diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2013-11-07 19:41:57 +0100 |
|---|---|---|
| committer | Oleg Nesterov <oleg@redhat.com> | 2013-11-09 17:05:43 +0100 |
| commit | 2ded0980a6e4ae96bdd84bda66c7240967d86f3c (patch) | |
| tree | 126d757f23d6fa47c04ed695eccb2b8b9e0bb176 /tools/perf/ui | |
| parent | 70d7f98722a7a1df1a55d6a92d0ce959c7aba9fd (diff) | |
| download | linux-2ded0980a6e4ae96bdd84bda66c7240967d86f3c.tar.gz linux-2ded0980a6e4ae96bdd84bda66c7240967d86f3c.tar.bz2 linux-2ded0980a6e4ae96bdd84bda66c7240967d86f3c.zip | |
uprobes: Fix the memory out of bound overwrite in copy_insn()
1. copy_insn() doesn't look very nice, all calculations are
confusing and it is not immediately clear why do we read
the 2nd page first.
2. The usage of inode->i_size is wrong on 32-bit machines.
3. "Instruction at end of binary" logic is simply wrong, it
doesn't handle the case when uprobe->offset > inode->i_size.
In this case "bytes" overflows, and __copy_insn() writes to
the memory outside of uprobe->arch.insn.
Yes, uprobe_register() checks i_size_read(), but this file
can be truncated after that. All i_size checks are racy, we
do this only to catch the obvious mistakes.
Change copy_insn() to call __copy_insn() in a loop, simplify
and fix the bytes/nbytes calculations.
Note: we do not care if we read extra bytes after inode->i_size
if we got the valid page. This is fine because the task gets the
same page after page-fault, and arch_uprobe_analyze_insn() can't
know how many bytes were actually read anyway.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Diffstat (limited to 'tools/perf/ui')
0 files changed, 0 insertions, 0 deletions