* [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching [not found] <cover.1782836943.git.hhhuang@smu.edu.sg> @ 2026-07-01 10:28 ` Ren Wei 2026-07-02 1:15 ` Masami Hiramatsu 0 siblings, 1 reply; 2+ messages in thread From: Ren Wei @ 2026-07-01 10:28 UTC (permalink / raw) To: linux-kernel, linux-trace-kernel Cc: rostedt, mhiramat, mathieu.desnoyers, akpm, namhyung, yuantan098, yifanwucs, tomapufckgml, zcliangcn, bird, hhhuang, n05ec From: Huihui Huang <hhhuang@smu.edu.sg> String event fields are not necessarily NUL-terminated, so the filter predicate functions (filter_pred_string(), filter_pred_strloc() and filter_pred_strrelloc()) pass the field length to the regex match callbacks, and the length-aware matchers honour it. regex_match_glob() was the exception: it ignored the length and called glob_match(), which scans the string until it hits a NUL byte. Some string fields are not NUL-terminated. One example is the dynamic char array of the xfs_* namespace tracepoints, which is copied without a trailing NUL. For such a field, glob matching reads past the end of the event field, causing a KASAN slab-out-of-bounds read in glob_match(), reached via regex_match_glob() and filter_match_preds() from the xfs_lookup tracepoint. Add a length-bounded glob_match_len() and use it from regex_match_glob() so glob matching always stops at the field boundary. The matching loop is factored into a shared helper so glob_match() keeps its behaviour. Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> --- include/linux/glob.h | 1 + kernel/trace/trace_events_filter.c | 6 ++---- lib/glob.c | 31 ++++++++++++++++++++++++++++-- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/include/linux/glob.h b/include/linux/glob.h index 861327b33e..91595e7509 100644 --- a/include/linux/glob.h +++ b/include/linux/glob.h @@ -6,5 +6,6 @@ #include <linux/compiler.h> /* For __pure */ bool __pure glob_match(char const *pat, char const *str); +bool __pure glob_match_len(char const *pat, char const *str, size_t len); #endif /* _LINUX_GLOB_H */ diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 609325f579..6385cd662d 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, struct regex *r, int len) return 0; } -static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused) +static int regex_match_glob(char *str, struct regex *r, int len) { - if (glob_match(r->pattern, str)) - return 1; - return 0; + return glob_match_len(r->pattern, str, len) ? 1 : 0; } /** diff --git a/lib/glob.c b/lib/glob.c index 7aca76c25b..c80d9dd736 100644 --- a/lib/glob.c +++ b/lib/glob.c @@ -11,6 +11,9 @@ MODULE_DESCRIPTION("glob(7) matching"); MODULE_LICENSE("Dual MIT/GPL"); +static bool __pure glob_match_str(char const *pat, char const *str, + char const *str_end); + /** * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0) * @pat: Shell-style pattern to match, e.g. "*.[ch]". @@ -40,6 +43,29 @@ MODULE_LICENSE("Dual MIT/GPL"); * An opening bracket without a matching close is matched literally. */ bool __pure glob_match(char const *pat, char const *str) +{ + return glob_match_str(pat, str, NULL); +} +EXPORT_SYMBOL(glob_match); + +/** + * glob_match_len - glob match against a length-bounded string + * @pat: Shell-style pattern to match. + * @str: String to match. Need not be NUL-terminated. + * @len: Number of bytes of @str that may be read. + * + * Like glob_match(), but @str is only read up to @len bytes, so it can be + * used on buffers that are not NUL-terminated (e.g. trace event fields). + * A NUL byte within @len still terminates the string. + */ +bool __pure glob_match_len(char const *pat, char const *str, size_t len) +{ + return glob_match_str(pat, str, str + len); +} +EXPORT_SYMBOL(glob_match_len); + +static bool __pure glob_match_str(char const *pat, char const *str, + char const *str_end) { /* * Backtrack to previous * on mismatch and retry starting one @@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat, char const *str) * on mismatch, or true after matching the trailing nul bytes. */ for (;;) { - unsigned char c = *str++; + unsigned char c = (str_end && str >= str_end) ? '\0' : *str; unsigned char d = *pat++; + str++; + switch (d) { case '?': /* Wildcard: anything but nul */ if (c == '\0') @@ -125,4 +153,3 @@ bool __pure glob_match(char const *pat, char const *str) } } } -EXPORT_SYMBOL(glob_match); -- 2.50.1 ^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching 2026-07-01 10:28 ` [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching Ren Wei @ 2026-07-02 1:15 ` Masami Hiramatsu 0 siblings, 0 replies; 2+ messages in thread From: Masami Hiramatsu @ 2026-07-02 1:15 UTC (permalink / raw) To: Ren Wei Cc: linux-kernel, linux-trace-kernel, rostedt, mhiramat, mathieu.desnoyers, akpm, namhyung, yuantan098, yifanwucs, tomapufckgml, zcliangcn, bird, hhhuang On Wed, 1 Jul 2026 18:28:46 +0800 Ren Wei <n05ec@lzu.edu.cn> wrote: > From: Huihui Huang <hhhuang@smu.edu.sg> > > String event fields are not necessarily NUL-terminated, so the filter > predicate functions (filter_pred_string(), filter_pred_strloc() and > filter_pred_strrelloc()) pass the field length to the regex match > callbacks, and the length-aware matchers honour it. > > regex_match_glob() was the exception: it ignored the length and called > glob_match(), which scans the string until it hits a NUL byte. Some > string fields are not NUL-terminated. One example is the dynamic char > array of the xfs_* namespace tracepoints, which is copied without a > trailing NUL. For such a field, glob matching reads past the end of > the event field, causing a KASAN slab-out-of-bounds read in > glob_match(), reached via regex_match_glob() and filter_match_preds() > from the xfs_lookup tracepoint. > > Add a length-bounded glob_match_len() and use it from regex_match_glob() > so glob matching always stops at the field boundary. The matching loop > is factored into a shared helper so glob_match() keeps its behaviour. > Looks good to me. Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Thank you, > Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching") > Cc: stable@vger.kernel.org > Reported-by: Yuan Tan <yuantan098@gmail.com> > Reported-by: Yifan Wu <yifanwucs@gmail.com> > Reported-by: Juefei Pu <tomapufckgml@gmail.com> > Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> > Reported-by: Xin Liu <bird@lzu.edu.cn> > Assisted-by: Codex:GPT-5.4 > Signed-off-by: Huihui Huang <hhhuang@smu.edu.sg> > Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> > --- > include/linux/glob.h | 1 + > kernel/trace/trace_events_filter.c | 6 ++---- > lib/glob.c | 31 ++++++++++++++++++++++++++++-- > 3 files changed, 32 insertions(+), 6 deletions(-) > > diff --git a/include/linux/glob.h b/include/linux/glob.h > index 861327b33e..91595e7509 100644 > --- a/include/linux/glob.h > +++ b/include/linux/glob.h > @@ -6,5 +6,6 @@ > #include <linux/compiler.h> /* For __pure */ > > bool __pure glob_match(char const *pat, char const *str); > +bool __pure glob_match_len(char const *pat, char const *str, size_t len); > > #endif /* _LINUX_GLOB_H */ > diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c > index 609325f579..6385cd662d 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c > @@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, struct regex *r, int len) > return 0; > } > > -static int regex_match_glob(char *str, struct regex *r, int len __maybe_unused) > +static int regex_match_glob(char *str, struct regex *r, int len) > { > - if (glob_match(r->pattern, str)) > - return 1; > - return 0; > + return glob_match_len(r->pattern, str, len) ? 1 : 0; > } > > /** > diff --git a/lib/glob.c b/lib/glob.c > index 7aca76c25b..c80d9dd736 100644 > --- a/lib/glob.c > +++ b/lib/glob.c > @@ -11,6 +11,9 @@ > MODULE_DESCRIPTION("glob(7) matching"); > MODULE_LICENSE("Dual MIT/GPL"); > > +static bool __pure glob_match_str(char const *pat, char const *str, > + char const *str_end); > + > /** > * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0) > * @pat: Shell-style pattern to match, e.g. "*.[ch]". > @@ -40,6 +43,29 @@ MODULE_LICENSE("Dual MIT/GPL"); > * An opening bracket without a matching close is matched literally. > */ > bool __pure glob_match(char const *pat, char const *str) > +{ > + return glob_match_str(pat, str, NULL); > +} > +EXPORT_SYMBOL(glob_match); > + > +/** > + * glob_match_len - glob match against a length-bounded string > + * @pat: Shell-style pattern to match. > + * @str: String to match. Need not be NUL-terminated. > + * @len: Number of bytes of @str that may be read. > + * > + * Like glob_match(), but @str is only read up to @len bytes, so it can be > + * used on buffers that are not NUL-terminated (e.g. trace event fields). > + * A NUL byte within @len still terminates the string. > + */ > +bool __pure glob_match_len(char const *pat, char const *str, size_t len) > +{ > + return glob_match_str(pat, str, str + len); > +} > +EXPORT_SYMBOL(glob_match_len); > + > +static bool __pure glob_match_str(char const *pat, char const *str, > + char const *str_end) > { > /* > * Backtrack to previous * on mismatch and retry starting one > @@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat, char const *str) > * on mismatch, or true after matching the trailing nul bytes. > */ > for (;;) { > - unsigned char c = *str++; > + unsigned char c = (str_end && str >= str_end) ? '\0' : *str; > unsigned char d = *pat++; > > + str++; > + > switch (d) { > case '?': /* Wildcard: anything but nul */ > if (c == '\0') > @@ -125,4 +153,3 @@ bool __pure glob_match(char const *pat, char const *str) > } > } > } > -EXPORT_SYMBOL(glob_match); > -- > 2.50.1 > -- Masami Hiramatsu (Google) <mhiramat@kernel.org> ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-02 1:15 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1782836943.git.hhhuang@smu.edu.sg>
2026-07-01 10:28 ` [PATCH 1/1] tracing: Prevent out-of-bounds read in glob matching Ren Wei
2026-07-02 1:15 ` Masami Hiramatsu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox