diff options
| author |   Masami Hiramatsu <mhiramat@kernel.org> | 2021-12-01 23:45:50 +0900 |
|---|---|---|
| committer |   Steven Rostedt (VMware) <rostedt@goodmis.org> | 2021-12-01 21:04:34 -0500 |
| commit | 6bbfa44116689469267f1a6e3d233b52114139d2 (patch) | |
| tree | f4efdc55d15d0e54f9ee1b53d996f1c55278fdfc /kernel/kprobes.c | |
| parent | tracing: Fix a kmemleak false positive in tracing_map (diff) | |
| download | linux-dev-6bbfa44116689469267f1a6e3d233b52114139d2.tar.xz linux-dev-6bbfa44116689469267f1a6e3d233b52114139d2.zip | |
kprobes: Limit max data_size of the kretprobe instances
The 'kprobe::data_size' is unsigned, thus it can not be negative. But if
user sets it enough big number (e.g. (size_t)-8), the result of 'data_size
+ sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct
kretprobe_instance) or zero. In result, the kretprobe_instance are
allocated without enough memory, and kretprobe accesses outside of
allocated memory.
To avoid this issue, introduce a max limitation of the
kretprobe::data_size. 4KB per instance should be OK.
Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2
Cc: stable@vger.kernel.org
Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler")
Reported-by: zhangyue <zhangyue1@kylinos.cn>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Diffstat (limited to 'kernel/kprobes.c')
| -rw-r--r-- | kernel/kprobes.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/kprobes.c b/kernel/kprobes.c index e9db0c810554..21eccc961bba 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp) } } + if (rp->data_size > KRETPROBE_MAX_DATA_SIZE) + return -E2BIG; + rp->kp.pre_handler = pre_handler_kretprobe; rp->kp.post_handler = NULL; |