kernel/trace/trace_output.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
If for some reason the trace_marker write does not have a nul byte for the
string, it will overflow the print:
trace_seq_printf(s, ": %s", field->buf);
The field->buf could be missing the nul byte. To prevent overflow, add the
max size that the buf can be by using the event size and the field
location.
int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_seq_printf(s, ": %*s", max, field->buf);
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
kernel/trace/trace_output.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index d8b302d01083..e11fb8996286 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
{
struct print_entry *field;
struct trace_seq *s = &iter->seq;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
seq_print_ip_sym(s, field->ip, flags);
- trace_seq_printf(s, ": %s", field->buf);
+ trace_seq_printf(s, ": %*s", max, field->buf);
return trace_handle_return(s);
}
@@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
struct trace_event *event)
{
struct print_entry *field;
+ int max = iter->ent_size - offsetof(struct print_entry, buf);
trace_assign_type(field, iter->ent);
- trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+ trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
return trace_handle_return(&iter->seq);
}
--
2.42.0On Tue, 12 Dec 2023 08:44:44 -0500 Steven Rostedt <rostedt@goodmis.org> wrote: > From: "Steven Rostedt (Google)" <rostedt@goodmis.org> > > If for some reason the trace_marker write does not have a nul byte for the > string, it will overflow the print: > > trace_seq_printf(s, ": %s", field->buf); > > The field->buf could be missing the nul byte. To prevent overflow, add the > max size that the buf can be by using the event size and the field > location. > > int max = iter->ent_size - offsetof(struct print_entry, buf); > > trace_seq_printf(s, ": %*s", max, field->buf); Bah, this needs to be: trace_seq_printf(s, ": %.*s", max, field->buf); Note the '.' between % and *. Otherwise it right aligns the output. This did fail the selftest for trace_printk(), but I modified the new one to add " *" to accommodate it :-p Sending out v2. -- Steve
On Tue, 12 Dec 2023 08:44:44 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:
> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
>
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
>
> trace_seq_printf(s, ": %s", field->buf);
>
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
>
> int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_seq_printf(s, ": %*s", max, field->buf);
>
This looks good to me.
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Thanks!
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
> kernel/trace/trace_output.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
> {
> struct print_entry *field;
> struct trace_seq *s = &iter->seq;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> seq_print_ip_sym(s, field->ip, flags);
> - trace_seq_printf(s, ": %s", field->buf);
> + trace_seq_printf(s, ": %*s", max, field->buf);
>
> return trace_handle_return(s);
> }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
> struct trace_event *event)
> {
> struct print_entry *field;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> - trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> + trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>
> return trace_handle_return(&iter->seq);
> }
> --
> 2.42.0
>
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>
On 2023-12-12 08:44, Steven Rostedt wrote:
> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
>
> If for some reason the trace_marker write does not have a nul byte for the
> string, it will overflow the print:
Does this result in leaking kernel memory to userspace ? If so, it
should state "Fixes..." and CC stable.
Thanks,
Mathieu
>
> trace_seq_printf(s, ": %s", field->buf);
>
> The field->buf could be missing the nul byte. To prevent overflow, add the
> max size that the buf can be by using the event size and the field
> location.
>
> int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_seq_printf(s, ": %*s", max, field->buf);
>
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
> kernel/trace/trace_output.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index d8b302d01083..e11fb8996286 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1587,11 +1587,12 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
> {
> struct print_entry *field;
> struct trace_seq *s = &iter->seq;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> seq_print_ip_sym(s, field->ip, flags);
> - trace_seq_printf(s, ": %s", field->buf);
> + trace_seq_printf(s, ": %*s", max, field->buf);
>
> return trace_handle_return(s);
> }
> @@ -1600,10 +1601,11 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
> struct trace_event *event)
> {
> struct print_entry *field;
> + int max = iter->ent_size - offsetof(struct print_entry, buf);
>
> trace_assign_type(field, iter->ent);
>
> - trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
> + trace_seq_printf(&iter->seq, "# %lx %*s", field->ip, max, field->buf);
>
> return trace_handle_return(&iter->seq);
> }
--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com
On Tue, 12 Dec 2023 09:23:54 -0500 Mathieu Desnoyers <mathieu.desnoyers@efficios.com> wrote: > On 2023-12-12 08:44, Steven Rostedt wrote: > > From: "Steven Rostedt (Google)" <rostedt@goodmis.org> > > > > If for some reason the trace_marker write does not have a nul byte for the > > string, it will overflow the print: > > Does this result in leaking kernel memory to userspace ? If so, it > should state "Fixes..." and CC stable. No, it was triggered because of a bug elsewhere ;-) https://lore.kernel.org/linux-trace-kernel/20231212072558.61f76493@gandalf.local.home/ Which does have a Cc stable and Fixes tag. The event truncated the trace_marker output and caused the buffer overflow here. The trace_marker always adds a '\0', but that got dropped due to the other bug. This is just hardening the kernel. Note, this can only happen with the new code that allows trace_marker to use the max size of the buffer, which is for the next kernel release. -- Steve
© 2016 - 2025 Red Hat, Inc.