!12798 uprobe: avoid out-of-bounds memory access of fetching args (645dfd83) · Commits · EulixOS / Software / Kernel

kernel/trace/trace_uprobe.c

+9 −3

Original line number	Diff line number	Diff line
		@@ -857,6 +857,7 @@ struct uprobe_cpu_buffer {
		};
		static struct uprobe_cpu_buffer __percpu *uprobe_cpu_buffer;
		static int uprobe_buffer_refcnt;
		#define MAX_UCB_BUFFER_SIZE PAGE_SIZE

		static int uprobe_buffer_init(void)
		{
		@@ -957,9 +958,6 @@ static void __uprobe_trace_func(struct trace_uprobe *tu,

		WARN_ON(call != trace_file->event_call);

		if (WARN_ON_ONCE(tu->tp.size + dsize > PAGE_SIZE))
		return;

		if (trace_trigger_soft_disabled(trace_file))
		return;

		@@ -1502,6 +1500,10 @@ static int uprobe_dispatcher(struct uprobe_consumer con, struct pt_regs regs)
		esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));

		ucb = uprobe_buffer_get();

		if (WARN_ON_ONCE(tu->tp.size + dsize > MAX_UCB_BUFFER_SIZE))
		dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;

		store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);

		if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
		@@ -1537,6 +1539,10 @@ static int uretprobe_dispatcher(struct uprobe_consumer *con,
		esize = SIZEOF_TRACE_ENTRY(is_ret_probe(tu));

		ucb = uprobe_buffer_get();

		if (WARN_ON_ONCE(tu->tp.size + dsize > MAX_UCB_BUFFER_SIZE))
		dsize = MAX_UCB_BUFFER_SIZE - tu->tp.size;

		store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);

		if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))