Commit 161671a6 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'probes-fixes-v6.8-rc5' of...

Merge tag 'probes-fixes-v6.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull fprobe fix from Masami Hiramatsu:

 - allocate entry_data_size buffer for each rethook instance.

   This fixes a buffer overrun bug (which leads to a kernel crash)
   when an fprobe user uses its entry_data in the entry_handler.

* tag 'probes-fixes-v6.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  fprobe: Fix to allocate entry_data_size buffer with rethook instances
parents 2f03fc34 65727860
+6 −8
@@ -189,9 +189,6 @@ static int fprobe_init_rethook(struct fprobe *fp, int num)
{
	int size;

	if (num <= 0)
		return -EINVAL;

	if (!fp->exit_handler) {
		fp->rethook = NULL;
		return 0;
@@ -199,15 +196,16 @@ static int fprobe_init_rethook(struct fprobe *fp, int num)

	/* Initialize rethook if needed */
	if (fp->nr_maxactive)
		size = fp->nr_maxactive;
		num = fp->nr_maxactive;
	else
		size = num * num_possible_cpus() * 2;
	if (size <= 0)
		num *= num_possible_cpus() * 2;
	if (num <= 0)
		return -EINVAL;

	size = sizeof(struct fprobe_rethook_node) + fp->entry_data_size;

	/* Initialize rethook */
	fp->rethook = rethook_alloc((void *)fp, fprobe_exit_handler,
				sizeof(struct fprobe_rethook_node), size);
	fp->rethook = rethook_alloc((void *)fp, fprobe_exit_handler, size, num);
	if (IS_ERR(fp->rethook))
		return PTR_ERR(fp->rethook);
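Review bot: The new `size = sizeof(struct fprobe_rethook_node) + fp->entry_data_size;` in the second hunk stores the sum in an `int` with no range check, so an oversized `entry_data_size` could truncate or go negative before it reaches `rethook_alloc()`, leaving the per-node buffer smaller than the caller expects. Whether the registration path already bounds `entry_data_size` is not visible on this page; if it does not, a guard such as `if (check_add_overflow(sizeof(struct fprobe_rethook_node), fp->entry_data_size, &size)) return -EINVAL;` would reject the bad value instead of under-allocating. The same concern applies to `num *= num_possible_cpus() * 2;`, where the following `num <= 0` test only catches a wrap that happens to land on a non-positive value. A one-line comment above the `size` computation saying that each rethook node carries `entry_data_size` bytes of handler-private data would also record why the sizes were changed. The body of `fprobe_init_rethook()` continues past the end of the hunk.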