From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>, <zanussi@kernel.org>,
stable@vger.kernel.org, Zheng Yejian <zhengyejian1@huawei.com>
Subject: [for-next][PATCH 15/25] tracing/hist: Fix out-of-bound write on action_data.var_ref_idx
Date: Sat, 10 Dec 2022 08:58:05 -0500
Message-ID: <20221210135825.551404522@goodmis.org>
In-Reply-To: 20221210135750.425719934@goodmis.org
From: Zheng Yejian <zhengyejian1@huawei.com>
When generating a synthetic event with many params and then creating a
trace action for it [1], a kernel panic happened [2].
This is because in trace_action_create() 'data->n_params' is up to
SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'
keeps indices into array 'hist_data->var_refs' for each synthetic event
param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX
(current value is 16), so an out-of-bound write happened when
'data->n_params' was more than 16. In this case, 'data->match_data.event'
is overwritten and eventually causes the panic.
To solve the issue, adjust the length of 'data->var_ref_idx' to be
SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound writes.
[1]
# cd /sys/kernel/tracing/
# echo "my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\
int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\
int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\
int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\
int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\
int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\
int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\
int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\
int v63" >> synthetic_events
# echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="bash"' >> \
events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid)" >> events/sched/sched_switch/trigger
[2]
BUG: unable to handle page fault for address: ffff91c900000000
PGD 61001067 P4D 61001067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Call Trace:
<TASK>
__find_event_file+0x55/0x90
action_create+0x76c/0x1060
event_hist_trigger_parse+0x146d/0x2060
? event_trigger_write+0x31/0xd0
trigger_process_regex+0xbb/0x110
event_trigger_write+0x6b/0xd0
vfs_write+0xc8/0x3e0
? alloc_fd+0xc0/0x160
? preempt_count_add+0x4d/0xa0
? preempt_count_add+0x70/0xa0
ksys_write+0x5f/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d1d0cf077
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e
fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74
RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077
RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001
RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142
R10: 000056392639c017 R11: 0000000000000246 R12: 0000000000000143
R13: 00007f1d1d1ae6a0 R14: 00007f1d1d1aa4a0 R15: 00007f1d1d1a98a0
</TASK>
Modules linked in:
CR2: ffff91c900000000
---[ end trace 0000000000000000 ]---
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Link: https://lore.kernel.org/linux-trace-kernel/20221207035143.2278781-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Cc: stable@vger.kernel.org
Fixes: d380dcde9a07 ("tracing: Fix now invalid var_ref_vals assumption in trace action")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
kernel/trace/trace_events_hist.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index b4ad86c22b43..8264b28d5a57 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -621,7 +621,7 @@ struct action_data {
* event param, and is passed to the synthetic event
* invocation.
*/
- unsigned int var_ref_idx[TRACING_MAP_VARS_MAX];
+ unsigned int var_ref_idx[SYNTH_FIELDS_MAX];
struct synth_event *synth_event;
bool use_trace_keyword;
char *synth_event_name;
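Review bot: the comment at the top of this hunk says what var_ref_idx holds but not why its bound changes; since the array now has one slot per synthetic event param rather than one per variable, a sentence noting that it is sized by SYNTH_FIELDS_MAX because several params can reference the same variable (the reproducer passes `pid` 63 times) would record why TRACING_MAP_VARS_MAX was the wrong bound. Worth keeping in mind for the other hunks: the values stored here are still indices into the TRACING_MAP_VARS_MAX-sized reference array, so the resize fixes the write into action_data but does nothing to bound those indices on its own.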
@@ -2186,7 +2186,9 @@ static struct hist_field *create_var_ref(struct hist_trigger_data *hist_data,
return ref_field;
}
}
-
+ /* Sanity check to avoid out-of-bound write on 'hist_data->var_refs' */
+ if (hist_data->n_var_refs >= TRACING_MAP_VARS_MAX)
+ return NULL;
ref_field = create_hist_field(var_field->hist_data, NULL, flags, NULL);
if (ref_field) {
if (init_var_ref(ref_field, var_field, system, event_name)) {
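Review bot: the new check returns a bare NULL, which callers cannot tell apart from an allocation failure, so a trigger that needs more than TRACING_MAP_VARS_MAX distinct variable references is rejected with no explanation; consider reporting the rejection through the histogram error log before the `return NULL;`. The placement itself is right: the check sits after the loop that returns an existing `ref_field` for a matching variable (top of the hunk), so reusing a reference never consumes a slot and only a genuinely new reference is refused.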
@@ -3946,6 +3948,10 @@ static int trace_action_create(struct hist_trigger_data *hist_data,
lockdep_assert_held(&event_mutex);
+ /* Sanity check to avoid out-of-bound write on 'data->var_ref_idx' */
+ if (data->n_params > SYNTH_FIELDS_MAX)
+ return -EINVAL;
+
if (data->use_trace_keyword)
synth_event_name = data->synth_event_name;
else
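Review bot: `data->n_params > SYNTH_FIELDS_MAX` is the correct boundary, since entries 0..n_params-1 are stored into an array that now has SYNTH_FIELDS_MAX slots, but as with the create_var_ref() check this rejection is silent; a bare -EINVAL with no error_log entry leaves the user guessing which part of the trigger was refused. Since the commit message states that n_params is already at most SYNTH_FIELDS_MAX, a comment saying this check is defence in depth and that the array resize in the first hunk is the actual fix would help the next reader.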
--
2.35.1
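The mismatch described in the commit message, modelled as an added example that is not code from the patch or from the kernel: a simplified stand-in for struct action_data before and after the resize, plus models of the two sanity checks. The struct layouts and the `model_*` helpers are assumptions made for illustration; only the two limits (16 and 64) come from the page. The old layout is inspected through `offsetof` rather than by performing the out-of-bounds write, so the program stays well defined while still showing which field the 63-param reproducer lands on.

```c
/* Added example (not from the patch): model of the var_ref_idx bounds bug. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRACING_MAP_VARS_MAX 16   /* length of hist_data->var_refs (from the page) */
#define SYNTH_FIELDS_MAX     64   /* max params of a synthetic event (from the page) */

struct match_data {
	char *event;                  /* the pointer the oops shows being clobbered */
	char *event_system;
};

/* Assumed layout before the fix: index array sized by the wrong limit. */
struct action_data_old {
	unsigned int n_params;
	unsigned int var_ref_idx[TRACING_MAP_VARS_MAX];
	void *synth_event;
	bool use_trace_keyword;
	char *synth_event_name;
	struct match_data match_data;
};

/* Assumed layout after the fix: one slot per possible synthetic event param. */
struct action_data_new {
	unsigned int n_params;
	unsigned int var_ref_idx[SYNTH_FIELDS_MAX];
	void *synth_event;
	bool use_trace_keyword;
	char *synth_event_name;
	struct match_data match_data;
};

/* Would storing n_params indices into the old layout overlap match_data.event? */
bool old_layout_clobbers_match_event(unsigned int n_params)
{
	size_t ev_start = offsetof(struct action_data_old, match_data) +
			  offsetof(struct match_data, event);
	size_t ev_end = ev_start + sizeof(char *);
	size_t base = offsetof(struct action_data_old, var_ref_idx);

	for (unsigned int i = TRACING_MAP_VARS_MAX; i < n_params; i++) {
		size_t off = base + (size_t)i * sizeof(unsigned int);

		if (off < ev_end && off + sizeof(unsigned int) > ev_start)
			return true;
	}
	return false;
}

/* Model of hist_data->var_refs: one entry per distinct variable referenced. */
struct hist_data_model {
	unsigned int n_var_refs;
	const char *var_refs[TRACING_MAP_VARS_MAX];
};

/* Model of create_var_ref(): reuse a matching reference, else append one.
 * Returns the index, or -1 when the table is full (the patch's first check). */
int model_create_var_ref(struct hist_data_model *hd, const char *var_name)
{
	for (unsigned int i = 0; i < hd->n_var_refs; i++)
		if (strcmp(hd->var_refs[i], var_name) == 0)
			return (int)i;

	if (hd->n_var_refs >= TRACING_MAP_VARS_MAX)
		return -1;
	hd->var_refs[hd->n_var_refs] = var_name;
	return (int)hd->n_var_refs++;
}

/* Model of trace_action_create(): refuse a param count the index array cannot
 * hold (the patch's second check), then record one var_refs index per param.
 * With every param being "pid", var_refs holds one entry while var_ref_idx
 * receives n_params entries: the array must be sized by params, not variables. */
int model_trace_action_create(struct action_data_new *data,
			      struct hist_data_model *hd,
			      const char *const *params)
{
	if (data->n_params > SYNTH_FIELDS_MAX)
		return -EINVAL;

	for (unsigned int i = 0; i < data->n_params; i++) {
		int idx = model_create_var_ref(hd, params[i]);

		if (idx < 0)
			return -EINVAL;
		data->var_ref_idx[i] = (unsigned int)idx;
	}
	return 0;
}

int main(void)
{
	/* Constructed input mirroring the reproducer: 63 params, all "pid". */
	const char *params[SYNTH_FIELDS_MAX + 1];
	struct hist_data_model hd = { 0 };
	struct action_data_new data = { .n_params = 63 };

	for (unsigned int i = 0; i < SYNTH_FIELDS_MAX + 1; i++)
		params[i] = "pid";
	printf("old layout, 63 params, hits match_data.event: %s\n",
	       old_layout_clobbers_match_event(63) ? "yes" : "no");
	printf("fixed path, 63 params: %d (distinct var refs: %u)\n",
	       model_trace_action_create(&data, &hd, params), hd.n_var_refs);
	data.n_params = SYNTH_FIELDS_MAX + 1;
	printf("fixed path, 65 params: %d\n",
	       model_trace_action_create(&data, &hd, params));
	return 0;
}
```

The offset walk is what a reviewer does by hand from the oops: with the old bound, entries past index 15 run through the padding, synth_event and synth_event_name before reaching match_data.event, which is the string later handed to strcmp() in `__find_event_file`. The two checks guard different arrays, so both are needed: one keeps the count of distinct references inside var_refs, the other keeps the per-param index count inside var_ref_idx.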