linux/include/trace/events
JP Kobryn 0590874226 9p: prevent read overrun in protocol dump tracepoint
commit a931c68160 upstream.

An out of bounds read can occur within the tracepoint 9p_protocol_dump. In
the fast assign, there is a memcpy that uses a constant size of 32 (macro
named P9_PROTO_DUMP_SZ). When the copy is invoked, the source buffer is not
guaranteed to match this size. It was found that in some cases the source
buffer size is less than 32, resulting in a read that overruns.

The size of the source buffer seems to be known at the time of the
tracepoint being invoked. The allocations happen within p9_fcall_init(),
where the capacity field is set to the allocated size of the payload
buffer. This patch tries to fix the overrun by changing the fixed array to
a dynamically sized array and using the minimum of the capacity value or
P9_PROTO_DUMP_SZ as its length. The trace log statement is adjusted to
account for this. Note that the trace log no longer splits the payload on
the first 16 bytes. The full payload is now logged to a single line.

To repro the original problem, operations to a plan 9 managed resource can
be used. The simplest approach might just be mounting a shared filesystem
(between host and guest vm) using the plan 9 protocol while the tracepoint
is enabled.

mount -t 9p -o trans=virtio <mount_tag> <mount_path>

The bpftrace program below can be used to show the out of bounds read.
Note that a recent version of bpftrace is needed for the raw tracepoint
support. The script was tested using v0.19.0.

/* from include/net/9p/9p.h */
struct p9_fcall {
    u32 size;
    u8 id;
    u16 tag;
    size_t offset;
    size_t capacity;
    struct kmem_cache *cache;
    u8 *sdata;
    bool zc;
};

tracepoint:9p:9p_protocol_dump
{
    /* out of bounds read can happen when this tracepoint is enabled */
}

rawtracepoint:9p_protocol_dump
{
    $pdu = (struct p9_fcall *)arg1;   /* second tracepoint argument is the pdu */
    $dump_sz = (uint64)32;            /* P9_PROTO_DUMP_SZ, the fixed memcpy size */

    if ($dump_sz > $pdu->capacity) {
        printf("reading %zu bytes from src buffer of %zu bytes\n",
            $dump_sz, $pdu->capacity);
    }
}

Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
Message-ID: <20231204202321.22730-1-inwardvessel@gmail.com>
Fixes: 60ece0833b ("net/9p: allocate appropriate reduced message buffers")
Cc: stable@vger.kernel.org
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-01 12:42:43 +00:00
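The bounded copy the commit describes, as an added user-space model rather than code from the patch or the kernel: struct p9_fcall_model, overrun_bytes_fixed, dump_len and proto_dump are assumed names, and the sample payload bytes are constructed.

```c
/* Added example, not code from the kernel patch: a user-space model of the
 * 9p_protocol_dump fast-assign copy before and after the fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P9_PROTO_DUMP_SZ 32   /* fixed copy size used by the tracepoint */

/* Stand-in for the kernel's struct p9_fcall, keeping only the fields the
 * dump needs; capacity is the allocated size of the payload buffer. */
struct p9_fcall_model {
    size_t capacity;
    uint8_t *sdata;
};

/* Before the fix: memcpy always read P9_PROTO_DUMP_SZ bytes, so a smaller
 * payload buffer was over-read. Returns how far past sdata that copy reads. */
static size_t overrun_bytes_fixed(const struct p9_fcall_model *pdu)
{
    return pdu->capacity < P9_PROTO_DUMP_SZ ? P9_PROTO_DUMP_SZ - pdu->capacity : 0;
}

/* After the fix: the dynamic array length is min(capacity, P9_PROTO_DUMP_SZ). */
static size_t dump_len(const struct p9_fcall_model *pdu)
{
    return pdu->capacity < P9_PROTO_DUMP_SZ ? pdu->capacity : P9_PROTO_DUMP_SZ;
}

/* Bounded copy plus single-line hex rendering, as the adjusted trace log
 * statement does. out must hold 2*P9_PROTO_DUMP_SZ+1 bytes; returns out. */
static char *proto_dump(const struct p9_fcall_model *pdu, char *out)
{
    uint8_t line[P9_PROTO_DUMP_SZ];
    size_t n = dump_len(pdu);
    memcpy(line, pdu->sdata, n);   /* never reads beyond capacity */
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02x", line[i]);
    out[2 * n] = '\0';
    return out;
}

int main(void)
{
    uint8_t small[8] = { 0x0b, 0, 0, 0, 0x64, 0xff, 0xff, 0x00 }; /* constructed */
    struct p9_fcall_model pdu = { .capacity = sizeof(small), .sdata = small };
    char out[2 * P9_PROTO_DUMP_SZ + 1];
    printf("fixed 32-byte copy would over-read by %zu bytes\n", overrun_bytes_fixed(&pdu));
    printf("bounded dump (%zu bytes): %s\n", dump_len(&pdu), proto_dump(&pdu, out));
    return 0;
}
```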
9p.h 9p: prevent read overrun in protocol dump tracepoint 2024-01-01 12:42:43 +00:00
afs.h afs: Fix access after dec in put functions 2022-08-02 18:21:29 +01:00
alarmtimer.h
asoc.h ASoC: soc-core: tidyup jack.h 2020-11-30 12:54:01 +00:00
avc.h
bcache.h block: remove superfluous param in blk_fill_rwbs() 2021-02-22 06:37:41 -07:00
block.h fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
bpf_test_run.h
bridge.h net: bridge: Add a tracepoint for MDB overflows 2023-02-06 08:48:25 +00:00
btrfs.h btrfs: remove v0 extent handling 2023-08-21 14:54:48 +02:00
cachefiles.h fscache,cachefiles: add prepare_ondemand_read() callback 2022-12-07 10:56:29 +08:00
cgroup.h cgroup: Trace event cgroup id fields should be u64 2021-12-01 07:23:35 -10:00
clk.h clk: Add trace events for rate requests 2022-12-07 13:54:09 -08:00
cma.h trace: cma: remove unnecessary event class cma_alloc_class 2023-04-05 19:42:58 -07:00
compaction.h mm: compaction: add trace event for fast freepages isolation 2023-06-09 16:25:43 -07:00
context_tracking.h
cpuhp.h
csd.h trace,smp: Add tracepoints for scheduling remotelly called functions 2023-06-16 22:08:09 +02:00
damon.h mm/damon: hide kernel pointer from tracepoint event 2022-01-15 16:30:33 +02:00
devfreq.h PM / devfreq: Add tracepoint for frequency changes 2020-10-26 10:52:37 +09:00
devlink.h devlink: Fix TP_STRUCT_entry in trace of devlink health report 2023-02-15 19:15:44 -08:00
dlm.h fs: dlm: add plock dev tracepoints 2023-08-10 10:33:03 -05:00
dma_fence.h treewide: Add missing semicolons to __assign_str uses 2021-06-30 09:19:14 -04:00
erofs.h erofs: adapt folios for z_erofs_read_folio() 2023-08-23 23:47:33 +08:00
error_report.h panic: use error_report_end tracepoint on warnings 2022-01-20 08:52:55 +02:00
ext4.h ext4: Give symbolic names to mballoc criterias 2023-06-26 19:34:56 -04:00
f2fs.h f2fs: add async reset zone command support 2023-06-12 13:04:09 -07:00
fib.h net: Replace strlcpy with strscpy 2023-07-04 19:40:16 +01:00
fib6.h net: Replace strlcpy with strscpy 2023-07-04 19:40:16 +01:00
filelock.h
filemap.h filemap: Convert tracing of page cache operations to folio 2022-01-04 13:15:33 -05:00
fs_dax.h
fscache.h fscache: Fix oops due to race with cookie_lru and use_cookie 2022-12-07 11:49:18 -08:00
fsi_master_aspeed.h fsi: Add trace events in initialization path 2022-02-21 19:38:54 +10:30
fsi_master_ast_cf.h
fsi_master_gpio.h
fsi_master_i2cr.h fsi: Add IBM I2C Responder virtual FSI master 2023-08-11 13:32:14 +09:30
fsi.h fsi: core: Add trace events for scan and unregister 2023-08-09 15:43:28 +09:30
gpio.h
gpu_mem.h
habanalabs.h habanalabs: define events to trace PCI LBW access 2023-01-26 11:52:11 +02:00
handshake.h net/handshake: Trace events for TLS Alert helpers 2023-07-28 14:07:59 -07:00
host1x.h
huge_memory.h mm/khugepaged: skip shmem with userfaultfd 2023-04-18 16:29:52 -07:00
hwmon.h
i2c_slave.h i2c: add tracepoints for I2C slave events 2022-03-20 00:11:05 +01:00
i2c.h
ib_mad.h IB/mad: Don't call to function that might sleep while in atomic context 2022-11-10 10:57:15 +02:00
ib_umad.h
initcall.h
intel_ifs.h trace: platform/x86/intel/ifs: Add trace point to track Intel IFS operations 2022-05-12 15:35:29 +02:00
intel_ish.h
intel-sst.h
io_uring.h io_uring: rename trace_io_uring_submit_sqe() tracepoint 2023-04-03 07:16:15 -06:00
iocost.h blk-iocost: Trace vtime_base_rate instead of vtime_rate 2022-12-01 07:44:12 -07:00
iommu.h iommu: Remove detach_dev callback 2023-01-13 16:39:18 +01:00
ipi.h trace: Add trace_ipi_send_cpu() 2023-03-24 11:01:29 +01:00
irq_matrix.h
irq.h softirq: Add trace points for tasklet entry/exit 2023-04-15 10:17:16 +02:00
iscsi.h scsi: iscsi: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
jbd2.h jbd2: remove journal_clean_one_cp_list() 2023-07-10 23:09:21 -04:00
kmem.h mm: convert mm's rss stats into percpu_counter 2022-11-30 15:58:40 -08:00
ksm.h mm: add tracepoints to ksm 2023-03-28 16:20:08 -07:00
kvm.h KVM: x86/mmu: rename trace function name for asynchronous page fault 2022-08-10 15:08:26 -04:00
kyber.h kyber: Replace strlcpy with strscpy 2023-07-17 08:18:17 -06:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-17 16:30:03 +09:00
lock.h locking/mutex: Make contention tracepoints more consistent wrt adaptive spinning 2022-04-05 10:24:36 +02:00
maple_tree.h Maple Tree: add new data structure 2022-09-26 19:46:13 -07:00
mce.h
mctp.h mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control 2022-02-09 12:00:11 +00:00
mdio.h
migrate.h mm/migration: add trace events for base page and HugeTLB migrations 2022-03-24 19:06:45 -07:00
mlxsw.h
mmap_lock.h mm: mmap_lock: use DECLARE_EVENT_CLASS and DEFINE_EVENT_FN 2021-11-06 13:30:36 -07:00
mmap.h mm: mmap: remove newline at the end of the trace 2023-03-23 17:18:36 -07:00
mmc.h
mmflags.h mm: compaction: remove compaction result helpers 2023-06-09 16:25:36 -07:00
module.h
mptcp.h mptcp: dump infinite_map field in mptcp_dump_mpext 2022-04-23 11:51:05 +01:00
napi.h
nbd.h
neigh.h neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section 2023-10-18 11:16:43 +01:00
net_probe_common.h
net.h net: fix net_dev_start_xmit trace event vs skb_transport_offset() 2023-07-03 09:13:23 +01:00
netfs.h netfs: Add a function to consolidate beginning a read 2022-03-18 09:29:05 +00:00
netlink.h netlink: add tracepoint at NL_SET_ERR_MSG 2021-02-04 18:05:59 -08:00
nilfs2.h fs/nilfs2: Use the enum req_op and blk_opf_t types 2022-07-14 12:14:33 -06:00
nmi.h
notifier.h notifiers: add tracepoints to the notifiers infrastructure 2023-04-08 13:45:38 -07:00
objagg.h
oom.h
osnoise.h tracing: Fix spelling in osnoise tracer "interferences" -> "interference" 2021-06-28 14:12:27 -04:00
page_isolation.h
page_pool.h page_pool: split types and declarations from page_pool.h 2023-08-07 13:05:19 -07:00
page_ref.h mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) 2021-09-08 11:50:24 -07:00
pagemap.h mm/lru: Convert __pagevec_lru_add_fn to take a folio 2021-10-18 07:49:40 -04:00
percpu.h include/trace/events/percpu.h: cleanup for "percpu: improve percpu_alloc_percpu event trace" 2022-05-25 10:47:48 -07:00
power_cpu_migrate.h
power.h cpuidle: Add cpu_idle_miss trace event 2022-08-03 17:50:58 +02:00
preemptirq.h
printk.h
pwc.h
pwm.h pwm/tracing: Also record trace events for failed API calls 2022-12-06 12:46:23 +01:00
qdisc.h net: Print hashed skb addresses for all net and qdisc events 2022-06-27 11:57:06 +01:00
qla.h scsi: qla2xxx: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
qrtr.h net: qrtr: correct types of trace event parameters 2023-04-04 18:58:43 -07:00
rcu.h RCU Changes for 6.4: 2023-04-24 12:16:14 -07:00
rdma_core.h
regulator.h
rpcgss.h SUNRPC: Record gss_wrap() errors in svcauth_gss_wrap_priv() 2023-02-20 09:20:25 -05:00
rpcrdma.h svcrdma: trace cc_release calls 2023-06-17 13:18:06 -04:00
rpm.h
rseq.h tracing/rseq: Add mm_cid field to rseq_update 2022-12-27 12:52:15 +01:00
rtc.h
rv.h rv/monitor: Add the wwnr monitor 2022-07-30 14:01:30 -04:00
rwmmio.h asm-generic/io: Add _RET_IP_ to MMIO trace for more accurate debug info 2022-11-21 22:02:10 +01:00
rxrpc.h rxrpc: Fix RTT determination to use any ACK as a source 2023-12-03 07:33:02 +01:00
sched.h sched/tracing: Append prev_state to tp args instead 2022-05-12 00:37:11 +02:00
scmi.h include: trace: Add platform and channel instance references 2023-01-20 11:40:57 +00:00
scsi.h scsi: core: Trace SCSI sense data 2023-05-31 11:05:34 -04:00
sctp.h
signal.h
siox.h
skb.h net: add location to trace_consume_skb() 2023-02-20 08:28:49 +00:00
smbus.h
sock.h inet: preserve const qualifier in inet_sk() 2023-03-17 08:56:37 +00:00
sof_intel.h ASoC: SOF: Intel: replace dev_vdbg with tracepoints 2022-09-19 15:44:06 +01:00
sof.h ASoC: SOF: replace ipc4-loader dev_vdbg with tracepoints 2022-09-19 15:44:08 +01:00
spi.h spi: Fix spelling typos and acronyms capitalization 2023-07-11 14:14:32 +01:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-07-24 16:16:44 +02:00
sunrpc.h SUNRPC: Move trace_svc_xprt_enqueue 2023-08-29 17:45:22 -04:00
sunvnet.h
swiotlb.h swiotlb: make the swiotlb_init interface more useful 2022-04-18 07:21:11 +02:00
syscalls.h
target.h
task.h tracing: Replace strlcpy with strscpy in trace/events/task.h 2023-09-01 21:00:00 -04:00
tcp.h tcp: add missing family to tcp_set_ca_state() tracepoint 2023-08-09 13:45:19 -07:00
tegra_apb_dma.h
thermal_pressure.h arch_topology: Trace the update thermal pressure 2022-05-06 09:57:38 +02:00
thp.h powerpc/book3s64/mm: enable transparent pud hugepage 2023-08-18 10:12:55 -07:00
timer.h tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). 2023-06-19 09:09:14 +02:00
tlb.h
udp.h
ufs.h scsi: ufs: core: Add trace event for MCQ 2023-03-16 23:16:18 -04:00
v4l2.h
vb2.h
vmalloc.h mm: vmalloc: add free_vmap_area_noflush trace event 2022-11-08 17:37:17 -08:00
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-05-19 14:08:55 -07:00
vsock_virtio_transport_common.h virtio/vsock: update trace event for SEQPACKET 2021-06-11 13:32:47 -07:00
watchdog.h watchdog: Add tracing events for the most usual watchdog events 2022-10-12 09:47:02 +02:00
wbt.h blk-wbt: Replace strlcpy with strscpy 2023-07-17 08:18:17 -06:00
workqueue.h workqueue: Fix type of cpu in trace event 2022-06-07 07:09:47 -10:00
writeback.h writeback: fix dereferencing NULL mapping->host on writeback_page_template 2023-06-19 13:19:31 -07:00
xdp.h net: invert the netdevice.h vs xdp.h dependency 2023-08-03 08:38:07 -07:00
xen.h x86/xen: move paravirt lazy code 2023-09-19 07:04:49 +02:00