Commit 1aa54bca Author: Marcin Slusarz Committer: Steven Rostedt

tracing: Sanitize value returned from write(trace_marker, "...", len)

When userspace code writes a non-newline-terminated string to the trace_marker
file, the write handler appends a newline and returns the number of bytes written
to the trace buffer, so
write(fd, "abc", 3) will return 4

That's unexpected and unfortunately it confuses glibc's fprintf function.

Example:
#include <stdio.h>

int main() {
  fprintf(stderr, "abc");
  return 0;
}

$ gcc test.c -o test
$ echo mmiotrace > /sys/kernel/debug/tracing/current_tracer
$ ./test 2>/sys/kernel/debug/tracing/trace_marker

results in an infinite loop:
write(fd, "abc", 3) = 4
write(fd, "", 1) = 0
write(fd, "", 1) = 0
write(fd, "", 1) = 0
write(fd, "", 1) = 0
write(fd, "", 1) = 0
write(fd, "", 1) = 0
write(fd, "", 1) = 0
(...)

...and a kernel trace buffer full of empty markers.

Fix it by sanitizing the write return value.

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
LKML-Reference: <20100727231801.GB2826@joi.lan>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Parent 2a37a3df
...@@ -3498,6 +3498,7 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, ...@@ -3498,6 +3498,7 @@ tracing_mark_write(struct file *filp, const char __user *ubuf,
size_t cnt, loff_t *fpos) size_t cnt, loff_t *fpos)
{ {
char *buf; char *buf;
size_t written;
if (tracing_disabled) if (tracing_disabled)
return -EINVAL; return -EINVAL;
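Review bot: `size_t written;` makes the variable that receives the mark_printk() result unsigned, which matters for the clamp added further down. The return type of mark_printk() is not visible in this diff; if it can return a negative value, that value becomes a very large `written`, the later `written > cnt` test clamps it to `cnt`, and userspace is told the whole write succeeded. Consider a signed type such as `ssize_t` with an explicit negative check before the clamp, or a comment stating that mark_printk() cannot fail here.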
...@@ -3519,11 +3520,15 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, ...@@ -3519,11 +3520,15 @@ tracing_mark_write(struct file *filp, const char __user *ubuf,
} else } else
buf[cnt] = '\0'; buf[cnt] = '\0';
cnt = mark_printk("%s", buf); written = mark_printk("%s", buf);
kfree(buf); kfree(buf);
*fpos += cnt; *fpos += written;
return cnt; /* don't tell userspace we wrote more - it might confuse them */
if (written > cnt)
written = cnt;
return written;
} }
static int tracing_clock_show(struct seq_file *m, void *v) static int tracing_clock_show(struct seq_file *m, void *v)
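Review bot: `*fpos += written;` runs before the clamp, so when a newline is appended the file position advances by one byte more than the count returned to userspace. If that is intended because fpos tracks bytes placed in the trace buffer, extend the comment to say so; otherwise move the `if (written > cnt)` clamp above the `*fpos` update so the position and the return value agree.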
......