github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-10 07:32:29 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
3f6ba7f88d
linux/kernel
History
Steven Rostedt (Red Hat) 3f6ba7f88d tracing/filter: Do not allow infix to exceed end of string 
commit 6b88f44e16 upstream.

While debugging a WARN_ON() for filtering, I found that it is possible
for the filter string to be referenced after its end. With the filter:

 # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter

The filter_parse() function can call infix_get_op() which calls
infix_advance() that updates the infix filter pointers for the cnt
and tail without checking if the filter is already at the end, which
will put the cnt to zero and the tail beyond the end. The loop then calls
infix_next() that has

	ps->infix.cnt--;
	return ps->infix.string[ps->infix.tail++];

The cnt will now be below zero, and the tail that is returned is
already passed the end of the filter string. So far the allocation
of the filter string usually has some buffer that is zeroed out, but
if the filter string is of the exact size of the allocated buffer
there's no guarantee that the charater after the nul terminating
character will be zero.

Luckily, only root can write to the filter.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-08-03 09:29:45 -07:00
..
cpu sched, idle: Fix the idle polling state logic 2013-11-29 11:11:42 -08:00
debug kdb: fix incorrect counts in KDB summary command output 2015-03-06 14:40:52 -08:00
events perf: Fix irq_work 'tail' recursion 2015-04-13 14:02:12 +02:00
gcov
irq genirq: Sanitize spurious interrupt detection of threaded irqs 2014-06-30 20:09:45 -07:00
power PM / QoS: remove duplicate call to pm_qos_update_target 2015-03-18 13:22:28 +01:00
sched printk: rename printk_sched to printk_deferred 2014-08-07 14:30:26 -07:00
time ntp: Fixup adjtimex freq validation on 32-bit systems 2015-03-06 14:40:52 -08:00
trace tracing/filter: Do not allow infix to exceed end of string 2015-08-03 09:29:45 -07:00
.gitignore kernel/hz.bc: ignore. 2013-04-22 07:09:06 -07:00
acct.c fs: Fix hang with BSD accounting on frozen filesystem 2013-05-04 14:57:58 -04:00
async.c async: rename and redefine async_func_ptr 2013-03-12 13:59:14 -07:00
audit_tree.c audit: keep inode pinned 2014-11-21 09:22:52 -08:00
audit_watch.c
audit.c CAPABILITIES: remove undefined caps from all processes 2014-09-17 09:03:57 -07:00
audit.h audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record 2013-12-04 10:57:03 -08:00
auditfilter.c auditfilter.c: fix kernel-doc warnings 2013-05-24 16:22:52 -07:00
auditsc.c auditsc: audit_krule mask accesses need bounds checking 2014-06-16 13:42:53 -07:00
backtracetest.c
bounds.c
capability.c CAPABILITIES: remove undefined caps from all processes 2014-09-17 09:03:57 -07:00
cgroup_freezer.c
cgroup.c move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:34:00 +02:00
compat.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2013-05-01 07:21:43 -07:00
configs.c proc: Supply PDE attribute setting accessor functions 2013-05-01 17:29:18 -04:00
context_tracking.c Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-06-20 08:18:35 -10:00
cpu_pm.c
cpu.c sched: Fix hotplug vs. set_cpus_allowed_ptr() 2014-06-11 12:03:24 -07:00
cpuset.c cpuset,mempolicy: fix sleeping function called from invalid context 2014-07-17 15:58:00 -07:00
crash_dump.c
cred.c
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c introduce for_each_thread() to replace the buggy while_each_thread() 2014-10-05 14:54:15 -07:00
extable.c extable: Flip the sorting message 2013-04-15 13:25:16 +02:00
fork.c perf: fix perf bug in fork() 2014-10-09 12:18:42 -07:00
freezer.c freezer: Do not freeze tasks killed by OOM killer 2014-11-14 08:47:58 -08:00
futex_compat.c
futex.c futex: Make lookup_pi_state more robust 2014-06-07 13:25:41 -07:00
groups.c userns: Don't allow setgroups until a gid mapping has been setablished 2015-01-08 09:58:16 -08:00
hrtimer.c hrtimer: Set expiry time before switch_hrtimer_base() 2014-06-07 13:25:31 -07:00
hung_task.c
irq_work.c
itimer.c
jump_label.c
kallsyms.c kernel: kallsyms: memory override issue, need check destination buffer length 2013-04-15 15:17:26 +09:30
kcmp.c kcmp: fix standard comparison bug 2014-10-05 14:54:13 -07:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks locking/mutex: Disable optimistic spinning on some architectures 2014-07-28 08:00:07 -07:00
Kconfig.preempt
kexec.c PCI: Disable Bus Master only on kexec reboot 2013-12-20 07:45:08 -08:00
kmod.c usermodehelper: check subprocess_info->path != NULL 2013-05-16 12:01:11 -07:00
kprobes.c kprobes: Fix to free gone and unused optprobes 2013-05-28 10:37:59 +02:00
ksysfs.c
kthread.c kthread: implement probe_kthread_data() 2013-04-30 17:04:02 -07:00
latencytop.c
lglock.c
lockdep_internals.h
lockdep_proc.c
lockdep_states.h
lockdep.c Merge branch 'for-3.10/drivers' of git://git.kernel.dk/linux-block 2013-05-08 11:51:05 -07:00
Makefile We get rid of the general module prefix confusion with a binary config option, 2013-05-05 10:58:06 -07:00
modsign_certificate.S CONFIG_SYMBOL_PREFIX: cleanup. 2013-03-15 15:09:43 +10:30
modsign_pubkey.c
module_signing.c
module-internal.h
module.c modules, lock around setting of MODULE_STATE_UNFORMED 2014-11-14 08:47:55 -08:00
mutex-debug.c
mutex-debug.h
mutex.c mutex: Back out architecture specific check for negative mutex count 2013-04-19 09:33:36 +02:00
mutex.h
notifier.c
nsproxy.c proc: Split the namespace stuff out into linux/proc_ns.h 2013-05-01 17:29:39 -04:00
padata.c
panic.c dump_stack: implement arch-specific hardware description in task dumps 2013-04-30 17:04:02 -07:00
params.c params: Fix potential memory leak in add_sysfs_param() 2013-03-18 11:40:21 +00:00
pid_namespace.c pid_namespace: pidns_get() should check task_active_pid_ns() != NULL 2014-04-26 17:15:34 -07:00
pid.c exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting 2015-01-08 09:58:17 -08:00
posix-cpu-timers.c posix_timers: Fix pre-condition to stop the tick on full dynticks 2013-04-22 19:59:25 +02:00
posix-timers.c posix-timers: Fix stack info leak in timer_create() 2014-11-14 08:48:00 -08:00
printk.c console: Fix console name size mismatch 2015-04-19 10:10:51 +02:00
profile.c proc: Supply PDE attribute setting accessor functions 2013-05-01 17:29:18 -04:00
ptrace.c __ptrace_may_access() should not deny sub-threads 2015-07-03 19:48:08 -07:00
range.c range: Do not add new blank slot with add_range_with_merge 2013-06-18 11:32:10 -05:00
rcu.h
rcupdate.c
rcutiny_plugin.h
rcutiny.c
rcutorture.c
rcutree_plugin.h rcu: Don't allocate bootmem from rcu_init() 2013-05-15 10:41:12 -07:00
rcutree_trace.c rcutrace: single_open() leaks 2013-05-05 00:16:35 -04:00
rcutree.c rcu: Fix deadlock with CPU hotplug, RCU GP init, and timer migration 2013-06-10 13:37:12 -07:00
rcutree.h rcu: Don't call wakeup() with rcu_node structure ->lock held 2013-06-10 13:37:11 -07:00
relay.c Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block 2013-05-08 10:13:35 -07:00
res_counter.c
resource.c mem hotunplug: fix kfree() of bootmem memory 2013-04-29 15:54:40 -07:00
rtmutex_common.h
rtmutex-debug.c
rtmutex-debug.h rtmutex: Handle deadlock detection smarter 2014-07-17 15:58:04 -07:00
rtmutex-tester.c locking/rtmutex/tester: Set correct permissions on sysfs files 2013-04-10 14:48:37 +02:00
rtmutex.c rtmutex: Plug slow unlock race 2014-07-17 15:58:04 -07:00
rtmutex.h rtmutex: Handle deadlock detection smarter 2014-07-17 15:58:04 -07:00
rwsem.c Revert "rw_semaphore: remove up/down_read_non_owner" 2013-03-23 15:53:52 -07:00
seccomp.c seccomp: allow BPF_XOR based ALU instructions. 2013-03-26 11:07:19 +11:00
semaphore.c semaphore: use `bool' type for semaphore_waiter's up 2013-04-30 17:04:08 -07:00
signal.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-05-01 14:08:52 -07:00
smp.c kernel/smp.c:on_each_cpu_cond(): fix warning in fallback path 2014-09-17 09:03:57 -07:00
smpboot.c smpboot: Add missing get_online_cpus() in smpboot_register_percpu_thread() 2015-02-11 14:48:17 +08:00
smpboot.h
softirq.c revert "softirq: Add support for triggering softirq work on softirqs" 2015-05-17 09:51:33 -07:00
spinlock.c
srcu.c
stacktrace.c
stop_machine.c stop_machine: Mark per cpu stopper enabled early 2013-02-26 22:25:17 +01:00
sys_ni.c unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE 2013-05-09 13:46:38 -04:00
sys.c reboot: rigrate shutdown/reboot to boot cpu 2013-06-12 16:29:44 -07:00
sysctl_binary.c switch compat_sys_sysctl to COMPAT_SYSCALL_DEFINE 2013-05-09 14:53:20 -04:00
sysctl.c perf: Enforce 1 as lower limit for perf_event_max_sample_rate 2014-06-11 12:03:27 -07:00
task_work.c
taskstats.c
test_kprobes.c kernel/: rename random32() to prandom_u32() 2013-04-29 18:28:42 -07:00
time.c time: settimeofday: Validate the values of tv from user 2015-01-29 17:40:56 -08:00
timeconst.bc
timer.c timer: Prevent overflow in apply_slack 2014-06-07 13:25:30 -07:00
tracepoint.c tracepoint: Do not waste memory on mods with no tracepoints 2014-05-30 21:52:11 -07:00
tsacct.c
uid16.c groups: Consolidate the setgroups permission checks 2015-01-08 09:58:16 -08:00
up.c
user_namespace.c userns: Allow setting gid_maps without privilege when setgroups is disabled 2015-01-08 09:58:17 -08:00
user-return-notifier.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
user.c userns: Add a knob to disable setgroups on a per user namespace basis 2015-01-08 09:58:16 -08:00
utsname_sysctl.c kernel/utsname_sysctl.c: put get/get_uts() into CONFIG_PROC_SYSCTL code block 2013-02-27 19:10:22 -08:00
utsname.c proc: Split the namespace stuff out into linux/proc_ns.h 2013-05-01 17:29:39 -04:00
wait.c
watchdog.c watchdog: Add comments to explain the watchdog_disabled variable 2013-03-14 08:24:05 +01:00
workqueue_internal.h workqueue: include workqueue info when printing debug dump of a worker task 2013-04-30 17:04:02 -07:00
workqueue.c workqueue: fix hang involving racing cancel[_delayed]_work_sync()'s for PREEMPT_NONE 2015-03-26 15:00:58 +01:00