kprobes: Limit max data_size of the kretprobe instances

mhiramat · rostedt · commit 6bbfa4411668 · 2021-12-01T21:04:34.000-05:00
The 'kprobe::data_size' is unsigned, thus it can not be negative. But if user sets it enough big number (e.g. (size_t)-8), the result of 'data_size + sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct kretprobe_instance) or zero. In result, the kretprobe_instance are allocated without enough memory, and kretprobe accesses outside of allocated memory. To avoid this issue, introduce a max limitation of the kretprobe::data_size. 4KB per instance should be OK. Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2 Cc: stable@vger.kernel.org Fixes: f47cd9b ("kprobes: kretprobe user entry-handler") Reported-by: zhangyue <zhangyue1@kylinos.cn> Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
@@ -153,6 +153,8 @@ struct kretprobe {
 	struct kretprobe_holder *rph;
 };
 
+#define KRETPROBE_MAX_DATA_SIZE	4096
+
 struct kretprobe_instance {
 	union {
 		struct freelist_node freelist;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
@@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp)
 		}
 	}
 
+	if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)
+		return -E2BIG;
+
 	rp->kp.pre_handler = pre_handler_kretprobe;
 	rp->kp.post_handler = NULL;
 

Original file line number	Diff line number	Diff line change
`@@ -2086,6 +2086,9 @@ int register_kretprobe(struct kretprobe *rp)`
`2086`	`2086`	`}`
`2087`	`2087`	`}`
`2088`	`2088`
	`2089`	`+ if (rp->data_size > KRETPROBE_MAX_DATA_SIZE)`
	`2090`	`+ return -E2BIG;`
	`2091`	`+`
`2089`	`2092`	`rp->kp.pre_handler = pre_handler_kretprobe;`
`2090`	`2093`	`rp->kp.post_handler = NULL;`
`2091`	`2094`