mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	stable@vger.kernel.org, Masami Hiramatsu <mhiramat@kernel.org>,
	Tom Zanussi <zanussi@kernel.org>,
	Pingfan Liu <kernelfans@gmail.com>
Subject: [for-next][PATCH 14/31] tracing: Add test for user space strings when filtering on string pointers
Date: Tue, 11 Jan 2022 12:30:45 -0500	[thread overview]
Message-ID: <20220111173115.817658520@goodmis.org> (raw)
In-Reply-To: <20220111173030.999527342@goodmis.org>

From: Steven Rostedt <rostedt@goodmis.org>

Pingfan reported that the following causes a fault:

  echo "filename ~ \"cpu\"" > events/syscalls/sys_enter_openat/filter
  echo 1 > events/syscalls/sys_enter_at/enable

The reason is that trace event filter treats the user space pointer
defined by "filename" as a normal pointer to compare against the "cpu"
string. If the string is not loaded into memory yet, it will trigger a
fault in kernel space:

 kvm-03-guest16 login: [72198.026181] BUG: unable to handle page fault for address: 00007fffaae8ef60
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0001) - permissions violation
 PGD 80000001008b7067 P4D 80000001008b7067 PUD 2393f1067 PMD 2393ec067 PTE 8000000108f47867
 Oops: 0001 [#1] PREEMPT SMP PTI
 CPU: 1 PID: 1 Comm: systemd Kdump: loaded Not tainted 5.14.0-32.el9.x86_64 #1
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:strlen+0x0/0x20
 Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11
       48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8
       48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31
 RSP: 0018:ffffb5b900013e48 EFLAGS: 00010246
 RAX: 0000000000000018 RBX: ffff8fc1c49ede00 RCX: 0000000000000000
 RDX: 0000000000000020 RSI: ffff8fc1c02d601c RDI: 00007fffaae8ef60
 RBP: 00007fffaae8ef60 R08: 0005034f4ddb8ea4 R09: 0000000000000000
 R10: ffff8fc1c02d601c R11: 0000000000000000 R12: ffff8fc1c8a6e380
 R13: 0000000000000000 R14: ffff8fc1c02d6010 R15: ffff8fc1c00453c0
 FS:  00007fa86123db40(0000) GS:ffff8fc2ffd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fffaae8ef60 CR3: 0000000102880001 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  filter_pred_pchar+0x18/0x40
  filter_match_preds+0x31/0x70
  ftrace_syscall_enter+0x27a/0x2c0
  syscall_trace_enter.constprop.0+0x1aa/0x1d0
  do_syscall_64+0x16/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fa861d88664

To be even more robust, test both kernel and user space strings. If the
string fails to read, then simply have the filter fail.

Link: https://lore.kernel.org/all/20220107044951.22080-1-kernelfans@gmail.com/
Link: https://lkml.kernel.org/r/20220110115532.536088fd@gandalf.local.home

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Reported-by: Pingfan Liu <kernelfans@gmail.com>
Fixes: 87a342f5db69d ("tracing/filters: Support filtering for char * strings")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
 Documentation/trace/events.rst     | 10 +++++
 kernel/trace/trace_events_filter.c | 59 ++++++++++++++++++++++++++++--
 2 files changed, 66 insertions(+), 3 deletions(-)

diff --git a/Documentation/trace/events.rst b/Documentation/trace/events.rst
index 8ddb9b09451c..45e66a60a816 100644
--- a/Documentation/trace/events.rst
+++ b/Documentation/trace/events.rst
@@ -230,6 +230,16 @@ Currently the caret ('^') for an error always appears at the beginning of
 the filter string; the error message should still be useful though
 even without more accurate position info.
 
+5.2.1 Filter limitations
+------------------------
+
+If a filter is placed on a string pointer ``(char *)`` that does not point
+to a string on the ring buffer, but instead points to kernel or user space
+memory, then, for safety reasons, at most 1024 bytes of the content is
+copied onto a temporary buffer to do the compare. If the copy of the memory
+faults (the pointer points to memory that should not be accessed), then the
+string compare will be treated as not matching.
+
 5.3 Clearing filters
 --------------------
 
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 996920ed1812..91352a64be09 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2009 Tom Zanussi <tzanussi@gmail.com>
  */
 
+#include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/ctype.h>
 #include <linux/mutex.h>
@@ -654,6 +655,40 @@ DEFINE_EQUALITY_PRED(32);
 DEFINE_EQUALITY_PRED(16);
 DEFINE_EQUALITY_PRED(8);
 
+/* user space strings temp buffer */
+#define USTRING_BUF_SIZE	1024
+
+struct ustring_buffer {
+	char		buffer[USTRING_BUF_SIZE];
+};
+
+static __percpu struct ustring_buffer *ustring_per_cpu;
+
+static __always_inline char *test_string(char *str)
+{
+	struct ustring_buffer *ubuf;
+	char __user *ustr;
+	char *kstr;
+
+	if (!ustring_per_cpu)
+		return NULL;
+
+	ubuf = this_cpu_ptr(ustring_per_cpu);
+	kstr = ubuf->buffer;
+
+	if (likely((unsigned long)str >= TASK_SIZE)) {
+		/* For safety, do not trust the string pointer */
+		if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE))
+			return NULL;
+	} else {
+		/* user space address? */
+		ustr = (char __user *)str;
+		if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE))
+			return NULL;
+	}
+	return kstr;
+}
+
 /* Filter predicate for fixed sized arrays of characters */
 static int filter_pred_string(struct filter_pred *pred, void *event)
 {
@@ -671,10 +706,16 @@ static int filter_pred_string(struct filter_pred *pred, void *event)
 static int filter_pred_pchar(struct filter_pred *pred, void *event)
 {
 	char **addr = (char **)(event + pred->offset);
+	char *str;
 	int cmp, match;
-	int len = strlen(*addr) + 1;	/* including tailing '\0' */
+	int len;
 
-	cmp = pred->regex.match(*addr, &pred->regex, len);
+	str = test_string(*addr);
+	if (!str)
+		return 0;
+
+	len = strlen(str) + 1;	/* including tailing '\0' */
+	cmp = pred->regex.match(str, &pred->regex, len);
 
 	match = cmp ^ pred->not;
 
@@ -1348,8 +1389,17 @@ static int parse_pred(const char *str, void *data,
 			pred->fn = filter_pred_strloc;
 		} else if (field->filter_type == FILTER_RDYN_STRING)
 			pred->fn = filter_pred_strrelloc;
-		else
+		else {
+
+			if (!ustring_per_cpu) {
+				/* Once allocated, keep it around for good */
+				ustring_per_cpu = alloc_percpu(struct ustring_buffer);
+				if (!ustring_per_cpu)
+					goto err_mem;
+			}
+
 			pred->fn = filter_pred_pchar;
+		}
 		/* go past the last quote */
 		i++;
 
@@ -1415,6 +1465,9 @@ static int parse_pred(const char *str, void *data,
 err_free:
 	kfree(pred);
 	return -EINVAL;
+err_mem:
+	kfree(pred);
+	return -ENOMEM;
 }
 
 enum {
-- 
2.33.0

  parent reply	other threads:[~2022-01-11 17:31 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-11 17:30 [for-next][PATCH 00/31] tracing: Final updates for 5.17 Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 01/31] tracing: Change event_command func() to parse() Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 02/31] tracing: Change event_trigger_ops func() to trigger() Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 03/31] tracing: Remove ops param from event_command reg()/unreg() callbacks Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 04/31] tracing: Add helper functions to simplify event_command.parse() callback handling Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 05/31] tracing: Have existing event_command.parse() implementations use helpers Steven Rostedt
2022-01-13 17:03   ` Daniel Bristot de Oliveira
2022-01-13 21:20     ` Steven Rostedt
2022-01-13 21:27       ` Steven Rostedt
2022-01-13 21:58       ` Tom Zanussi
2022-01-11 17:30 ` [for-next][PATCH 06/31] tracing: Remove redundant trigger_ops params Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 07/31] tracing: Account bottom half disabled sections Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 08/31] tracing/uprobes: Check the return value of kstrdup() for tu->filename Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 09/31] tracing/probes: check the return value of kstrndup() for pbuf Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 10/31] scripts: ftrace - move the sort-processing in ftrace_init Steven Rostedt
2022-01-15 20:36   ` Nathan Chancellor
2022-01-16  3:59     ` Steven Rostedt
2022-01-16  4:10       ` Nathan Chancellor
2022-01-17  6:23       ` [PATCH 0/1] fix initialization problems Yinan Liu
2022-01-17  6:23         ` [PATCH 1/1] script/sorttable: fix some " Yinan Liu
2022-01-17 22:56           ` Nathan Chancellor
2022-01-18  6:52       ` [PATCH v2] " Yinan Liu
2022-01-11 17:30 ` [for-next][PATCH 11/31] ftrace: Add test to make sure compiled time sorts work Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 12/31] tracing: Fix mismatched comment in __string_len Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 13/31] tracing: Have syscall trace events use trace_event_buffer_lock_reserve() Steven Rostedt
2022-01-11 17:30 ` Steven Rostedt [this message]
2022-01-11 17:30 ` [for-next][PATCH 15/31] tracing/kprobes: nmissed not showed correctly for kretprobe Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 16/31] rtla: Real-Time Linux Analysis tool Steven Rostedt
2022-01-12 11:15   ` Daniel Bristot de Oliveira
2022-01-12 16:21     ` Steven Rostedt
2022-01-12 16:30       ` Steven Rostedt
2022-01-12 16:32         ` Daniel Bristot de Oliveira
2022-01-12 17:14         ` Steven Rostedt
2022-01-12 17:16           ` Steven Rostedt
2022-01-12 17:21             ` Daniel Bristot de Oliveira
2022-01-11 17:30 ` [for-next][PATCH 17/31] rtla: Helper functions for rtla Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 18/31] rtla: Add osnoise tool Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 19/31] rtla/osnoise: Add osnoise top mode Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 20/31] rtla/osnoise: Add the hist mode Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 21/31] rtla: Add timerlat tool and timelart top mode Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 22/31] rtla/timerlat: Add timerlat hist mode Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 23/31] rtla: Add Documentation Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 24/31] rtla: Add rtla osnoise man page Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 25/31] rtla: Add rtla osnoise top documentation Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 26/31] rtla: Add rtla osnoise hist documentation Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 27/31] rtla: Add rtla timerlat documentation Steven Rostedt
2022-01-11 17:30 ` [for-next][PATCH 28/31] rtla: Add rtla timerlat top documentation Steven Rostedt
2022-01-11 17:31 ` [for-next][PATCH 29/31] rtla: Add rtla timerlat hist documentation Steven Rostedt
2022-01-11 17:31 ` [for-next][PATCH 30/31] tracing: Remove duplicate warnings when calling trace_create_file() Steven Rostedt
2022-01-11 17:31 ` [for-next][PATCH 31/31] tracing/osnoise: Properly unhook events if start_per_cpu_kthreads() fails Steven Rostedt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220111173115.817658520@goodmis.org \
    --to=rostedt@goodmis.org \
    --cc=akpm@linux-foundation.org \
    --cc=kernelfans@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhiramat@kernel.org \
    --cc=mingo@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=zanussi@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome