diff options
| author | Steven Rostedt (VMware) <rostedt@goodmis.org> | 2018-06-21 20:20:53 +0300 |
|---|---|---|
| committer | Steven Rostedt (VMware) <rostedt@goodmis.org> | 2018-06-21 22:12:42 +0300 |
| commit | 70303420b5721c38998cf987e6b7d30cc62d4ff1 (patch) | |
| tree | 38d63227ee4c7c8c9bd5fe49e7355ffa56b0ad37 /kernel/nsproxy.c | |
| parent | ce397d215ccd07b8ae3f71db689aedb85d56ab40 (diff) | |
| download | linux-70303420b5721c38998cf987e6b7d30cc62d4ff1.tar.xz | |
tracing: Check for no filter when processing event filters
The syzkaller detected a out-of-bounds issue with the events filter code,
specifically here:
prog[N].pred = NULL; /* #13 */
prog[N].target = 1; /* TRUE */
prog[N+1].pred = NULL;
prog[N+1].target = 0; /* FALSE */
-> prog[N-1].target = N;
prog[N-1].when_to_branch = false;
As that's the first reference to a "N-1" index, it appears that the code got
here with N = 0, which means the filter parser found no filter to parse
(which shouldn't ever happen, but apparently it did).
Add a new error to the parsing code that will check to make sure that N is
not zero before going into this part of the code. If N = 0, then -EINVAL is
returned, and a error message is added to the filter.
Cc: stable@vger.kernel.org
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
Reported-by: air icy <icytxw@gmail.com>
bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Diffstat (limited to 'kernel/nsproxy.c')
0 files changed, 0 insertions, 0 deletions