linux/kernel/trace
Steven Rostedt (Red Hat) 59643d1535 ring-buffer: Prevent overflow of size in ring_buffer_resize()
If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure its still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

an nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318da ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2016-05-13 16:44:20 -04:00
..
blktrace.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
bpf_trace.c bpf: prevent kprobe+bpf deadlocks 2016-03-08 15:28:30 -05:00
ftrace.c Nothing major this round. Mostly small clean ups and fixes. 2016-03-24 10:52:25 -07:00
Kconfig Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-11-10 18:11:41 -08:00
Makefile bpf: Fix the build on BPF_SYSCALL=y && !CONFIG_TRACING kernels, make it more configurable 2015-04-02 16:28:06 +02:00
power-traces.c cpufreq: powernv/tracing: Add powernv_throttle tracepoint 2016-02-05 02:38:02 +01:00
ring_buffer_benchmark.c ring_buffer: Remove unneeded smp_wmb() before wakeup of reader benchmark 2015-11-03 16:19:02 -05:00
ring_buffer.c ring-buffer: Prevent overflow of size in ring_buffer_resize() 2016-05-13 16:44:20 -04:00
rpm-traces.c PM / Runtime: Introduce trace points for tracing rpm_* functions 2011-09-27 22:53:27 +02:00
trace_benchmark.c tracing: Only benchmark the time tracepoints take if tracing is on 2015-11-02 13:34:58 -05:00
trace_benchmark.h tracing: Add tracepoint benchmark tracepoint 2014-05-29 22:49:54 -04:00
trace_branch.c tracing: Remove {start,stop}_branch_trace 2015-10-21 10:10:09 -04:00
trace_clock.c tracing: Export tracing clock functions 2015-05-12 15:56:57 -04:00
trace_entries.h tracing: %pF is only for function pointers 2015-03-25 08:57:22 -04:00
trace_event_perf.c Not much new with tracing for this release. Mostly just clean ups and 2016-01-12 20:04:15 -08:00
trace_events_filter_test.h
trace_events_filter.c tracing: Make ftrace_event_field checking functions available 2016-03-08 11:19:29 -05:00
trace_events_trigger.c tracing: Use flags instead of bool in trigger structure 2016-03-08 11:19:36 -05:00
trace_events.c tracing: Don't display trigger file for events that can't be enabled 2016-05-03 12:59:30 -04:00
trace_export.c tracing: ftrace_event_is_function() can return boolean 2015-11-02 14:28:05 -05:00
trace_functions_graph.c arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections 2016-03-25 16:37:42 -07:00
trace_functions.c tracing: Make tracer_flags use the right set_flag callback 2016-03-08 11:19:08 -05:00
trace_irqsoff.c tracing: Remove redundant reset per-CPU buff in irqsoff tracer 2016-03-18 16:39:11 -04:00
trace_kdb.c tracing: Move trace_flags from global to a trace_array field 2015-09-30 15:22:55 -04:00
trace_kprobe.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
trace_mmiotrace.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
trace_nop.c tracing: Fix typoes in code comment and printk in trace_nop.c 2016-03-08 11:23:57 -05:00
trace_output.c tracing: Record and show NMI state 2016-03-22 18:04:10 -04:00
trace_output.h tracing: Turn seq_print_user_ip() into a static function 2015-09-28 10:16:12 -04:00
trace_printk.c tracing: Fix trace_printk() to print when not using bprintk() 2016-03-22 18:02:40 -04:00
trace_probe.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
trace_probe.h kernel/trace_probe: is_good_name can be boolean 2015-09-22 13:11:30 -04:00
trace_sched_switch.c sched/core: Fix trace_sched_switch() 2015-10-06 17:08:15 +02:00
trace_sched_wakeup.c Most of the changes are clean ups and small fixes. Some of them have 2015-11-06 13:30:20 -08:00
trace_selftest_dynamic.c
trace_selftest.c Seems that Peter Zijlstra added a new check that is making old 2014-10-12 07:28:55 -04:00
trace_seq.c tracing: use %*pb[l] to print bitmaps including cpumasks and nodemasks 2015-02-13 21:21:37 -08:00
trace_stack.c tracing, kasan: Silence Kasan warning in check_stack of stack_tracer 2016-02-19 12:36:44 -05:00
trace_stat.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
trace_stat.h
trace_syscalls.c Nothing major this round. Mostly small clean ups and fixes. 2016-03-24 10:52:25 -07:00
trace_uprobe.c kernel/...: convert pr_warning to pr_warn 2016-03-22 15:36:02 -07:00
trace.c Nothing major this round. Mostly small clean ups and fixes. 2016-03-24 10:52:25 -07:00
trace.h tracing: Record and show NMI state 2016-03-22 18:04:10 -04:00