Yep, you are correct. I put in some printk's and did same writing to
> > the set_events file and was able to prove that I could get that "0"
> > written into the +1 overflow boundary.
> >
> > Can you try this patch to see if it fixes it for you.
> >
> > Thanks,
> >
> > -- Steve
> >
> > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> > index d5f7c4d..063a92b 100644
> > --- a/kernel/trace/trace.c
> > +++ b/kernel/trace/trace.c
> > @@ -843,9 +843,12 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
> >         if (isspace(ch)) {
> >                 parser->buffer[parser->idx] = 0;
> >                 parser->cont = false;
> > -       } else {
> > +       } else if (parser->idx < parser->size - 1) {
> >                 parser->cont = true;
> >                 parser->buffer[parser->idx++] = ch;
> > +       } else {
> > +               ret = -EINVAL;
> > +               goto out;
> >         }
> >
> >         *ppos += read;
> >
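Review bot: the new `else` branch returns `-EINVAL` with `parser->cont` and `parser->idx` left untouched, so a parser that an earlier call put into the continuing state (`parser->cont = true` in the `else if` just above) stays mid-token after the error; consider resetting both on this path, or document that callers must clear the parser after `-EINVAL`. A one-line comment that `parser->size - 1` reserves the final byte for the NUL written in the `isspace(ch)` branch would also help, since that invariant is exactly what the unchecked `parser->buffer[parser->idx++] = ch` broke.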

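The off-by-one Andrey describes, as an added user-space model that is not the kernel's code: the token-buffer handling of trace_get_user() with the original and the patched trailing-character branch, replayed against a constructed 4-byte buffer guarded by a canary byte. `parser_feed`, `canary_clobbered` and `is_space` are hypothetical names; plain pointer reads stand in for get_user().

```c
/* Constructed model of the trace_get_user() off-by-one discussed above (not kernel
 * code): the "one more char" path after the copy loop lacked the size check. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct parser {
	char *buffer;        /* token buffer; last byte is reserved for the NUL */
	size_t size, idx;
	bool cont;           /* token continues into the next call */
};
static bool is_space(char c) { return c == ' ' || c == '\n' || c == '\t'; }

/* Feed cnt bytes (kernel-side, not __user). Returns bytes consumed or -EINVAL.
 * `checked` selects the patched else-if branch for the trailing character. */
static int parser_feed(struct parser *p, const char *ubuf, size_t cnt, bool checked)
{
	int read = 0;
	char ch = *ubuf++; read++; cnt--;
	if (!p->cont) {                      /* new token: skip leading whitespace */
		while (cnt && is_space(ch)) { ch = *ubuf++; read++; cnt--; }
		if (is_space(ch)) return read;
	}
	while (cnt && !is_space(ch)) {       /* this loop was always bounds-checked */
		if (p->idx >= p->size - 1) return -EINVAL;
		p->buffer[p->idx++] = ch;
		ch = *ubuf++; read++; cnt--;
	}
	if (is_space(ch)) {
		p->buffer[p->idx] = 0;           /* in bounds only while idx <= size - 1 */
		p->cont = false;
	} else if (!checked || p->idx < p->size - 1) {
		p->cont = true;
		p->buffer[p->idx++] = ch;        /* unchecked: idx can become == size */
	} else {
		return -EINVAL;
	}
	return read;
}

/* Replays the report: "abcd" into a 4-byte buffer, then a space. Returns true
 * when the terminating NUL overwrote the canary byte one past the buffer. */
static bool canary_clobbered(bool checked)
{
	char storage[5] = { 'x', 'x', 'x', 'x', 'C' };   /* storage[4] is the canary */
	struct parser p = { storage, 4, 0, false };
	if (parser_feed(&p, "abcd", 4, checked) < 0) return false;  /* patched: rejected */
	parser_feed(&p, " ", 1, checked);
	return storage[4] != 'C';
}
```

With the original branch the second call writes the NUL at index 4 of a 4-byte buffer; with the patched branch the over-long token is rejected before that write can happen.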
