On Sun, 7 Aug 2022 23:21:20 +0100 Alan Maguire alan.maguire@oracle.com wrote:
The following (wrong) use of tracepoint filtering was enough to trigger a null-pointer dereference crash:
cd /sys/kernel/debug/tracing echo "saddr_v6 == 0x0100007f" > tcp/tcp_receive_reset/filter echo 1 > tcp/tcp_receive_reset/enable wget https://localhost
This works fine if saddr - a 4-byte array representing the source address - is used instead.
The patch series is a new feature so it would need to go into the next merge window. But this patch looks to be a bug fix, so I'll pull this one in separately, and tag it for stable.
Thanks,
-- Steve
Fix is to handle case where we encounter an unexpected size.
Signed-off-by: Alan Maguire alan.maguire@oracle.com
kernel/trace/trace_events_filter.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 4b1057ab9d96..65e01c8d48d9 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1490,6 +1490,11 @@ static int parse_pred(const char *str, void *data, else { pred->fn = select_comparison_fn(pred->op, field->size, field->is_signed);
if (!pred->fn) {parse_error(pe, FILT_ERR_ILLEGAL_FIELD_OP,pos + i);goto err_free;} if (pred->op == OP_NE) pred->not = 1;