tracing: Fix regex_match_front() to not over compare the test string

rostedt · rostedt · commit dc432c3d7f9b · 2018-05-11T10:56:42.000-04:00
The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the pattern length from testing the entire test string. That is, it went from strncmp(str, r->pattern, len) to strcmp(str, r->pattern, r->len). The issue is that str is not guaranteed to be nul terminated, and if r->len is greater than the length of str, it can access more memory than is allocated. The solution is to add a simple test if (len < r->len) return 0. Cc: stable@vger.kernel.org Fixes: 285caad ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
@@ -762,6 +762,9 @@ static int regex_match_full(char *str, struct regex *r, int len)
 
 static int regex_match_front(char *str, struct regex *r, int len)
 {
+	if (len < r->len)
+		return 0;
+
 	if (strncmp(str, r->pattern, r->len) == 0)
 		return 1;
 	return 0;

Original file line number	Diff line number	Diff line change
`@@ -762,6 +762,9 @@ static int regex_match_full(char str, struct regex r, int len)`
`762`	`762`
`763`	`763`	`static int regex_match_front(char str, struct regex r, int len)`
`764`	`764`	`{`
	`765`	`+ if (len < r->len)`
	`766`	`+ return 0;`
	`767`	`+`
`765`	`768`	`if (strncmp(str, r->pattern, r->len) == 0)`
`766`	`769`	`return 1;`
`767`	`770`	`return 0;`