mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-15 11:37:47 +00:00
ring-buffer fixes for v6.13:
- Fix possible overflow of mmapped ring buffer with bad offset If the mmap() to the ring buffer passes in a start address that is passed the end of the mmapped file, it is not caught and a slab-out-of-bounds is triggered. Add a check to make sure the start address is within the bounds - Do not use TP_printk() to boot mapped ring buffers As a boot mapped ring buffer's data may have pointers that map to the previous boot's memory map, it is unsafe to allow the TP_printk() to be used to read the boot mapped buffer's events. If a TP_printk() points to a static string from within the kernel it will not match the current kernel mapping if KASLR is active, and it can fault. Have it simply print out the raw fields. -----BEGIN PGP SIGNATURE----- iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCZ2QuXRQccm9zdGVkdEBn b29kbWlzLm9yZwAKCRAp5XQQmuv6qncvAQDf2s2WWsy4pYp2mpRtBXvAPf6tpBdi J9eceJQbwJVJHAEApQjEFfbUxLh2WgPU1Cn++PwDA+NLiru70+S0vtDLWwE= =OI+v -----END PGP SIGNATURE----- Merge tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull ring-buffer fixes from Steven Rostedt: - Fix possible overflow of mmapped ring buffer with bad offset If the mmap() to the ring buffer passes in a start address that is passed the end of the mmapped file, it is not caught and a slab-out-of-bounds is triggered. Add a check to make sure the start address is within the bounds - Do not use TP_printk() to boot mapped ring buffers As a boot mapped ring buffer's data may have pointers that map to the previous boot's memory map, it is unsafe to allow the TP_printk() to be used to read the boot mapped buffer's events. If a TP_printk() points to a static string from within the kernel it will not match the current kernel mapping if KASLR is active, and it can fault. Have it simply print out the raw fields. 
* tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers ring-buffer: Fix overflow in __rb_map_vma
commit
5b83bcdea5
@ -7019,7 +7019,11 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer,
|
||||
lockdep_assert_held(&cpu_buffer->mapping_lock);
|
||||
|
||||
nr_subbufs = cpu_buffer->nr_pages + 1; /* + reader-subbuf */
|
||||
nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */
|
||||
nr_pages = ((nr_subbufs + 1) << subbuf_order); /* + meta-page */
|
||||
if (nr_pages <= pgoff)
|
||||
return -EINVAL;
|
||||
|
||||
nr_pages -= pgoff;
|
||||
|
||||
nr_vma_pages = vma_pages(vma);
|
||||
if (!nr_vma_pages || nr_vma_pages > nr_pages)
|
||||
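Review bot: The new `if (nr_pages <= pgoff)` guard has no comment saying why the comparison must run before `nr_pages -= pgoff`, and that ordering is the whole fix. If these counters are unsigned (their declarations are outside the hunk), the old single-expression subtraction would wrap to a very large value for an offset at or past the end, and the `nr_vma_pages > nr_pages` test below would then stop rejecting oversized mappings. I would add `/* pgoff is caller-controlled via mmap(); reject offsets at or past the end before subtracting so nr_pages cannot wrap */` above the check. The body of `__rb_map_vma` starts and ends outside the hunk, so whether the later page-mapping code depends on any other bound cannot be confirmed from here; a regression test that maps with an offset past the end and expects `-EINVAL` would keep this from coming back.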
|
@ -4206,6 +4206,15 @@ static enum print_line_t print_trace_fmt(struct trace_iterator *iter)
|
||||
if (event) {
|
||||
if (tr->trace_flags & TRACE_ITER_FIELDS)
|
||||
return print_event_fields(iter, event);
|
||||
/*
|
||||
* For TRACE_EVENT() events, the print_fmt is not
|
||||
* safe to use if the array has delta offsets
|
||||
* Force printing via the fields.
|
||||
*/
|
||||
if ((tr->text_delta || tr->data_delta) &&
|
||||
event->type > __TRACE_LAST_TYPE)
|
||||
return print_event_fields(iter, event);
|
||||
|
||||
return event->funcs->trace(iter, sym_flags, event);
|
||||
}
|
||||
|
||||
|
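Review bot: The added comment in `print_trace_fmt` says the print_fmt is unsafe "if the array has delta offsets" but leaves the reason in the commit message only. I would extend it with a line such as `* The buffer may hold pointers from a previous boot that no longer match this kernel's mapping (KASLR), so dereferencing them can fault.` The guard also applies only to `event->type > __TRACE_LAST_TYPE`, so built-in event types still reach `event->funcs->trace()` when `text_delta` or `data_delta` is set. Whether those handlers compensate for the deltas themselves is not visible in this hunk and is worth stating in the comment. The function continues outside the hunk.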