diff mbox series

tracing: Add size check when printing trace_marker output

Message ID	20231212084444.4619b8ce@gandalf.local.home
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Date: Tue, 12 Dec 2023 08:44:44 -0500 From: Steven Rostedt <rostedt@goodmis.org> To: LKML <linux-kernel@vger.kernel.org>, Linux Trace Kernel <linux-trace-kernel@vger.kernel.org> Cc: Masami Hiramatsu <mhiramat@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Subject: [PATCH] tracing: Add size check when printing trace_marker output Message-ID: <20231212084444.4619b8ce@gandalf.local.home> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk
Series	tracing: Add size check when printing trace_marker output \| tracing: Add size check when printing trace_marker output

Commit Message

Steven Rostedt Dec. 12, 2023, 1:44 p.m. UTC

  From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

If for some reason the trace_marker write does not have a nul byte for the
string, it will overflow the print:

  trace_seq_printf(s, ": %s", field->buf);

The field->buf could be missing the nul byte. To prevent overflow, add the
max size that the buf can be by using the event size and the field
location.

  int max = iter->ent_size - offsetof(struct print_entry, buf);

  trace_seq_printf(s, ": %*s", max, field->buf);

Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 kernel/trace/trace_output.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Mathieu Desnoyers Dec. 12, 2023, 2:23 p.m. UTC | #1

On 2023-12-12 08:44, Steven Rostedt wrote:
> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> 
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:

Does this result in leaking kernel memory to userspace ? If so, it
should state "Fixes..." and CC stable.

Thanks,

Mathieu

> 
>    trace_seq_printf(s, ": %s", field->buf);
> 
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
> 
>    int max = iter->ent_size - offsetof(struct print_entry, buf);
> 
>    trace_seq_printf(s, ": %*s", max, field->buf);
> 
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
>   kernel/trace/trace_output.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
>   {
>   	struct print_entry *field;
>   	struct trace_seq *s = &iter->seq;
> +	int max = iter->ent_size - offsetof(struct print_entry, buf);
>   
>   	trace_assign_type(field, iter->ent);
>   
>   	seq_print_ip_sym(s, field->ip, flags);
> -	trace_seq_printf(s, ": %s", field->buf);
> +	trace_seq_printf(s, ": %*s", max, field->buf);
>   
>   	return trace_handle_return(s);
>   }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
>   					 struct trace_event *event)
>   {
>   	struct print_entry *field;
> +	int max = iter->ent_size - offsetof(struct print_entry, buf);
>   
>   	trace_assign_type(field, iter->ent);
>   
> -	trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> +	trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>   
>   	return trace_handle_return(&iter->seq);
>   }

Steven Rostedt Dec. 12, 2023, 3:28 p.m. UTC | #2

On Tue, 12 Dec 2023 09:23:54 -0500
Mathieu Desnoyers <mathieu.desnoyers@efficios.com> wrote:

> On 2023-12-12 08:44, Steven Rostedt wrote:
> > From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> > 
> > If for some reason the trace_marker write does not have a nul byte for the
> > string, it will overflow the print:  
> 
> Does this result in leaking kernel memory to userspace ? If so, it
> should state "Fixes..." and CC stable.

No, it was triggered because of a bug elsewhere ;-)

  https://lore.kernel.org/linux-trace-kernel/20231212072558.61f76493@gandalf.local.home/

Which does have a Cc stable and Fixes tag.

The event truncated the trace_marker output and caused the buffer overflow
here. The trace_marker always adds a '\0', but that got dropped due to the
other bug. This is just hardening the kernel.

Note, this can only happen with the new code that allows trace_marker to
use the max size of the buffer, which is for the next kernel release.

-- Steve

Masami Hiramatsu (Google) Dec. 12, 2023, 10:47 p.m. UTC | #3

On Tue, 12 Dec 2023 08:44:44 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:

> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> 
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
> 
>   trace_seq_printf(s, ": %s", field->buf);
> 
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
> 
>   int max = iter->ent_size - offsetof(struct print_entry, buf);
> 
>   trace_seq_printf(s, ": %*s", max, field->buf);
> 

This looks good to me.

Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Thanks!

> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
>  kernel/trace/trace_output.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
>  {
>  	struct print_entry *field;
>  	struct trace_seq *s = &iter->seq;
> +	int max = iter->ent_size - offsetof(struct print_entry, buf);
>  
>  	trace_assign_type(field, iter->ent);
>  
>  	seq_print_ip_sym(s, field->ip, flags);
> -	trace_seq_printf(s, ": %s", field->buf);
> +	trace_seq_printf(s, ": %*s", max, field->buf);
>  
>  	return trace_handle_return(s);
>  }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
>  					 struct trace_event *event)
>  {
>  	struct print_entry *field;
> +	int max = iter->ent_size - offsetof(struct print_entry, buf);
>  
>  	trace_assign_type(field, iter->ent);
>  
> -	trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> +	trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>  
>  	return trace_handle_return(&iter->seq);
>  }
> -- 
> 2.42.0
>

Steven Rostedt Dec. 13, 2023, 3:10 a.m. UTC | #4

On Tue, 12 Dec 2023 08:44:44 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:

> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> 
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
> 
>   trace_seq_printf(s, ": %s", field->buf);
> 
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
> 
>   int max = iter->ent_size - offsetof(struct print_entry, buf);
> 
>   trace_seq_printf(s, ": %*s", max, field->buf);

Bah, this needs to be:

   trace_seq_printf(s, ": %.*s", max, field->buf);

Note the '.' between % and *. Otherwise it right aligns the output.

This did fail the selftest for trace_printk(), but I modified the new one
to add " *" to accommodate it :-p

Sending out v2.

-- Steve

diff mbox series

Patch

diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index d8b302d01083..e11fb8996286 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1587,11 +1587,12 @@  static enum print_line_t trace_print_print(struct trace_iterator *iter,
 {
 	struct print_entry *field;
 	struct trace_seq *s = &iter->seq;
+	int max = iter->ent_size - offsetof(struct print_entry, buf);
 
 	trace_assign_type(field, iter->ent);
 
 	seq_print_ip_sym(s, field->ip, flags);
-	trace_seq_printf(s, ": %s", field->buf);
+	trace_seq_printf(s, ": %*s", max, field->buf);
 
 	return trace_handle_return(s);
 }
@@ -1600,10 +1601,11 @@  static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
 					 struct trace_event *event)
 {
 	struct print_entry *field;
+	int max = iter->ent_size - offsetof(struct print_entry, buf);
 
 	trace_assign_type(field, iter->ent);
 
-	trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+	trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
 
 	return trace_handle_return(&iter->seq);
 }