The "user" attribute (copy from userspace) is not applied to string
field capture within event notifications. This leads to copies of strings
from user-space (e.g. the `filename` field from sys_open) ending up using
strlen/memcpy on user-space data. This can cause a kernel OOPS due to
unhandled page faults, and it also allows reading kernel memory through
the event notification capture mechanism. As a result, users within
the `tracing` group can read arbitrary kernel memory.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I3241b144fea849004a3f0a19276506c9f1b0d5e5
}
break;
case LTTNG_INTERPRETER_TYPE_STRING:
- ret = lttng_msgpack_write_str(writer, output->u.str.str);
+ if (output->u.str.user) {
+ ret = lttng_msgpack_write_user_str(writer, output->u.str.user_str);
+ } else {
+ ret = lttng_msgpack_write_str(writer, output->u.str.str);
+ }
if (ret) {
WARN_ON_ONCE(1);
goto end;
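Review bot: the fix depends entirely on `lttng_msgpack_write_user_str`, whose definition is not in this hunk; please confirm it reads `output->u.str.user_str` with a bounded, fault-tolerant user accessor (length-limited copy that returns an error on an unmapped page) rather than the strlen/memcpy pattern the commit message identifies as the defect. Also note that the unchanged `if (ret) { WARN_ON_ONCE(1); goto end; }` below now covers the user path as well: a fault while reading a user-space string is an expected runtime condition (the page may have been unmapped), not a kernel invariant violation, so consider whether a failed user read should be distinguished from the existing error code instead of triggering `WARN_ON_ONCE`.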