From nobody Sun Oct  5 09:06:16 2025
Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com
 [45.249.212.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CDA254431;
	Wed,  6 Aug 2025 06:57:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=45.249.212.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1754463474; cv=none;
 b=fLFyP1gmqcXVhtkZ0EuETeNtdoX0yGhnHXGxoUvTKAJUuiml3h2hfZpPQWubi74JbwA//t20F8rjHNpcqG+iWgYujJ76XTxVbBg4NL0OXuM57zQZ6p6FbazUdw8TNBU/uLfDKDyclbnnSHxB5d/ST6nkSmN4CutghUSV47xZUzM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1754463474; c=relaxed/simple;
	bh=2jYIU+XRvLJDbG7/RHlYFG1mX5xPXlzCIJa6FWLLdkg=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=UXb0rO7rFKvI6C5lbP+s8c9NtCIUvm3NNSjM98gpz4L9I17sAeLPQOaGAPRJMrhHPuaFhX69awK1sXlAhXX/jUh6SYshcus76ZlnAYcqfYdrnqlNOZF+dA8TEHQkz/k1jw7HVoqCpvLE7rF0HbCTKtFkA3MDs1OJ8I9DZ05WL9Y=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=huaweicloud.com;
 spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=huaweicloud.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=huaweicloud.com
Received: from mail.maildlp.com (unknown [172.19.163.216])
	by dggsgout11.his.huawei.com (SkyGuard) with ESMTPS id 4bxh250NmszYQtHC;
	Wed,  6 Aug 2025 14:57:49 +0800 (CST)
Received: from mail02.huawei.com (unknown [10.116.40.128])
	by mail.maildlp.com (Postfix) with ESMTP id B13411A154F;
	Wed,  6 Aug 2025 14:57:47 +0800 (CST)
Received: from ultra.huawei.com (unknown [10.90.53.71])
	by APP4 (Coremail) with SMTP id gCh0CgCHTg_p_JJokoH5Cg--.33530S2;
	Wed, 06 Aug 2025 14:57:46 +0800 (CST)
From: Pu Lehui <pulehui@huaweicloud.com>
To: rostedt@goodmis.org,
	mhiramat@kernel.org,
	mathieu.desnoyers@efficios.com
Cc: linux-kernel@vger.kernel.org,
	linux-trace-kernel@vger.kernel.org,
	pulehui@huawei.com
Subject: [PATCH v2] tracing: Limit access to parser->buffer when
 trace_get_user failed
Date: Wed,  6 Aug 2025 07:01:09 +0000
Message-Id: <20250806070109.1320165-1-pulehui@huaweicloud.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-CM-TRANSID: gCh0CgCHTg_p_JJokoH5Cg--.33530S2
X-Coremail-Antispam: 1UD129KBjvJXoWxJw13Xw45GFyxZw1DGw13twb_yoWrJFykpF
	W3Krs7GwsFqF4IyF4rZr18CF95X393JryUGF4kJw1Yvr9xtr1q9rWxuFnF9w1fKryrG3y3
	AFWYvrW8Kr1jvaUanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUyEb4IE77IF4wAFF20E14v26r1j6r4UM7CY07I20VC2zVCF04k2
	6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4
	vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7Cj
	xVAFwI0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x
	0267AKxVW0oVCq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG
	6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV
	Cjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JMxkF7I0En4kS14v26r126r1DMxAIw28IcxkI
	7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxV
	Cjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUAVWUtwCIc40Y0x0EwIxGrwCI42IY
	6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWUJVW8JwCI42IY6x
	AIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY
	1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IU80fO7UUUUU==
X-CM-SenderInfo: psxovxtxl6x35dzhxuhorxvhhfrp/
Content-Type: text/plain; charset="utf-8"

From: Pu Lehui <pulehui@huawei.com>

When the length of the string written to set_ftrace_filter exceeds
FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:

BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
Read of size 1 at addr ffff0000d00bd5ba by task ash/165

CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x34/0x50 (C)
 dump_stack_lvl+0xa0/0x158
 print_address_description.constprop.0+0x88/0x398
 print_report+0xb0/0x280
 kasan_report+0xa4/0xf0
 __asan_report_load1_noabort+0x20/0x30
 strsep+0x18c/0x1b0
 ftrace_process_regex.isra.0+0x100/0x2d8
 ftrace_regex_release+0x484/0x618
 __fput+0x364/0xa58
 ____fput+0x28/0x40
 task_work_run+0x154/0x278
 do_notify_resume+0x1f0/0x220
 el0_svc+0xec/0xf0
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1ac/0x1b0

The reason is that trace_get_user will fail when processing a string
longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.
Then an OOB access will be triggered in ftrace_regex_release->
ftrace_process_regex->strsep->strpbrk. We can solve this problem by
limiting access to parser->buffer when trace_get_user failed.

Fixes: 8c9af478c06b ("ftrace: Handle commands when closing set_ftrace_filte=
r file")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
---

v2:
- Add `fail` field to struct trace_parser to indicate parsing failed.

v1:
https://lore.kernel.org/all/20250805151203.1214790-1-pulehui@huaweicloud.co=
m/

 kernel/trace/trace.c | 20 ++++++++++++++------
 kernel/trace/trace.h |  3 ++-
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 4283ed4e8f59..138212f4ecde 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1814,9 +1814,11 @@ int trace_get_user(struct trace_parser *parser, cons=
t char __user *ubuf,
 	if (!*ppos)
 		trace_parser_clear(parser);
=20
+	parser->fail =3D false;
+
 	ret =3D get_user(ch, ubuf++);
 	if (ret)
-		return ret;
+		goto fail;
=20
 	read++;
 	cnt--;
@@ -1830,7 +1832,7 @@ int trace_get_user(struct trace_parser *parser, const=
 char __user *ubuf,
 		while (cnt && isspace(ch)) {
 			ret =3D get_user(ch, ubuf++);
 			if (ret)
-				return ret;
+				goto fail;
 			read++;
 			cnt--;
 		}
@@ -1848,12 +1850,14 @@ int trace_get_user(struct trace_parser *parser, con=
st char __user *ubuf,
 	while (cnt && !isspace(ch) && ch) {
 		if (parser->idx < parser->size - 1)
 			parser->buffer[parser->idx++] =3D ch;
-		else
-			return -EINVAL;
+		else {
+			ret =3D -EINVAL;
+			goto fail;
+		}
=20
 		ret =3D get_user(ch, ubuf++);
 		if (ret)
-			return ret;
+			goto fail;
 		read++;
 		cnt--;
 	}
@@ -1868,11 +1872,15 @@ int trace_get_user(struct trace_parser *parser, con=
st char __user *ubuf,
 		/* Make sure the parsed string always terminates with '\0'. */
 		parser->buffer[parser->idx] =3D 0;
 	} else {
-		return -EINVAL;
+		ret =3D -EINVAL;
+		goto fail;
 	}
=20
 	*ppos +=3D read;
 	return read;
+fail:
+	parser->fail =3D true;
+	return ret;
 }
=20
 /* TODO add a seq_buf_to_buffer() */
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 1dbf1d3cf2f1..5072bb25a860 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1292,6 +1292,7 @@ bool ftrace_event_is_function(struct trace_event_call=
 *call);
  */
 struct trace_parser {
 	bool		cont;
+	bool		fail;
 	char		*buffer;
 	unsigned	idx;
 	unsigned	size;
@@ -1299,7 +1300,7 @@ struct trace_parser {
=20
 static inline bool trace_parser_loaded(struct trace_parser *parser)
 {
-	return (parser->idx !=3D 0);
+	return !parser->fail && parser->idx !=3D 0;
 }
=20
 static inline bool trace_parser_cont(struct trace_parser *parser)
--=20
2.34.1