From: Vincent Donnefort <vdonnefort@google.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
	linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
	mathieu.desnoyers@efficios.com, mhiramat@kernel.org,
	syzbot+345e4443a21200874b18@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com,
	Jeongjun Park <aha310510@gmail.com>,
	david@redhat.com
Subject: Re: [PATCH] ring-buffer: Fix a oob in __rb_map_vma
Date: Wed, 18 Dec 2024 09:13:43 +0000	[thread overview]
Message-ID: <Z2KSR5QrAWYDEBVh@google.com> (raw)
In-Reply-To: <20241217194015.7a4f0dc8@gandalf.local.home>

On Tue, Dec 17, 2024 at 07:40:15PM -0500, Steven Rostedt wrote:
> On Wed, 18 Dec 2024 07:43:46 +0800
> Edward Adam Davis <eadavis@qq.com> wrote:
> 
> > > 
> > > A proper fix is being discussed here:  
> > First, my fix is the first one.
> 
> Yes I saw that.
> 
> > Second, the root cause of the problem is an overflow when calculating nr_pages.
> > > 
> > > https://lore.kernel.org/linux-trace-kernel/20241216164931.57323-1-aha310510@gmail.com/
> > > 
> > > Thank you,
> > > 
> > > -- Steve
> > >   
> > The calculation of nr_pages below overflows because the pgoff value is 8,
> > the nr_subbufs value is 3, and the subbuf_order value is 0.
> 
> So basically you are saying that passing in the mmap with the pgoff is
> what's causing it.
> 
> > > >  	nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */
> > > >  
> > > >  	nr_vma_pages = vma_pages(vma);  
> 
> 
> Thanks, I believe I now have a reproducer. And yes, I'll take your patch.
> (If Vincent is OK with it).

I wanted to look at the reproducer sent by Jeongjun yesterday but got
preempted. My bad.

To avoid repeating the (nr_subbufs + 1) << subbuf_order, how about:

-       nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */
+       nr_pages = ((nr_subbufs + 1) << subbuf_order); /* + meta-page */
+
+       if (pgoff > nr_pages)
+               return -EINVAL;
+
+       nr_pages -= pgoff;
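Review bot: the check `if (pgoff > nr_pages)` still lets pgoff == nr_pages through, and the following `nr_pages -= pgoff;` then leaves nr_pages at zero; since pgoff counts pages from the start of the mapping, an offset equal to the total (meta-page plus all sub-buffer pages) is already one past the last page, so the comparison should be `if (pgoff >= nr_pages)`. The ordering itself is right: computing the total before subtracting is what stops the unsigned subtraction from wrapping when pgoff is larger than the mapping.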


And probably also 

Fixes: 117c39200d9d ("ring-buffer: Introducing ring-buffer mapping functions")

> 
> Here's the reproducer:
> 
> ------------------------8<-------------------------
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <asm/types.h>
> #include <sys/mman.h>
> 
> int main(int argc, char **argv)
> {
> 	int page_size = getpagesize();
> 	int fd;
> 	void *meta;
> 
> 	/* Shrink the per-CPU buffer so only a few sub-buffers exist. */
> 	system("echo 1 > /sys/kernel/tracing/buffer_size_kb");
> 	fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);
> 	if (fd < 0) {
> 		perror("open");
> 		return 1;
> 	}
> 
> 	/* Map one page at a page offset (5) past the end of the buffer. */
> 	meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);
> 	if (meta == MAP_FAILED)
> 		perror("mmap");
> 	else
> 		munmap(meta, page_size);
> 
> 	close(fd);
> 	return 0;
> }
> ------------------------>8-------------------------
> 
> Thanks,
> 
> 
> -- Steve
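The page-count arithmetic the thread is arguing about, as an added example that is not code from this thread or from the kernel's ring_buffer.c. It models the quoted `nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff` line with the values from Edward's message (nr_subbufs 3, subbuf_order 0, pgoff 8), once unchecked and once with the range check done before the subtraction. It assumes unsigned long operands, which is what the wrap-around described in the thread implies; the function names are hypothetical.

```c
/*
 * Added example, not code from this thread or from the kernel's
 * ring_buffer.c. It models the page-count arithmetic quoted in the
 * thread with unsigned long operands (assumed here; the wrap-around
 * described in the thread implies unsigned arithmetic). The function
 * names are hypothetical.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Unchecked form, as in the quoted line: when pgoff exceeds the total
 * page count the subtraction wraps to a huge value instead of going
 * negative, and whatever later walks nr_pages entries of the page array
 * runs off its end.
 */
static unsigned long rb_map_nr_pages_unchecked(unsigned long nr_subbufs,
					       unsigned int subbuf_order,
					       unsigned long pgoff)
{
	return ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */
}

/*
 * Checked form: compute the total first, reject any pgoff at or beyond
 * it, then subtract. Returns the page count, or -EINVAL. (Collapsed into
 * a single return value for illustration; the kernel function returns an
 * int and fills a separate nr_pages variable.)
 */
static long rb_map_nr_pages_checked(unsigned long nr_subbufs,
				    unsigned int subbuf_order,
				    unsigned long pgoff)
{
	unsigned long total = (nr_subbufs + 1) << subbuf_order; /* + meta-page */

	/* pgoff == total is one page past the last one; reject it too. */
	if (pgoff >= total)
		return -EINVAL;

	return (long)(total - pgoff);
}

int main(void)
{
	/*
	 * Values from the report quoted in the thread: 3 sub-buffers of
	 * order 0 (4 pages including the meta-page), mapped at page offset 8.
	 */
	printf("unchecked: nr_pages = %lu\n",
	       rb_map_nr_pages_unchecked(3, 0, 8));
	printf("checked:   ret = %ld (expect %d)\n",
	       rb_map_nr_pages_checked(3, 0, 8), -EINVAL);
	/* An offset inside the mapping is still accepted. */
	printf("checked:   nr_pages = %ld for pgoff 1\n",
	       rb_map_nr_pages_checked(3, 0, 1));
	return 0;
}
```

The unchecked call prints ULONG_MAX - 3 for those inputs, which is the "overflow when calculating nr_pages" Edward describes; the checked call rejects both pgoff 8 and the boundary case pgoff 4 while still returning 3 for pgoff 1.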

Thread overview:
2024-12-16  8:23 [syzbot] [trace?] KASAN: use-after-free Read in ring_buffer_map syzbot
2024-12-16 13:42 ` Edward Adam Davis
2024-12-16 13:43   ` syzbot
2024-12-16 13:44 ` Edward Adam Davis
2024-12-16 14:06   ` syzbot
2024-12-16 14:07 ` [PATCH] ring-buffer: Fix a oob in __rb_map_vma Edward Adam Davis
2024-12-17 17:46   ` Steven Rostedt
2024-12-17 23:43     ` Edward Adam Davis
2024-12-18  0:40       ` Steven Rostedt
2024-12-18  1:23         ` Jeongjun Park
2024-12-18  9:13         ` Vincent Donnefort [this message]
2024-12-18 11:42           ` [PATCH V2] ring-buffer: fix overflow " Edward Adam Davis
2024-12-18 13:18             ` Steven Rostedt
2024-12-18 13:36               ` [PATCH V3] " Edward Adam Davis
2024-12-18 13:24             ` [PATCH V2] " Steven Rostedt
2024-12-18 13:19           ` [PATCH] ring-buffer: Fix a oob " Steven Rostedt
2024-12-18 14:31             ` Vincent Donnefort
2024-12-18 14:33               ` Steven Rostedt
