[PATCH] kprobes: Limit max data_size of the kretprobe instances
From: Masami Hiramatsu
Date: Wed Dec 01 2021 - 09:46:22 EST
The kretprobe::data_size is unsigned (size_t) but it is
used as 'data_size + sizeof(struct kretprobe_instance)'.
Thus, it can be smaller than sizeof(struct kretprobe_instance)
while allocating memory for the kretprobe_instance.
To avoid this issue, introduce a max limitation of the
kretprobe::data_size. 4KB per instance should be OK.
Reported-by: zhangyue <zhangyue1@xxxxxxxxxx>
Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
---
include/linux/kprobes.h | 2 ++
kernel/kprobes.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
index e974caf39d3e..8c8f7a4d93af 100644
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -153,6 +153,8 @@ struct kretprobe {
struct kretprobe_holder *rph;
};
+#define KRETPROBE_MAX_DATA_SIZE 4096
+
struct kretprobe_instance {
union {
struct freelist_node freelist;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index e9db0c810554..21eccc961bba 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp)
}
}
+ if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)
+ return -E2BIG;
+
rp->kp.pre_handler = pre_handler_kretprobe;
rp->kp.post_handler = NULL;