Re: [PATCH v2] tracing: Add test for user space strings when filtering on string pointers
From: Steven Rostedt
Date: Mon Jan 10 2022 - 19:21:10 EST
On Mon, 10 Jan 2022 22:03:20 +0000
David Laight <David.Laight@xxxxxxxxxx> wrote:
> > Only root has access to the information read here. All tracing requires
> > root or those explicitly given access to the tracing data, which pretty
> > much allows all access to kernel internals (including all memory). So
> > nothing to worry about here ;-)
>
> Is this filtering trace using a filename passed to a system call by a user program?
> In which case a user program can set up a system call that normally fails
> (because the copy_from_user() errors) but if root tries to run a system
> call event trace on that process can read arbitrary addresses and
> thus crash the system?
>
> While unlikely root might be persuaded to try to run the trace.
Yes. That's exactly what the code does today, and why it's a bug.
This patch instead uses copy_from_user_nofault/copy_from_kernel_nofault and
copies it into a temp buffer and then compares against that.
If a user passes in a crazy pointer, the copy_from_user/kernel_nofault()
will not read it, and the filter simply fails to match. Nothing bad will
happen.
-- Steve