Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances

From: Masami Hiramatsu
Date: Wed Dec 01 2021 - 19:14:57 EST

Next message: Bjorn Andersson: "Re: [PATCH 04/16] arm64: dts: qcom: sm8350: Specify clock-frequency for arch timer"
Previous message: Rob Herring: "Re: [PATCH 1/2] dt-bindings: clock: exynos850: Add bindings for Exynos850 sysreg clocks"
In reply to: Steven Rostedt: "Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 1 Dec 2021 11:19:22 -0500
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> On Wed, 1 Dec 2021 23:45:50 +0900
> Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote:
>
> > The kretprobe::data_size is unsigned (size_t) but it is
> > used as 'data_size + sizeof(struct kretprobe_instance)'.
> > Thus, it can be smaller than sizeof(struct kretprobe_instance)
> > while allocating memory for the kretprobe_instance.
>
> The above doesn't make sense.
>
> data_size is unsigned but it is used as
> 'data_size + sizeof(struct kretprobe_instance)'.
>
> What does that mean?
>
> What can be smaller than sizeof(struct kretprobe_instance) and why does it
> matter?

OK, what about this ?

The 'kprobe::data_size' is unsigned, thus it can not be negative.
But if user sets it enough big number (e.g. (size_t)-8), the result
of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than
sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance
are allocated without enough memory, and kretprobe accesses outside of
allocated memory.

Thank you,

--
Masami Hiramatsu <mhiramat@xxxxxxxxxx>

Next message: Bjorn Andersson: "Re: [PATCH 04/16] arm64: dts: qcom: sm8350: Specify clock-frequency for arch timer"
Previous message: Rob Herring: "Re: [PATCH 1/2] dt-bindings: clock: exynos850: Add bindings for Exynos850 sysreg clocks"
In reply to: Steven Rostedt: "Re: [PATCH] kprobes: Limit max data_size of the kretprobe instances"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]