Linux Trace Kernel
 help / color / mirror / Atom feed
From: Steven Rostedt <rostedt@goodmis.org>
To: Jeongjun Park <aha310510@gmail.com>
Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org,
	linux-trace-kernel@vger.kernel.org,
	syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] tracing: fix oob write in trace_seq_to_buffer()
Date: Mon, 21 Apr 2025 11:41:03 -0400	[thread overview]
Message-ID: <20250421114103.3c006379@gandalf.local.home> (raw)
In-Reply-To: <20250421152850.15387-1-aha310510@gmail.com>

On Tue, 22 Apr 2025 00:28:50 +0900
Jeongjun Park <aha310510@gmail.com> wrote:

> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -6784,7 +6784,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp,
>  	};
>  	ssize_t ret;
>  	size_t rem;
> -	unsigned int i;
> +	unsigned int i, copy_len;

FYI, I don't care for variables to be on the same line unless they are
related. As "i" and "copy_len" are not related, the should be separate
declarations.

	unsigned int copy_len;
	unsigned int i;

>  
>  	if (splice_grow_spd(pipe, &spd))
>  		return -ENOMEM;
> @@ -6818,16 +6818,18 @@ static ssize_t tracing_splice_read_pipe(struct file *filp,
>  
>  		rem = tracing_fill_pipe_page(rem, iter);
>  
> +		copy_len = trace_seq_used(&iter->seq);

Why not have the min here?

		copy_len = min(trace_seq_used(&iter->seq), PAGE_SIZE);

??

> +
>  		/* Copy the data into the page, so we can start over. */
>  		ret = trace_seq_to_buffer(&iter->seq,
>  					  page_address(spd.pages[i]),
> -					  trace_seq_used(&iter->seq));
> +					  min(copy_len, PAGE_SIZE));
>  		if (ret < 0) {
>  			__free_page(spd.pages[i]);
>  			break;
>  		}
>  		spd.partial[i].offset = 0;
> -		spd.partial[i].len = trace_seq_used(&iter->seq);
> +		spd.partial[i].len = min(copy_len, PAGE_SIZE);

And actually, len should equal ret as that's how much was copied.

-- Steve


>  
>  		trace_seq_init(&iter->seq);
>  	}
> --


      reply	other threads:[~2025-04-21 15:39 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-21 15:28 [PATCH v2] tracing: fix oob write in trace_seq_to_buffer() Jeongjun Park
2025-04-21 15:41 ` Steven Rostedt [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250421114103.3c006379@gandalf.local.home \
    --to=rostedt@goodmis.org \
    --cc=aha310510@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-trace-kernel@vger.kernel.org \
    --cc=mhiramat@kernel.org \
    --cc=syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox