From: Mathieu Desnoyers Date: Tue, 6 Sep 2022 15:59:17 +0000 (-0400) Subject: Fix: notification capture: handle userspace strings X-Git-Tag: v2.13.6~10 X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=9c16adb2f6a64da85be28e1d2d1c552809ce4f99;p=lttng-modules.git Fix: notification capture: handle userspace strings The "user" attribute (copy from userspace) is not applied to string field capture within event notifications. This leads to copy of strings from user-space (e.g. `filename` field from sys_open) to end up using strlen/memcpy on user-space data. This can cause kernel OOPS due to unhandled page faults, and it also allows reading kernel memory through the event notification capture mechanism. As a result, the users within the `tracing` group can read arbitrary kernel memory. Signed-off-by: Mathieu Desnoyers Change-Id: I3241b144fea849004a3f0a19276506c9f1b0d5e5 --- diff --git a/src/lttng-event-notifier-notification.c b/src/lttng-event-notifier-notification.c index 811dc50a..054d3339 100644 --- a/src/lttng-event-notifier-notification.c +++ b/src/lttng-event-notifier-notification.c @@ -283,7 +283,11 @@ int notification_append_capture( } break; case LTTNG_INTERPRETER_TYPE_STRING: - ret = lttng_msgpack_write_str(writer, output->u.str.str); + if (output->u.str.user) { + ret = lttng_msgpack_write_user_str(writer, output->u.str.user_str); + } else { + ret = lttng_msgpack_write_str(writer, output->u.str.str); + } if (ret) { WARN_ON_ONCE(1); goto end;
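Review bot: The correctness of this hunk rests entirely on `lttng_msgpack_write_user_str`, which is not shown here; please confirm in the same series that it reaches the user pointer through a fault-tolerant, bounded userspace copy (a `copy_from_user`/`strncpy_from_user`-style primitive with an explicit length limit) rather than the `strlen`/`memcpy` path the commit message describes, since otherwise the `user_str` branch still page-faults on unmapped userspace and still lets the capture leak whatever the kernel-side read returns. Two follow-ups for the same `LTTNG_INTERPRETER_TYPE_STRING` branch: `str` and `user_str` are separate members, so every producer of string outputs in the interpreter must set `output->u.str.user` consistently or the new `if` silently takes the old path; and the `break` just above this case suggests other capture types are serialized in the same `switch`, so any other branch that writes interpreter-provided user data should get the same `user` check rather than only this one. A short comment on the `if` stating that `user_str` must never be dereferenced directly would also help the next reader.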