From: Masami Hiramatsu <mhiramat@kernel.org>
To: Andrea Righi <righi.andrea@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tracing/kprobes: fix NULL pointer dereference in trace_kprobe_create()
Date: Fri, 11 Jan 2019 09:51:08 +0900
Message-ID: <20190111095108.b79a2ee026185cbd62365977@kernel.org>
In-Reply-To: <20190110173947.GA19243@xps-13>
Hi Andrea,
On Thu, 10 Jan 2019 18:39:47 +0100
Andrea Righi <righi.andrea@gmail.com> wrote:
> It is possible to trigger a NULL pointer dereference by writing an
> incorrectly formatted string to kprobe_events (omitting the symbol).
>
> Example:
>
> echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events
>
> That triggers this:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> #PF error: [normal kernel read fault]
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP PTI
> CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
> Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
> RIP: 0010:kstrtoull+0x2/0x20
> Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
> RSP: 0018:ffffb5d482e57cb8 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff82b12720
> RDX: ffffb5d482e57cf8 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffb5d482e57d70 R08: ffffa0c05e5a7080 R09: ffffa0c05e003980
> R10: 0000000000000000 R11: 0000000040000000 R12: ffffa0c04fe87b08
> R13: 0000000000000001 R14: 000000000000000b R15: ffffa0c058d749e1
> FS: 00007f137c7f7740(0000) GS:ffffa0c05e580000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 0000000497d46004 CR4: 00000000003606e0
> Call Trace:
> ? trace_kprobe_create+0xb6/0x840
> ? _cond_resched+0x19/0x40
> ? _cond_resched+0x19/0x40
> ? __kmalloc+0x62/0x210
> ? argv_split+0x8f/0x140
> ? trace_kprobe_create+0x840/0x840
> ? trace_kprobe_create+0x840/0x840
> create_or_delete_trace_kprobe+0x11/0x30
> trace_run_command+0x50/0x90
> trace_parse_run_command+0xc1/0x160
> probes_write+0x10/0x20
> __vfs_write+0x3a/0x1b0
> ? apparmor_file_permission+0x1a/0x20
> ? security_file_permission+0x31/0xf0
> ? _cond_resched+0x19/0x40
> vfs_write+0xb1/0x1a0
> ksys_write+0x55/0xc0
> __x64_sys_write+0x1a/0x20
> do_syscall_64+0x5a/0x120
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Fix by doing the proper argument check when a NULL symbol is passed in
> trace_kprobe_create().
>
Oops! It is my fault on commit 6212dd29683e ("tracing/kprobes: Use dyn_event
framework for kprobe events").
Previously, we had the following check, but it was removed:
- if (argc < 2) {
- pr_info("Probe point is not specified.\n");
- return -EINVAL;
- }
and it is now checked only for the kprobe event, but not for the kretprobe event:
	/* argc must be >= 1 */
	if (argv[0][0] == 'r') {
		is_return = true;
		flags |= TPARG_FL_RETURN;
	} else if (argv[0][0] != 'p' || argc < 2)
		return -ECANCELED;
I would like to recover the above if block instead of adding a new check.
Could you do it with Fixes: and Cc: stable@vger.kernel.org tags?
Thank you,
> Signed-off-by: Andrea Righi <righi.andrea@gmail.com>
> ---
> kernel/trace/trace_kprobe.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
> index 5c19b8c41c7e..76410ceeff50 100644
> --- a/kernel/trace/trace_kprobe.c
> +++ b/kernel/trace/trace_kprobe.c
> @@ -644,6 +644,8 @@ static int trace_kprobe_create(int argc, const char *argv[])
>
> /* try to parse an address. if that fails, try to read the
> * input as a symbol. */
> + if (!argv[1])
> + return -EINVAL;
> if (kstrtoul(argv[1], 0, (unsigned long *)&addr)) {
> /* Check whether uprobe event specified */
> if (strchr(argv[1], '/') && strchr(argv[1], ':'))
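Review bot: the `if (!argv[1])` guard inserted before `kstrtoul(argv[1], ...)` relies on argv being NULL-terminated and fails silently, while the hunk header shows `argc` is already available in `trace_kprobe_create(int argc, const char *argv[])`; an `argc < 2` check at the top of the function, as in the previously removed block quoted in this reply with its "Probe point is not specified." message, is the conventional guard and covers both the kprobe and kretprobe paths. Consider restoring that block instead of adding a second NULL test at this spot.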
> --
> 2.17.1
>
--
Masami Hiramatsu <mhiramat@kernel.org>
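An added C model, written for this page and not the kernel's code nor either poster's, of the argument validation the reply describes: the argc < 2 guard is restored ahead of the 'p'/'r' dispatch so the "r:event_1 " write from the report is rejected before argv[1] is ever read. split_args and check_line are constructed helpers standing in for argv_split() and the probes_write path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical userspace model of the argument validation discussed in this
 * thread; it is not the kernel's trace_kprobe_create(). argv is NULL-terminated
 * like the array argv_split() returns and argc is its length. */

/* Returns 0 if the event spec is acceptable, -EINVAL or -ECANCELED otherwise,
 * and reports whether it is a kretprobe ('r' prefix) through *is_return. */
static int validate_probe_args(int argc, const char *argv[], bool *is_return)
{
    *is_return = false;
    if (argc < 1 || !argv[0] || !argv[0][0])
        return -EINVAL;
    /* The guard the reply asks to restore: a probe point must follow argv[0]. */
    if (argc < 2)
        return -EINVAL;               /* "Probe point is not specified." */
    if (argv[0][0] == 'r')
        *is_return = true;
    else if (argv[0][0] != 'p')
        return -ECANCELED;
    /* With argc >= 2 and a NULL-terminated argv, argv[1] cannot be NULL here,
     * so the kstrtoul(argv[1], ...) step can no longer dereference NULL. */
    return argv[1][0] ? 0 : -EINVAL;
}

/* Split a line on whitespace into a NULL-terminated argv; a constructed
 * stand-in for the kernel's argv_split(). Returns argc. */
static int split_args(char *line, const char *argv[], int max)
{
    int argc = 0;
    for (char *tok = strtok(line, " \t\n"); tok && argc < max - 1;
         tok = strtok(NULL, " \t\n"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Validate one kprobe_events line as written by the echo in the report. */
static int check_line(const char *line, bool *is_return)
{
    char buf[128];
    const char *argv[8];
    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return validate_probe_args(split_args(buf, argv, 8), argv, is_return);
}
```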