Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for uprobe events

From: Masami Hiramatsu
Date: Wed Jan 23 2019 - 22:03:48 EST

Next message: Herbert Xu: "[v2 PATCH] rhashtable: Still do rehash when we get EEXIST"
Previous message: Paul Elder: "[PATCH v7 2/6] usb: gadget: uvc: enqueue usb request in setup handler for control OUT"
In reply to: Steven Rostedt: "Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for uprobe events"
Next in thread: Masami Hiramatsu: "[PATCH v2 2/3] tracing: probeevent: Do not accumulate on ret variable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 23 Jan 2019 21:09:56 -0500
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> On Thu, 24 Jan 2019 10:43:22 +0900
> Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote:
>
> > > > kernel/trace/trace_uprobe.c | 15 +++++++++++++--
> > > > 1 file changed, 13 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> > > > index 3a1d5ab6b4ba..b07e498ccbc6 100644
> > > > --- a/kernel/trace/trace_uprobe.c
> > > > +++ b/kernel/trace/trace_uprobe.c
> > > > @@ -156,7 +156,10 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
> > > > if (unlikely(!maxlen))
> > > > return -ENOMEM;
> > > >
> > > > - ret = strncpy_from_user(dst, src, maxlen);
> > > > + if (addr == (unsigned long)current->comm)
> > > > + ret = strlcpy(dst, current->comm, maxlen);
> > >
> > > As user space (although only root) defines the size of the event being
> > > stored, and we could trick addr to be current->comm (although
> > > difficult), we could possibly leak data if maxlen is > TASK_COMM_LEN. I
> > > would feel better if we tested maxlen against TASK_COMM_LEN in this
> > > case.
> > >
> > > if (maxlen > TASK_COMM_LEN)
> > > maxlen = TASK_COMM_LEN;
> > >
> > > Or if we don't think it can happen, add a WARN_ON(maxlen >
> > > TASK_COMM_LEN).
> >
> > Hmm, I thought current->comm is null terminated, isn't it?
>
> Yes it is. I was thinking it was a memcpy (I blame conference fatigue ;-)
>
> > Anyway, if user can specify current->comm, he must be able to specify
> > current->comm + TASK_COMM_LEN too by kprobe_events.
> > Moreover, it can leak any data in kernel...
>
> But this is for uprobes, which I why I was concerned.

OK, what we will leak by this, is the address of current->comm to root
user for a specific application running instance.
Since they can try to write a data on a register and trace it like
"+0(%ax):string" and if rax register has hit the current->comm,
uprobe event will record comm, but other case, it will show "(fault)".
So they can trial and error on that (but leaking just a temporary
task instance address).

If you concern this, I can change it to store a special fixed value, like
(unsigned long)-EINVAL, instead of current->comm address. :-)

> > And also, maxlen is calculated by fetch_store_strlen, right before
> > this has been called.
> >
> > I rather concern the case that if we have shorter size of maxlen than
> > current->comm. Would we better show "(fault)" or tail-cut name ?
> > (of course this is very difficult to happen, since the length is
> > already checked.)
>
> Actually, it would still be OK, as strlcpy does guarantee to be nul
> terminated as long as it's greater than zero.

Ah, I meant that we can record a shorter name, like "shutdown" -> "sh".

> Hmm, strlcpy doesn't pad the rest if what is written is shorter than
> what is allocated. Could that leak data?

Even though, there should be a data that had been recorded on the ring
buffer.

Thank you,

--
Masami Hiramatsu <mhiramat@xxxxxxxxxx>

Next message: Herbert Xu: "[v2 PATCH] rhashtable: Still do rehash when we get EEXIST"
Previous message: Paul Elder: "[PATCH v7 2/6] usb: gadget: uvc: enqueue usb request in setup handler for control OUT"
In reply to: Steven Rostedt: "Re: [PATCH v2 1/3] tracing: uprobes: Re-enable $comm support for uprobe events"
Next in thread: Masami Hiramatsu: "[PATCH v2 2/3] tracing: probeevent: Do not accumulate on ret variable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]