Re: [PATCH v5 12/12] user_events: Validate user payloads for size and null termination

From: Beau Belgrave
Date: Tue Nov 16 2021 - 16:11:57 EST


On Mon, Nov 15, 2021 at 04:50:47PM -0800, Beau Belgrave wrote:
> +static int user_event_validate(struct user_event *user, void *data, int len)
> +{
> + struct list_head *head = &user->validators;
> + struct user_event_validator *validator;
> + void *pos, *end = data + len;
> + u16 *val, offset, size;
> +
> + list_for_each_entry(validator, head, link) {
> + pos = data + validator->offset;
> + val = pos;
> +
> + /* Already done min_size check, no bounds check here */
> + offset = *val++;
> + size = *val++;

I believe I have these backwards, size should come first for both dyn
and rel data. Is this correct?

> diff --git a/tools/testing/selftests/user_events/ftrace_test.c b/tools/testing/selftests/user_events/ftrace_test.c
> index 9d53717139e6..bea694e9df8c 100644
> --- a/tools/testing/selftests/user_events/ftrace_test.c
> +++ b/tools/testing/selftests/user_events/ftrace_test.c
> @@ -21,6 +21,11 @@ const char *status_file = "/sys/kernel/debug/tracing/user_events_status";
> const char *enable_file = "/sys/kernel/debug/tracing/events/user_events/__test_event/enable";
> const char *trace_file = "/sys/kernel/debug/tracing/trace";
>
> +struct rel_loc {
> + __u16 offset;
> + __u16 size;
> +} __packed;
> +

Same here.

Thanks,
-Beau