[thirdparty/kernel/stable-queue.git] / pending-5.1 / tracing-uprobe-fix-null-pointer-dereference-in-trace_uprobe_create.patch

From f01098c74b5219f3969d4750eeed1a36bfc038e3 Mon Sep 17 00:00:00 2001
From: Eiichi Tsukata <devel@etsukata.com>
Date: Fri, 14 Jun 2019 16:40:25 +0900
Subject: tracing/uprobe: Fix NULL pointer dereference in trace_uprobe_create()

From: Eiichi Tsukata <devel@etsukata.com>

commit f01098c74b5219f3969d4750eeed1a36bfc038e3 upstream.

Just like the case of commit 8b05a3a7503c ("tracing/kprobes: Fix NULL
pointer dereference in trace_kprobe_create()"), writing an incorrectly
formatted string to uprobe_events can trigger NULL pointer dereference.

Reporeducer:

  # echo r > /sys/kernel/debug/tracing/uprobe_events

dmesg:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 8000000079d12067 P4D 8000000079d12067 PUD 7b7ab067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 1903 Comm: bash Not tainted 5.2.0-rc3+ #15
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
  RIP: 0010:strchr+0x0/0x30
  Code: c0 eb 0d 84 c9 74 18 48 83 c0 01 48 39 d0 74 0f 0f b6 0c 07 3a 0c 06 74 ea 19 c0 83 c8 01 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 <0f> b6 07 89 f2 40 38 f0 75 0e eb 13 0f b6 47 01 48 83 c
  RSP: 0018:ffffb55fc0403d10 EFLAGS: 00010293

  RAX: ffff993ffb793400 RBX: 0000000000000000 RCX: ffffffffa4852625
  RDX: 0000000000000000 RSI: 000000000000002f RDI: 0000000000000000
  RBP: ffffb55fc0403dd0 R08: ffff993ffb793400 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  R13: ffff993ff9cc1668 R14: 0000000000000001 R15: 0000000000000000
  FS:  00007f30c5147700(0000) GS:ffff993ffda00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 000000007b628000 CR4: 00000000000006f0
  Call Trace:
   trace_uprobe_create+0xe6/0xb10
   ? __kmalloc_track_caller+0xe6/0x1c0
   ? __kmalloc+0xf0/0x1d0
   ? trace_uprobe_create+0xb10/0xb10
   create_or_delete_trace_uprobe+0x35/0x90
   ? trace_uprobe_create+0xb10/0xb10
   trace_run_command+0x9c/0xb0
   trace_parse_run_command+0xf9/0x1eb
   ? probes_open+0x80/0x80
   __vfs_write+0x43/0x90
   vfs_write+0x14a/0x2a0
   ksys_write+0xa2/0x170
   do_syscall_64+0x7f/0x200
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

Link: http://lkml.kernel.org/r/20190614074026.8045-1-devel@etsukata.com

Cc: stable@vger.kernel.org
Fixes: 0597c49c69d5 ("tracing/uprobes: Use dyn_event framework for uprobe events")
Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_uprobe.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -434,10 +434,17 @@ static int trace_uprobe_create(int argc,
 	ret = 0;
 	ref_ctr_offset = 0;
 
-	/* argc must be >= 1 */
-	if (argv[0][0] == 'r')
+	switch (argv[0][0]) {
+	case 'r':
 		is_return = true;
-	else if (argv[0][0] != 'p' || argc < 2)
+		break;
+	case 'p':
+		break;
+	default:
+		return -ECANCELED;
+	}
+
+	if (argc < 2)
 		return -ECANCELED;
 
 	if (argv[0][1] == ':')
Commit	Line	Data
452f9198 GKH	1	From f01098c74b5219f3969d4750eeed1a36bfc038e3 Mon Sep 17 00:00:00 2001
	2	From: Eiichi Tsukata <devel@etsukata.com>
	3	Date: Fri, 14 Jun 2019 16:40:25 +0900
	4	Subject: tracing/uprobe: Fix NULL pointer dereference in trace_uprobe_create()
	5
	6	From: Eiichi Tsukata <devel@etsukata.com>
	7
	8	commit f01098c74b5219f3969d4750eeed1a36bfc038e3 upstream.
	9
	10	Just like the case of commit 8b05a3a7503c ("tracing/kprobes: Fix NULL
	11	pointer dereference in trace_kprobe_create()"), writing an incorrectly
	12	formatted string to uprobe_events can trigger NULL pointer dereference.
	13
	14	Reporeducer:
	15
	16	# echo r > /sys/kernel/debug/tracing/uprobe_events
	17
	18	dmesg:
	19
	20	BUG: kernel NULL pointer dereference, address: 0000000000000000
	21	#PF: supervisor read access in kernel mode
	22	#PF: error_code(0x0000) - not-present page
	23	PGD 8000000079d12067 P4D 8000000079d12067 PUD 7b7ab067 PMD 0
	24	Oops: 0000 [#1] PREEMPT SMP PTI
	25	CPU: 0 PID: 1903 Comm: bash Not tainted 5.2.0-rc3+ #15
	26	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
	27	RIP: 0010:strchr+0x0/0x30
	28	Code: c0 eb 0d 84 c9 74 18 48 83 c0 01 48 39 d0 74 0f 0f b6 0c 07 3a 0c 06 74 ea 19 c0 83 c8 01 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 <0f> b6 07 89 f2 40 38 f0 75 0e eb 13 0f b6 47 01 48 83 c
	29	RSP: 0018:ffffb55fc0403d10 EFLAGS: 00010293
	30
	31	RAX: ffff993ffb793400 RBX: 0000000000000000 RCX: ffffffffa4852625
	32	RDX: 0000000000000000 RSI: 000000000000002f RDI: 0000000000000000
	33	RBP: ffffb55fc0403dd0 R08: ffff993ffb793400 R09: 0000000000000000
	34	R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
	35	R13: ffff993ff9cc1668 R14: 0000000000000001 R15: 0000000000000000
	36	FS: 00007f30c5147700(0000) GS:ffff993ffda00000(0000) knlGS:0000000000000000
	37	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	38	CR2: 0000000000000000 CR3: 000000007b628000 CR4: 00000000000006f0
	39	Call Trace:
	40	trace_uprobe_create+0xe6/0xb10
	41	? __kmalloc_track_caller+0xe6/0x1c0
	42	? __kmalloc+0xf0/0x1d0
	43	? trace_uprobe_create+0xb10/0xb10
	44	create_or_delete_trace_uprobe+0x35/0x90
	45	? trace_uprobe_create+0xb10/0xb10
	46	trace_run_command+0x9c/0xb0
	47	trace_parse_run_command+0xf9/0x1eb
	48	? probes_open+0x80/0x80
	49	__vfs_write+0x43/0x90
	50	vfs_write+0x14a/0x2a0
	51	ksys_write+0xa2/0x170
	52	do_syscall_64+0x7f/0x200
	53	entry_SYSCALL_64_after_hwframe+0x49/0xbe
	54
	55	Link: http://lkml.kernel.org/r/20190614074026.8045-1-devel@etsukata.com
	56
	57	Cc: stable@vger.kernel.org
	58	Fixes: 0597c49c69d5 ("tracing/uprobes: Use dyn_event framework for uprobe events")
	59	Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
	60	Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
	61	Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
	62	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	63
	64	---
65	kernel/trace/trace_uprobe.c \| 13 ++++++++++---
66	1 file changed, 10 insertions(+), 3 deletions(-)
67
68	--- a/kernel/trace/trace_uprobe.c
69	+++ b/kernel/trace/trace_uprobe.c
70	@@ -434,10 +434,17 @@ static int trace_uprobe_create(int argc,
71	ret = 0;
72	ref_ctr_offset = 0;
73
74	- /* argc must be >= 1 */
75	- if (argv[0][0] == 'r')
76	+ switch (argv[0][0]) {
77	+ case 'r':
78	is_return = true;
79	- else if (argv[0][0] != 'p' \|\| argc < 2)
80	+ break;
81	+ case 'p':
82	+ break;
83	+ default:
84	+ return -ECANCELED;
85	+ }
86	+
87	+ if (argc < 2)
88	return -ECANCELED;
89
90	if (argv[0][1] == ':')