diff options
| author | Masami Hiramatsu <mhiramat@kernel.org> | 2021-12-01 17:45:50 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-08 10:46:54 +0300 |
| commit | 2f16a42930c06e87807663dde2e9b3a77f5da6c8 (patch) | |
| tree | 98409f3275bec6df810445b3c15d4cdf4e972b75 /include | |
| parent | 95d61f9fd20fbab3c06bb78e3a9d31f28a444c2a (diff) | |
| download | linux-2f16a42930c06e87807663dde2e9b3a77f5da6c8.tar.xz | |
kprobes: Limit max data_size of the kretprobe instances
commit 6bbfa44116689469267f1a6e3d233b52114139d2 upstream.
The 'kprobe::data_size' is unsigned, thus it can not be negative. But if
user sets it enough big number (e.g. (size_t)-8), the result of 'data_size
+ sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct
kretprobe_instance) or zero. In result, the kretprobe_instance are
allocated without enough memory, and kretprobe accesses outside of
allocated memory.
To avoid this issue, introduce a max limitation of the
kretprobe::data_size. 4KB per instance should be OK.
Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2
Cc: stable@vger.kernel.org
Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler")
Reported-by: zhangyue <zhangyue1@kylinos.cn>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/kprobes.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h index be7a49f437ea..019444c04f58 100644 --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -193,6 +193,8 @@ struct kretprobe { raw_spinlock_t lock; }; +#define KRETPROBE_MAX_DATA_SIZE 4096 + struct kretprobe_instance { struct hlist_node hlist; struct kretprobe *rp; |