ftrace: Fix invalid address access in lookup_rec() when index is 0

mainline inclusion from mainline-v6.3-rc2 commit ee92fa44 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6NJNA CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee92fa443358 -------------------------------- KASAN reported follow problem: BUG: KASAN: use-after-free in lookup_rec Read of size 8 at addr ffff000199270ff0 by task modprobe CPU: 2 Comm: modprobe Call trace: kasan_report __asan_load8 lookup_rec ftrace_location arch_check_ftrace_location check_kprobe_address_safe register_kprobe When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a pg which is newly added to ftrace_pages_start in ftrace_process_locs(). Before the first pg->index++, index is 0 and accessing pg->records[-1].ip will cause this problem. Don't check the ip when pg->index is 0. Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com Cc: stable@vger.kernel.org Fixes: 9644302e ("ftrace: Speed up search by skipping pages by address") Suggested-by: N Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: N Chen Zhongjin <chenzhongjin@huawei.com> Signed-off-by: N Steven Rostedt (Google) <rostedt@goodmis.org> Reviewed-by: N Zheng Yejian <zhengyejian1@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

ftrace: Fix invalid address access in lookup_rec() when index is 0
mainline inclusion from mainline-v6.3-rc2 commit ee92fa44 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6NJNA CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee92fa443358 -------------------------------- KASAN reported follow problem: BUG: KASAN: use-after-free in lookup_rec Read of size 8 at addr ffff000199270ff0 by task modprobe CPU: 2 Comm: modprobe Call trace: kasan_report __asan_load8 lookup_rec ftrace_location arch_check_ftrace_location check_kprobe_address_safe register_kprobe When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a pg which is newly added to ftrace_pages_start in ftrace_process_locs(). Before the first pg->index++, index is 0 and accessing pg->records[-1].ip will cause this problem. Don't check the ip when pg->index is 0. Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com Cc: stable@vger.kernel.org Fixes: 9644302e ("ftrace: Speed up search by skipping pages by address") Suggested-by: N Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: N Chen Zhongjin <chenzhongjin@huawei.com> Signed-off-by: N Steven Rostedt (Google) <rostedt@goodmis.org> Reviewed-by: N Zheng Yejian <zhengyejian1@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
0dda9467 · Chen Zhongjin · Jialin Zhang · 060210a9 · 0dda9467
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

kernel/trace/ftrace.c kernel/trace/ftrace.c +2 -1

未找到文件。
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1538,7 +1538,8 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end)
 	key.flags = end;	/* overload flags, as it is unsigned long */

 	for (pg = ftrace_pages_start; pg; pg = pg->next) {
-		if (end < pg->records[0].ip ||
+		if (pg->index == 0 ||
+		    end < pg->records[0].ip ||
 		    start >= (pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE))
 			continue;
 		rec = bsearch(&key, pg->records, pg->index,