Commit 2d98f7a4 authored Jan 07, 2025 by Lizhi Xu Committed by Luo Gengkun Jan 07, 2025

tracing: Prevent bad count for tracing_cpumask_write

mainline inclusion
from mainline-v6.13-rc5
commit 98feccbf32cfdde8c722bc4587aaa60ee5ac33f0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBG2PO
CVE: CVE-2024-56763

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98feccbf32cfdde8c722bc4587aaa60ee5ac33f0

--------------------------------

If a large count is provided, it will trigger a warning in bitmap_parse_user.
Also check zero for it.

Cc: stable@vger.kernel.org
Fixes: 9e01c1b7 ("cpumask: convert kernel trace functions")
Link: https://lore.kernel.org/20241216073238.2573704-1-lizhi.xu@windriver.com


Reported-by:  <syzbot+0aecfd34fb878546f3fd@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=0aecfd34fb878546f3fd


Tested-by:  <syzbot+0aecfd34fb878546f3fd@syzkaller.appspotmail.com>
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Luo Gengkun <luogengkun2@huawei.com>

parent b21ca724

kernel/trace/trace.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -4869,6 +4869,9 @@ tracing_cpumask_write(struct file filp, const char __user ubuf,
		cpumask_var_t tracing_cpumask_new;
		int err;

		if (count == 0 \|\| count > KMALLOC_MAX_SIZE)
		return -EINVAL;

		if (!zalloc_cpumask_var(&tracing_cpumask_new, GFP_KERNEL))
		return -ENOMEM;