[PATCH] kprobes: fix out-of-bounds in register_kretprobe

From: zhangyue
Date: Wed Dec 01 2021 - 00:49:25 EST


When the data 'rp->data_size' is negative, the code
'sizeof(struct kretprobe_instance)+rp->data_size'
is less than 'sizeof(struct kretprobe_instance)'

In that case the pointer 'inst' may be used out of
bounds.

Signed-off-by: zhangyue <zhangyue1@xxxxxxxxxx>
---
kernel/kprobes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 1cf8bca1ea86..71cf6bde299f 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1983,7 +1983,7 @@ int kprobe_on_func_entry(kprobe_opcode_t *addr, const char *sym, unsigned long o
int register_kretprobe(struct kretprobe *rp)
{
int ret;
- struct kretprobe_instance *inst;
+ struct kretprobe_instance *inst = NULL;
int i;
void *addr;

@@ -2024,7 +2024,8 @@ int register_kretprobe(struct kretprobe *rp)

rp->rph->rp = rp;
for (i = 0; i < rp->maxactive; i++) {
- inst = kzalloc(sizeof(struct kretprobe_instance) +
+ if (rp->data_size >= 0)
+ inst = kzalloc(sizeof(struct kretprobe_instance) +
rp->data_size, GFP_KERNEL);
if (inst == NULL) {
refcount_set(&rp->rph->ref, i);
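Review bot: The guard added in front of kzalloc turns a bad `rp->data_size` into a silent fall-through to the `inst == NULL` branch, so invalid caller input is reported as an allocation failure and cleaned up by the refcount_set path rather than rejected as -EINVAL, and the check is re-evaluated on every loop iteration. If `data_size` is an unsigned `size_t`, as I believe the kretprobe definition declares it, `rp->data_size >= 0` is always true and the guard is dead code (compilers warn about it), which would leave the original sum unchanged. The real hazard in the size expression is unsigned wrap-around in `sizeof(struct kretprobe_instance) + rp->data_size` for a huge `data_size`, which yields an undersized allocation; validate that once before the loop next to the existing maxactive checks, e.g. `if (rp->data_size > SIZE_MAX - sizeof(*inst)) return -EINVAL;`, or compute the size with `struct_size()` if the trailing data member is a flexible array, so the allocation itself cannot overflow. The NULL initialisation in the first hunk then becomes unnecessary. register_kretprobe begins before and continues after this hunk.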
--
2.30.0