Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for uprobe events

[Masami Hiramatsu]

On Wed, 23 Jan 2019 03:40:05 -0500
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> On Fri, 18 Jan 2019 13:44:25 +0900
> Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote:
> 
> > Since commit 533059281ee5 ("tracing: probeevent: Introduce new
> > argument fetching code") dropped the $comm support from uprobe
> > events, this re-enables it.
> > 
> > For $comm support, uses strlcpy() instead of strncpy_from_user()
> > to copy current task's comm. Because it is in the kernel space,
> > strncpy_from_user() always fails to copy the comm.
> > This also uses strlen() instead of strnlen_user() to measure the
> > length of the comm.
> > 
> > Fixes: 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code")
> > Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
> > Reported-by: Andreas Ziegler <andreas.ziegler@xxxxxx>
> > Acked-by: Andreas Ziegler <andreas.ziegler@xxxxxx>
> > ---
> >  kernel/trace/trace_uprobe.c |   15 +++++++++++++--
> >  1 file changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> > index 3a1d5ab6b4ba..b07e498ccbc6 100644
> > --- a/kernel/trace/trace_uprobe.c
> > +++ b/kernel/trace/trace_uprobe.c
> > @@ -156,7 +156,10 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
> >  	if (unlikely(!maxlen))
> >  		return -ENOMEM;
> >  
> > -	ret = strncpy_from_user(dst, src, maxlen);
> > +	if (addr == (unsigned long)current->comm)
> > +		ret = strlcpy(dst, current->comm, maxlen);
> 
> As user space (although only root) defines the size of the event being
> stored, and we could trick addr to be current->comm (although
> difficult), we could possibly leak data if maxlen is > TASK_COMM_LEN. I
> would feel better if we tested maxlen against TASK_COMM_LEN in this
> case.
> 
> 	if (maxlen > TASK_COMM_LEN)
> 		maxlen = TASK_COMM_LEN;
> 
> Or if we don't think it can happen, add a WARN_ON(maxlen >
> TASK_COMM_LEN).

Hmm, I thought current->comm is null terminated, isn't it?
Anyway, if user can specify current->comm, he must be able to specify 
current->comm + TASK_COMM_LEN too by kprobe_events.
Moreover, it can leak any data in kernel...

And also, maxlen is calculated by fetch_store_strlen, right before
this has been called.

I rather concern the case that if we have shorter size of maxlen than
current->comm. Would we better show "(fault)" or tail-cut name ?
(of course this is very difficult to happen, since the length is
already checked.)

Thank you,

> 
> -- Steve
> 
> 
> > +	else
> > +		ret = strncpy_from_user(dst, src, maxlen);
> >  	if (ret >= 0) {
> >  		if (ret == maxlen)
> >  			dst[ret - 1] = '\0';
> > @@ -180,7 +183,12 @@ fetch_store_strlen(unsigned long addr)
> >  	int len;
> >  	void __user *vaddr = (void __force __user *) addr;
> >  
> > -	len = strnlen_user(vaddr, MAX_STRING_SIZE);
> > +	if (addr == (unsigned long)current->comm) {
> > +		len = strlen(current->comm);
> > +		if (len)
> > +			len++;
> > +	} else
> > +		len = strnlen_user(vaddr, MAX_STRING_SIZE);
> >  
> >  	return (len > MAX_STRING_SIZE) ? 0 : len;
> >  }
> > @@ -220,6 +228,9 @@ process_fetch_insn(struct fetch_insn *code, struct pt_regs *regs, void *dest,
> >  	case FETCH_OP_IMM:
> >  		val = code->immediate;
> >  		break;
> > +	case FETCH_OP_COMM:
> > +		val = (unsigned long)current->comm;
> > +		break;
> >  	case FETCH_OP_FOFFS:
> >  		val = translate_user_vaddr(code->immediate);
> >  		break;
> 


-- 
Masami Hiramatsu <mhiramat@xxxxxxxxxx>