* [PATCH] kprobes: Limit max data_size of the kretprobe instances
@ 2021-12-01 14:45 Masami Hiramatsu
2021-12-01 16:19 ` Steven Rostedt
0 siblings, 1 reply; 3+ messages in thread
From: Masami Hiramatsu @ 2021-12-01 14:45 UTC (permalink / raw)
To: Steven Rostedt
Cc: LKML, zhangyue, naveen.n.rao, anil.s.keshavamurthy, davem, mhiramat
The kretprobe::data_size is unsigned (size_t) but it is
used as 'data_size + sizeof(struct kretprobe_instance)'.
Thus, it can be smaller than sizeof(struct kretprobe_instance)
while allocating memory for the kretprobe_instance.
To avoid this issue, introduce a max limitation of the
kretprobe::data_size. 4KB per instance should be OK.
Reported-by: zhangyue <zhangyue1@kylinos.cn>
Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
---
include/linux/kprobes.h | 2 ++
kernel/kprobes.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
index e974caf39d3e..8c8f7a4d93af 100644
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -153,6 +153,8 @@ struct kretprobe {
struct kretprobe_holder *rph;
};
+#define KRETPROBE_MAX_DATA_SIZE 4096
+
struct kretprobe_instance {
union {
struct freelist_node freelist;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index e9db0c810554..21eccc961bba 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp)
}
}
+ if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)
+ return -E2BIG;
+
rp->kp.pre_handler = pre_handler_kretprobe;
rp->kp.post_handler = NULL;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances
2021-12-01 14:45 [PATCH] kprobes: Limit max data_size of the kretprobe instances Masami Hiramatsu
@ 2021-12-01 16:19 ` Steven Rostedt
2021-12-02 0:13 ` Masami Hiramatsu
0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2021-12-01 16:19 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: LKML, zhangyue, naveen.n.rao, anil.s.keshavamurthy, davem
On Wed, 1 Dec 2021 23:45:50 +0900
Masami Hiramatsu <mhiramat@kernel.org> wrote:
> The kretprobe::data_size is unsigned (size_t) but it is
> used as 'data_size + sizeof(struct kretprobe_instance)'.
> Thus, it can be smaller than sizeof(struct kretprobe_instance)
> while allocating memory for the kretprobe_instance.
The above doesn't make sense.
data_size is unsigned but it is used as
'data_size + sizeof(struct kretprobe_instance)'.
What does that mean?
What can be smaller than sizeof(struct kretprobe_instance) and why does it
matter?
-- Steve
>
> To avoid this issue, introduce a max limitation of the
> kretprobe::data_size. 4KB per instance should be OK.
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances
2021-12-01 16:19 ` Steven Rostedt
@ 2021-12-02 0:13 ` Masami Hiramatsu
0 siblings, 0 replies; 3+ messages in thread
From: Masami Hiramatsu @ 2021-12-02 0:13 UTC (permalink / raw)
To: Steven Rostedt; +Cc: LKML, zhangyue, naveen.n.rao, anil.s.keshavamurthy, davem
On Wed, 1 Dec 2021 11:19:22 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:
> On Wed, 1 Dec 2021 23:45:50 +0900
> Masami Hiramatsu <mhiramat@kernel.org> wrote:
>
> > The kretprobe::data_size is unsigned (size_t) but it is
> > used as 'data_size + sizeof(struct kretprobe_instance)'.
> > Thus, it can be smaller than sizeof(struct kretprobe_instance)
> > while allocating memory for the kretprobe_instance.
>
> The above doesn't make sense.
>
> data_size is unsigned but it is used as
> 'data_size + sizeof(struct kretprobe_instance)'.
>
> What does that mean?
>
> What can be smaller than sizeof(struct kretprobe_instance) and why does it
> matter?
OK, what about this ?
The 'kprobe::data_size' is unsigned, thus it can not be negative.
But if user sets it enough big number (e.g. (size_t)-8), the result
of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than
sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance
are allocated without enough memory, and kretprobe accesses outside of
allocated memory.
Thank you,
--
Masami Hiramatsu <mhiramat@kernel.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-12-02 0:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-01 14:45 [PATCH] kprobes: Limit max data_size of the kretprobe instances Masami Hiramatsu
2021-12-01 16:19 ` Steven Rostedt
2021-12-02 0:13 ` Masami Hiramatsu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).