Fix: notification capture: handle userspace strings
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tue, 6 Sep 2022 15:59:17 +0000 (11:59 -0400)
committerMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Wed, 7 Sep 2022 20:07:38 +0000 (16:07 -0400)
The "user" attribute (copy from userspace) is not applied to string
field capture within event notifications. This leads to copy of strings
from user-space (e.g. `filename` field from sys_open) to end up using
strlen/memcpy on user-space data. This can cause kernel OOPS due to
unhandled page faults, and it also allows reading kernel memory through
the event notification capture mechanism. As a result, the users within
the `tracing` group can read arbitrary kernel memory.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I3241b144fea849004a3f0a19276506c9f1b0d5e5

src/lttng-event-notifier-notification.c

index 811dc50ad8dc93ea7230a71a8c106d9fb6316da4..054d33393f459832fac3906e81ba634cfe8c41f9 100644 (file)
@@ -283,7 +283,11 @@ int notification_append_capture(
                }
                break;
        case LTTNG_INTERPRETER_TYPE_STRING:
-               ret = lttng_msgpack_write_str(writer, output->u.str.str);
+               if (output->u.str.user) {
+                       ret = lttng_msgpack_write_user_str(writer, output->u.str.user_str);
+               } else {
+                       ret = lttng_msgpack_write_str(writer, output->u.str.str);
+               }
                if (ret) {
                        WARN_ON_ONCE(1);
                        goto end;
This page took 0.02705 seconds and 4 git commands to generate.