summaryrefslogtreecommitdiff
path: root/kernel
diff options
context:
space:
mode:
authorMasami Hiramatsu <mhiramat@kernel.org>2021-12-01 23:45:50 +0900
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-12-08 09:01:10 +0100
commitc2e2ccaac3d9f31e711ac141f95fecf352cff4c2 (patch)
tree017260f13a62aa9caf469d288c5089120c2a68c2 /kernel
parent03ee5e8c63c3d0d5150699b570b6dcf74e2759b3 (diff)
kprobes: Limit max data_size of the kretprobe instances
commit 6bbfa44116689469267f1a6e3d233b52114139d2 upstream. The 'kprobe::data_size' is unsigned, thus it can not be negative. But if user sets it enough big number (e.g. (size_t)-8), the result of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance are allocated without enough memory, and kretprobe accesses outside of allocated memory. To avoid this issue, introduce a max limitation of the kretprobe::data_size. 4KB per instance should be OK. Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2 Cc: stable@vger.kernel.org Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler") Reported-by: zhangyue <zhangyue1@kylinos.cn> Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/kprobes.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 1668439b269d..c93340bae3ac 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2003,6 +2003,9 @@ int register_kretprobe(struct kretprobe *rp)
}
}
+ if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)
+ return -E2BIG;
+
rp->kp.pre_handler = pre_handler_kretprobe;
rp->kp.post_handler = NULL;
rp->kp.fault_handler = NULL;