torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-04-14 10:19:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c58a812c8e49ad688f94f4b050ad5c5b388fc5d2
linux/kernel
History
Edward Adam Davis c58a812c8e ring-buffer: Fix overflow in __rb_map_vma 
An overflow occurred when performing the following calculation:

   nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff;

Add a check before the calculation to avoid this problem.

syzbot reported this as a slab-out-of-bounds in __rb_map_vma:

BUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058
Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836

CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058
 ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138
 tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482
 call_mmap include/linux/fs.h:2183 [inline]
 mmap_file mm/internal.h:124 [inline]
 __mmap_new_file_vma mm/vma.c:2291 [inline]
 __mmap_new_vma mm/vma.c:2355 [inline]
 __mmap_region+0x1786/0x2670 mm/vma.c:2456
 mmap_region+0x127/0x320 mm/mmap.c:1348
 do_mmap+0xc00/0xfc0 mm/mmap.c:496
 vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580
 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The reproducer for this bug is:

------------------------8<-------------------------
 #include <fcntl.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <asm/types.h>
 #include <sys/mman.h>

 int main(int argc, char **argv)
 {
	int page_size = getpagesize();
	int fd;
	void *meta;

	system("echo 1 > /sys/kernel/tracing/buffer_size_kb");
	fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);

	meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);
 }
------------------------>8-------------------------

Cc: stable@vger.kernel.org
Fixes: 117c39200d ("ring-buffer: Introducing ring-buffer mapping functions")
Link: https://lore.kernel.org/tencent_06924B6674ED771167C23CC336C097223609@qq.com
Reported-by: syzbot+345e4443a21200874b18@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=345e4443a21200874b18
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2024-12-18 14:15:10 -05:00
..
bpf
bpf: Avoid deadlock caused by nested kprobe and fentry bpf programs
2024-12-14 09:49:27 -08:00
cgroup
Merge tag 'cgroup-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
2024-11-20 09:54:49 -08:00
configs
configs/debug: make sure PROVE_RCU_LIST=y takes effect
2024-10-28 10:21:09 -07:00
debug
kdb: fix ctrl+e/a/f/b/d/p/n broken in keyboard mode
2024-11-18 15:20:22 +00:00
dma
dma-debug: fix physical address calculation for struct dma_debug_entry
2024-11-28 10:19:16 +01:00
entry
sched: Add TIF_NEED_RESCHED_LAZY infrastructure
2024-11-05 12:55:37 +01:00
events
Merge tag 'mm-nonmm-stable-2024-11-24-02-05' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-25 16:09:48 -08:00
futex
futex: fix user access on powerpc
2024-12-09 10:00:25 -08:00
gcov
gcov: add support for GCC 14
2024-06-15 10:43:06 -07:00
irq
genirq/proc: Add missing space separator back
2024-12-03 14:59:34 +01:00
kcsan
kcsan: Remove redundant call of kallsyms_lookup_name()
2024-10-14 16:44:56 +02:00
livepatch
livepatch: Replace snprintf() with sysfs_emit()
2024-07-02 16:56:18 +02:00
locking
locking: rtmutex: Fix wake_q logic in task_blocks_on_rt_mutex
2024-12-02 12:01:29 +01:00
module
module: Convert symbol namespace to string literal
2024-12-02 11:34:44 -08:00
power
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
2024-11-23 16:00:50 -08:00
printk
Merge tag 'printk-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
2024-11-20 09:21:11 -08:00
rcu
Merge tag 'irq-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-11-19 15:54:19 -08:00
sched
Merge tag 'sched_urgent_for_v6.13_rc3-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-12-15 09:38:03 -08:00
time
clocksource: Make negative motion detection more robust
2024-12-05 16:03:24 +01:00
trace
ring-buffer: Fix overflow in __rb_map_vma
2024-12-18 14:15:10 -05:00
.gitignore
acct.c
kernel misc: Remove the now superfluous sentinel elements from ctl_table array
2024-04-24 09:43:53 +02:00
async.c
async: Use a dedicated unbound workqueue with raised min_active
2024-02-09 11:13:59 -10:00
audit_fsnotify.c
audit_tree.c
fsnotify: create a wrapper fsnotify_find_inode_mark()
2024-04-04 16:24:16 +02:00
audit_watch.c
fsnotify: create a wrapper fsnotify_find_inode_mark()
2024-04-04 16:24:16 +02:00
audit.c
Merge tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
2024-11-18 17:34:05 -08:00
audit.h
audit: change context data from secid to lsm_prop
2024-10-11 14:34:16 -04:00
auditfilter.c
audit: change context data from secid to lsm_prop
2024-10-11 14:34:16 -04:00
auditsc.c
audit: workaround a GCC bug triggered by task comm changes
2024-12-04 22:57:46 -05:00
backtracetest.c
backtracetest: add MODULE_DESCRIPTION()
2024-06-24 22:24:55 -07:00
bounds.c
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
2024-04-29 08:29:29 -07:00
capability.c
lsm: constify the 'target' parameter in security_capget()
2023-08-08 16:48:47 -04:00
cfi.c
compat.c
configs.c
context_tracking.c
context_tracking, rcu: Rename rcu_dyntick trace event into rcu_watching
2024-08-15 21:30:43 +05:30
cpu_pm.c
cpu.c
Merge tag 'driver-core-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2024-11-29 11:43:29 -08:00
crash_core.c
kexec/crash: no crash update when kexec in progress
2024-11-05 17:12:27 -08:00
crash_reserve.c
crash: fix crash memory reserve exceed system memory bug
2024-09-01 20:43:30 -07:00
cred.c
cred: Add a light version of override/revert_creds()
2024-11-11 10:45:04 +01:00
delayacct.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
dma.c
elfcorehdr.c
crash: remove dependency of FA_DUMP on CRASH_DUMP
2024-02-23 17:48:22 -08:00
exec_domain.c
exit.c
remove pointless includes of <linux/fdtable.h>
2024-10-07 13:34:41 -04:00
exit.h
exit: add internal include file with helpers
2023-09-21 12:03:50 -06:00
extable.c
fail_function.c
fork.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
freezer.c
sched/fair: Fix external p->on_rq users
2024-10-14 09:14:35 +02:00
gen_kheaders.sh
kheaders: use command -v to test for existence of cpio
2024-05-30 01:13:20 +09:00
groups.c
groups: Convert group_info.usage to refcount_t
2023-09-29 11:28:39 -07:00
hung_task.c
hung_task: add detect count for hung tasks
2024-11-11 17:17:03 -08:00
iomem.c
kernel/iomem.c: remove __weak ioremap_cache helper
2023-08-21 13:37:28 -07:00
irq_work.c
jump_label.c
jump_label: Fix static_key_slow_dec() yet again
2024-09-10 11:57:27 +02:00
kallsyms_internal.h
kallsyms: get rid of code for absolute kallsyms
2024-07-20 16:33:21 +09:00
kallsyms_selftest.c
kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
2024-08-15 09:33:35 -07:00
kallsyms_selftest.h
kallsyms.c
kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
2024-08-15 09:33:35 -07:00
kcmp.c
get rid of ...lookup...fdget_rcu() family
2024-10-07 13:34:41 -04:00
Kconfig.freezer
Kconfig.hz
Kconfig.kexec
crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32
2024-11-14 22:43:48 -08:00
Kconfig.locks
Kconfig.preempt
sched: No PREEMPT_RT=y for all{yes,mod}config
2024-11-07 15:25:05 +01:00
kcov.c
Merge tag 'x86-build-2024-09-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-09-17 12:40:34 +02:00
kexec_core.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
kexec_elf.c
kexec_file.c
kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y
2024-09-01 17:59:01 -07:00
kexec_internal.h
kexec: use atomic_try_cmpxchg_acquire() in kexec_trylock()
2024-09-01 20:43:23 -07:00
kexec.c
crash: add a new kexec flag for hotplug support
2024-04-23 14:59:01 +10:00
kheaders.c
kprobes.c
kprobes: Use struct_size() in __get_insn_slot()
2024-10-31 11:00:58 +09:00
ksyms_common.c
ksysfs.c
profiling: remove prof_cpu_mask
2024-07-29 10:45:54 -07:00
kthread.c
get rid of __get_task_comm()
2024-11-05 17:12:28 -08:00
latencytop.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
Makefile
mm: move kernel/numa.c to mm/
2024-09-03 21:15:26 -07:00
module_signature.c
notifier.c
reboot: move reboot_notifier_list to kernel/reboot.c
2024-11-05 17:12:31 -08:00
nsproxy.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
padata.c
padata: Clean up in padata_do_multithreaded()
2024-11-10 11:50:54 +08:00
panic.c
Merge tag 'drm-next-2024-09-19' of https://gitlab.freedesktop.org/drm/kernel
2024-09-19 10:18:15 +02:00
params.c
params: Fix multi-line comment style
2023-12-01 09:51:44 -08:00
pid_namespace.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
pid_sysctl.h
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
pid.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
profile.c
profiling: remove profile=sleep support
2024-08-04 13:36:28 -07:00
ptrace.c
ptrace_attach: shift send(SIGSTOP) into ptrace_set_stopped()
2024-02-22 15:38:52 -08:00
range.c
reboot.c
kernel/reboot: replace sprintf() with sysfs_emit()
2024-11-11 17:17:05 -08:00
regset.c
regset: use kvzalloc() for regset_get_alloc()
2024-04-25 21:07:03 -07:00
relay.c
[tree-wide] finally take no_llseek out
2024-09-27 08:18:43 -07:00
resource_kunit.c
resource, kunit: fix user-after-free in resource_test_region_intersects()
2024-10-09 12:47:19 -07:00
resource.c
module: Convert symbol namespace to string literal
2024-12-02 11:34:44 -08:00
rseq.c
scftorture.c
scftorture: Handle NULL argument passed to scf_add_to_free_list().
2024-11-14 16:09:51 -08:00
scs.c
seccomp.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
signal.c
posix-timers: Target group sigqueue to current task only if not exiting
2024-11-29 13:19:09 +01:00
smp.c
locking/csd-lock: Switch from sched_clock() to ktime_get_mono_fast_ns()
2024-10-11 09:31:21 -07:00
smpboot.c
kthread: add kthread_stop_put
2023-10-04 10:41:57 -07:00
smpboot.h
softirq.c
softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel
2024-12-02 12:01:27 +01:00
stackleak.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
stacktrace.c
stacktrace: fix kernel-doc typo
2023-12-29 12:22:29 -08:00
static_call_inline.c
static_call: Replace pointless WARN_ON() in static_call_module_notify()
2024-09-06 16:29:22 +02:00
static_call.c
stop_machine.c
rcu: Rename rcu_momentary_dyntick_idle() into rcu_momentary_eqs()
2024-08-15 21:30:42 +05:30
sys_ni.c
Merge tag 'probes-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
2024-07-18 12:19:20 -07:00
sys.c
Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
2024-11-18 18:10:37 -08:00
sysctl-test.c
sysctl: Add module description to sysctl-testing
2024-06-03 15:20:37 +02:00
sysctl.c
sysctl: Reorganize kerneldoc parameter names
2024-10-23 15:28:40 +02:00
task_work.c
sched/core: Disable page allocation in task_tick_mm_cid()
2024-10-11 10:49:32 +02:00
taskstats.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
torture.c
torture: Add MODULE_DESCRIPTION()
2024-05-30 15:31:38 -07:00
tracepoint.c
tracing: Fix syscall tracepoint use-after-free
2024-11-01 14:37:31 -04:00
tsacct.c
tsacct: replace strncpy() with strscpy()
2024-07-12 16:39:53 -07:00
ucount.c
Merge tag 'sysctl-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl
2024-11-22 20:36:11 -08:00
uid16.c
uid16.h
umh.c
remove pointless includes of <linux/fdtable.h>
2024-10-07 13:34:41 -04:00
up.c
smp: Change function signatures to use call_single_data_t
2023-09-13 14:59:24 +02:00
user_namespace.c
user_namespace: use kmemdup_array() instead of kmemdup() for multiple allocation
2024-09-09 16:47:42 -07:00
user-return-notifier.c
user.c
uidgid: make sure we fit into one cacheline
2024-09-12 12:16:09 +02:00
usermode_driver.c
utsname_sysctl.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
utsname.c
vhost_task.c
vhost_task: Handle SIGKILL by flushing work and exiting
2024-05-22 08:31:15 -04:00
vmcore_info.c
mm: support only one page_type per page
2024-09-03 21:15:43 -07:00
watch_queue.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
watchdog_buddy.c
watchdog_perf.c
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
2024-07-17 21:11:34 -07:00
watchdog.c
Merge tag 'mm-nonmm-stable-2024-11-24-02-05' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-25 16:09:48 -08:00
workqueue_internal.h
workqueue: Drop the special locking rule for worker->flags and worker_pool->flags
2023-08-07 15:57:22 -10:00
workqueue.c
workqueue: Reduce expensive locks for unbound workqueue
2024-11-15 06:43:39 -10:00