Linux Trace Kernel
 help / color / mirror / Atom feed
* [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching
       [not found] <cover.1782836943.git.hhhuang@smu.edu.sg>
@ 2026-07-01 10:28 ` Ren Wei
  2026-07-02  1:15   ` Masami Hiramatsu
  0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-07-01 10:28 UTC (permalink / raw)
  To: linux-kernel, linux-trace-kernel
  Cc: rostedt, mhiramat, mathieu.desnoyers, akpm, namhyung, yuantan098,
	yifanwucs, tomapufckgml, zcliangcn, bird, hhhuang, n05ec

From: Huihui Huang <hhhuang@smu.edu.sg>

String event fields are not necessarily NUL-terminated, so the filter
predicate functions (filter_pred_string(), filter_pred_strloc() and
filter_pred_strrelloc()) pass the field length to the regex match
callbacks, and the length-aware matchers honour it.

regex_match_glob() was the exception: it ignored the length and called
glob_match(), which scans the string until it hits a NUL byte. Some
string fields are not NUL-terminated. One example is the dynamic char
array of the xfs_* namespace tracepoints, which is copied without a
trailing NUL. For such a field, glob matching reads past the end of
the event field, causing a KASAN slab-out-of-bounds read in
glob_match(), reached via regex_match_glob() and filter_match_preds()
from the xfs_lookup tracepoint.

Add a length-bounded glob_match_len() and use it from regex_match_glob()
so glob matching always stops at the field boundary. The matching loop
is factored into a shared helper so glob_match() keeps its behaviour.

Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 include/linux/glob.h               |  1 +
 kernel/trace/trace_events_filter.c |  6 ++----
 lib/glob.c                         | 31 ++++++++++++++++++++++++++++--
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/include/linux/glob.h b/include/linux/glob.h
index 861327b33e..91595e7509 100644
--- a/include/linux/glob.h
+++ b/include/linux/glob.h
@@ -6,5 +6,6 @@
 #include <linux/compiler.h>	/* For __pure */
 
 bool __pure glob_match(char const *pat, char const *str);
+bool __pure glob_match_len(char const *pat, char const *str, size_t len);
 
 #endif	/* _LINUX_GLOB_H */
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 609325f579..6385cd662d 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, struct regex *r, int len)
 	return 0;
 }
 
-static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused)
+static int regex_match_glob(char *str, struct regex *r, int len)
 {
-	if (glob_match(r->pattern, str))
-		return 1;
-	return 0;
+	return glob_match_len(r->pattern, str, len) ? 1 : 0;
 }
 
 /**
diff --git a/lib/glob.c b/lib/glob.c
index 7aca76c25b..c80d9dd736 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -11,6 +11,9 @@
 MODULE_DESCRIPTION("glob(7) matching");
 MODULE_LICENSE("Dual MIT/GPL");
 
+static bool __pure glob_match_str(char const *pat, char const *str,
+				  char const *str_end);
+
 /**
  * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0)
  * @pat: Shell-style pattern to match, e.g. "*.[ch]".
@@ -40,6 +43,29 @@ MODULE_LICENSE("Dual MIT/GPL");
  * An opening bracket without a matching close is matched literally.
  */
 bool __pure glob_match(char const *pat, char const *str)
+{
+	return glob_match_str(pat, str, NULL);
+}
+EXPORT_SYMBOL(glob_match);
+
+/**
+ * glob_match_len - glob match against a length-bounded string
+ * @pat: Shell-style pattern to match.
+ * @str: String to match.  Need not be NUL-terminated.
+ * @len: Number of bytes of @str that may be read.
+ *
+ * Like glob_match(), but @str is only read up to @len bytes, so it can be
+ * used on buffers that are not NUL-terminated (e.g. trace event fields).
+ * A NUL byte within @len still terminates the string.
+ */
+bool __pure glob_match_len(char const *pat, char const *str, size_t len)
+{
+	return glob_match_str(pat, str, str + len);
+}
+EXPORT_SYMBOL(glob_match_len);
+
+static bool __pure glob_match_str(char const *pat, char const *str,
+				  char const *str_end)
 {
 	/*
 	 * Backtrack to previous * on mismatch and retry starting one
@@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat, char const *str)
 	 * on mismatch, or true after matching the trailing nul bytes.
 	 */
 	for (;;) {
-		unsigned char c = *str++;
+		unsigned char c = (str_end && str >= str_end) ? '\0' : *str;
 		unsigned char d = *pat++;
 
+		str++;
+
 		switch (d) {
 		case '?':	/* Wildcard: anything but nul */
 			if (c == '\0')
@@ -125,4 +153,3 @@ bool __pure glob_match(char const *pat, char const *str)
 		}
 	}
 }
-EXPORT_SYMBOL(glob_match);
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching
  2026-07-01 10:28 ` [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching Ren Wei
@ 2026-07-02  1:15   ` Masami Hiramatsu
  0 siblings, 0 replies; 2+ messages in thread
From: Masami Hiramatsu @ 2026-07-02  1:15 UTC (permalink / raw)
  To: Ren Wei
  Cc: linux-kernel, linux-trace-kernel, rostedt, mhiramat,
	mathieu.desnoyers, akpm, namhyung, yuantan098, yifanwucs,
	tomapufckgml, zcliangcn, bird, hhhuang

On Wed,  1 Jul 2026 18:28:46 +0800
Ren Wei <n05ec@lzu.edu.cn> wrote:

> From: Huihui Huang <hhhuang@smu.edu.sg>
> 
> String event fields are not necessarily NUL-terminated, so the filter
> predicate functions (filter_pred_string(), filter_pred_strloc() and
> filter_pred_strrelloc()) pass the field length to the regex match
> callbacks, and the length-aware matchers honour it.
> 
> regex_match_glob() was the exception: it ignored the length and called
> glob_match(), which scans the string until it hits a NUL byte. Some
> string fields are not NUL-terminated. One example is the dynamic char
> array of the xfs_* namespace tracepoints, which is copied without a
> trailing NUL. For such a field, glob matching reads past the end of
> the event field, causing a KASAN slab-out-of-bounds read in
> glob_match(), reached via regex_match_glob() and filter_match_preds()
> from the xfs_lookup tracepoint.
> 
> Add a length-bounded glob_match_len() and use it from regex_match_glob()
> so glob matching always stops at the field boundary. The matching loop
> is factored into a shared helper so glob_match() keeps its behaviour.
> 

Looks good to me.

Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Thank you,

> Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  include/linux/glob.h               |  1 +
>  kernel/trace/trace_events_filter.c |  6 ++----
>  lib/glob.c                         | 31 ++++++++++++++++++++++++++++--
>  3 files changed, 32 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/glob.h b/include/linux/glob.h
> index 861327b33e..91595e7509 100644
> --- a/include/linux/glob.h
> +++ b/include/linux/glob.h
> @@ -6,5 +6,6 @@
>  #include <linux/compiler.h>	/* For __pure */
>  
>  bool __pure glob_match(char const *pat, char const *str);
> +bool __pure glob_match_len(char const *pat, char const *str, size_t len);
>  
>  #endif	/* _LINUX_GLOB_H */
> diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
> index 609325f579..6385cd662d 100644
> --- a/kernel/trace/trace_events_filter.c
> +++ b/kernel/trace/trace_events_filter.c
> @@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, struct regex *r, int len)
>  	return 0;
>  }
>  
> -static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused)
> +static int regex_match_glob(char *str, struct regex *r, int len)
>  {
> -	if (glob_match(r->pattern, str))
> -		return 1;
> -	return 0;
> +	return glob_match_len(r->pattern, str, len) ? 1 : 0;
>  }
>  
>  /**
> diff --git a/lib/glob.c b/lib/glob.c
> index 7aca76c25b..c80d9dd736 100644
> --- a/lib/glob.c
> +++ b/lib/glob.c
> @@ -11,6 +11,9 @@
>  MODULE_DESCRIPTION("glob(7) matching");
>  MODULE_LICENSE("Dual MIT/GPL");
>  
> +static bool __pure glob_match_str(char const *pat, char const *str,
> +				  char const *str_end);
> +
>  /**
>   * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0)
>   * @pat: Shell-style pattern to match, e.g. "*.[ch]".
> @@ -40,6 +43,29 @@ MODULE_LICENSE("Dual MIT/GPL");
>   * An opening bracket without a matching close is matched literally.
>   */
>  bool __pure glob_match(char const *pat, char const *str)
> +{
> +	return glob_match_str(pat, str, NULL);
> +}
> +EXPORT_SYMBOL(glob_match);
> +
> +/**
> + * glob_match_len - glob match against a length-bounded string
> + * @pat: Shell-style pattern to match.
> + * @str: String to match.  Need not be NUL-terminated.
> + * @len: Number of bytes of @str that may be read.
> + *
> + * Like glob_match(), but @str is only read up to @len bytes, so it can be
> + * used on buffers that are not NUL-terminated (e.g. trace event fields).
> + * A NUL byte within @len still terminates the string.
> + */
> +bool __pure glob_match_len(char const *pat, char const *str, size_t len)
> +{
> +	return glob_match_str(pat, str, str + len);
> +}
> +EXPORT_SYMBOL(glob_match_len);
> +
> +static bool __pure glob_match_str(char const *pat, char const *str,
> +				  char const *str_end)
>  {
>  	/*
>  	 * Backtrack to previous * on mismatch and retry starting one
> @@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat, char const *str)
>  	 * on mismatch, or true after matching the trailing nul bytes.
>  	 */
>  	for (;;) {
> -		unsigned char c = *str++;
> +		unsigned char c = (str_end && str >= str_end) ? '\0' : *str;
>  		unsigned char d = *pat++;
>  
> +		str++;
> +
>  		switch (d) {
>  		case '?':	/* Wildcard: anything but nul */
>  			if (c == '\0')
> @@ -125,4 +153,3 @@ bool __pure glob_match(char const *pat, char const *str)
>  		}
>  	}
>  }
> -EXPORT_SYMBOL(glob_match);
> -- 
> 2.50.1
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-02  1:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <cover.1782836943.git.hhhuang@smu.edu.sg>
2026-07-01 10:28 ` [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching Ren Wei
2026-07-02  1:15   ` Masami Hiramatsu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox