Re: [PATCH 2/2] tracing: Add a verifier to check string pointers for trace events
From: Steven Rostedt
Date: Fri Jun 04 2021 - 22:50:11 EST
On Fri, 4 Jun 2021 22:28:30 -0400
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> What you described to me does not sound like a false positive, and
> converting to __string() is not a workaround but an actual fix, and
> would also need to be backported to stable.
If the event you are talking about is kvm_nested_vmenter_failed, which
records a pointer to the message, then, yes, that is unsafe and buggy.
If that event is defined by the kvm module, and used in kvm_intel. If
you have this:
# echo 1 > /sys/kernel/tracing/events/kvm/kvm_nested_vmenter_failed
# do_whatever_causes_that_to_trigger
# rmmod kvm_intel
# cat trace
Then that pointer to the string will point to some random memory.
Before this patch, it could even possibly crash the kernel!
There's two fixes you can do with this. One is to covert that to use
__string, the other is to do what RCU does, and use the
tracepoint_string() functionality.
RCU has:
#define TPS(x) tracepoint_string(x)
And wrap all strings with that TPS(), like in nested_vmx_reflect_vmexit():
if (unlikely(vmx->fail)) {
trace_kvm_nested_vmenter_failed(
- "hardware VM-instruction error: ",
+ TPS("hardware VM-instruction error: "),
vmcs_read32(VM_INSTRUCTION_ERROR));
exit_intr_info = 0;
exit_qual = 0;
goto reflect_vmexit;
}
What the tracepoint_string does is to save the string into core kernel
memory (there's logic to use the same string if it is already
available), and it wont free it when the module is unloaded.
This makes the string safe to use by the trace event directly.
Not only is the TPS safe, it also allows userspace tools to know what
the string is, as it is exported in printk_formats. Otherwise trace-cmd
and perf will only display a pointer hex value as it has no idea what
its pointing to (both TPS and __string fixes this).
-- Steve