From: Sam Moelius <sam.moelius@trailofbits.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Samuel Moelius <sam.moelius@trailofbits.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Subject: [PATCH] tracing: Reject tracefs buffer size values that overflow bytes
Date: Tue, 2 Jun 2026 18:43:34 +0000
Message-ID: <20260602184335.1554470-1-sam.moelius@trailofbits.com>
From: Samuel Moelius <sam.moelius@trailofbits.com>

`tracing_entries_write()` accepts a `buffer_size_kb` value as
`unsigned long`, checks only for zero, then shifts left by 10. On
64-bit, writing `18014398509481984` KB wraps the byte count to zero
and the ring buffer resize path accepts it as a tiny buffer instead
of rejecting an impossible huge size.

The fix also adds the same pre-scale overflow check to
`buffer_subbuf_size_write()`.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
kernel/trace/trace.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 6eb4d3097a4d..79da29c3d525 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5735,7 +5735,7 @@ tracing_entries_write(struct file *filp, const char __user *ubuf,
return ret;
/* must have at least 1 entry */
- if (!val)
+ if (!val || val > ULONG_MAX >> 10)
return -EINVAL;
/* value is in KB */
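Review bot: in the new condition `if (!val || val > ULONG_MAX >> 10)` the bound is right only because `>>` binds tighter than `>`, and the same limit is spelled `ULONG_MAX / 1024` in the buffer_subbuf_size_write() hunk. Writing it as `val > (ULONG_MAX >> 10)` and using one spelling in both places would make the two checks easier to compare at a glance. The comment above the test, `/* must have at least 1 entry */`, now covers only half of it; extend it to say that values whose byte count would not fit in an unsigned long are rejected as well.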
@@ -8206,6 +8206,9 @@ buffer_subbuf_size_write(struct file *filp, const char __user *ubuf,
if (ret)
return ret;
+ if (!val || val > ULONG_MAX / 1024)
+ return -EINVAL;
+
val *= 1024; /* value passed in is in KB */
pages = DIV_ROUND_UP(val, PAGE_SIZE);
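Review bot: the added `if (!val || val > ULONG_MAX / 1024)` rejects zero as well as overflowing values, but the commit message only says this function gets the same pre-scale overflow check. Whether zero was already rejected further down is not visible in this hunk, so either state in the changelog that a zero write now returns -EINVAL here, or reduce the test to `val > ULONG_MAX / 1024` so the hunk changes only the overflow case. A one-line comment on the new check, as tracing_entries_write() has for its test, would also help the next reader.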
--
2.43.0