On Wed, 1 Jul 2026 18:28:46 +0800 Ren Wei <[email protected]> wrote: > From: Huihui Huang <[email protected]> > > String event fields are not necessarily NUL-terminated, so the filter > predicate functions (filter_pred_string(), filter_pred_strloc() and > filter_pred_strrelloc()) pass the field length to the regex match > callbacks, and the length-aware matchers honour it. > > regex_match_glob() was the exception: it ignored the length and called > glob_match(), which scans the string until it hits a NUL byte. Some > string fields are not NUL-terminated. One example is the dynamic char > array of the xfs_* namespace tracepoints, which is copied without a > trailing NUL. For such a field, glob matching reads past the end of > the event field, causing a KASAN slab-out-of-bounds read in > glob_match(), reached via regex_match_glob() and filter_match_preds() > from the xfs_lookup tracepoint. > > Add a length-bounded glob_match_len() and use it from regex_match_glob() > so glob matching always stops at the field boundary. The matching loop > is factored into a shared helper so glob_match() keeps its behaviour. >
Looks good to me. Acked-by: Masami Hiramatsu (Google) <[email protected]> Thank you, > Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching") > Cc: [email protected] > Reported-by: Yuan Tan <[email protected]> > Reported-by: Yifan Wu <[email protected]> > Reported-by: Juefei Pu <[email protected]> > Reported-by: Zhengchuan Liang <[email protected]> > Reported-by: Xin Liu <[email protected]> > Assisted-by: Codex:GPT-5.4 > Signed-off-by: Huihui Huang <[email protected]> > Signed-off-by: Ren Wei <[email protected]> > --- > include/linux/glob.h | 1 + > kernel/trace/trace_events_filter.c | 6 ++---- > lib/glob.c | 31 ++++++++++++++++++++++++++++-- > 3 files changed, 32 insertions(+), 6 deletions(-) > > diff --git a/include/linux/glob.h b/include/linux/glob.h > index 861327b33e..91595e7509 100644 > --- a/include/linux/glob.h > +++ b/include/linux/glob.h > @@ -6,5 +6,6 @@ > #include <linux/compiler.h> /* For __pure */ > > bool __pure glob_match(char const *pat, char const *str); > +bool __pure glob_match_len(char const *pat, char const *str, size_t len); > > #endif /* _LINUX_GLOB_H */ > diff --git a/kernel/trace/trace_events_filter.c > b/kernel/trace/trace_events_filter.c > index 609325f579..6385cd662d 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c > @@ -1056,11 +1056,9 @@ static int regex_match_end(char *str, struct regex *r, > int len) > return 0; > } > > -static int regex_match_glob(char *str, struct regex *r, int len > __maybe_unused) > +static int regex_match_glob(char *str, struct regex *r, int len) > { > - if (glob_match(r->pattern, str)) > - return 1; > - return 0; > + return glob_match_len(r->pattern, str, len) ? 1 : 0; > } > > /** > diff --git a/lib/glob.c b/lib/glob.c > index 7aca76c25b..c80d9dd736 100644 > --- a/lib/glob.c > +++ b/lib/glob.c > @@ -11,6 +11,9 @@ > MODULE_DESCRIPTION("glob(7) matching"); > MODULE_LICENSE("Dual MIT/GPL"); > > +static bool __pure glob_match_str(char const *pat, char const *str, > + char const *str_end); > + > /** > * glob_match - Shell-style pattern matching, like !fnmatch(pat, str, 0) > * @pat: Shell-style pattern to match, e.g. "*.[ch]". > @@ -40,6 +43,29 @@ MODULE_LICENSE("Dual MIT/GPL"); > * An opening bracket without a matching close is matched literally. > */ > bool __pure glob_match(char const *pat, char const *str) > +{ > + return glob_match_str(pat, str, NULL); > +} > +EXPORT_SYMBOL(glob_match); > + > +/** > + * glob_match_len - glob match against a length-bounded string > + * @pat: Shell-style pattern to match. > + * @str: String to match. Need not be NUL-terminated. > + * @len: Number of bytes of @str that may be read. > + * > + * Like glob_match(), but @str is only read up to @len bytes, so it can be > + * used on buffers that are not NUL-terminated (e.g. trace event fields). > + * A NUL byte within @len still terminates the string. > + */ > +bool __pure glob_match_len(char const *pat, char const *str, size_t len) > +{ > + return glob_match_str(pat, str, str + len); > +} > +EXPORT_SYMBOL(glob_match_len); > + > +static bool __pure glob_match_str(char const *pat, char const *str, > + char const *str_end) > { > /* > * Backtrack to previous * on mismatch and retry starting one > @@ -55,9 +81,11 @@ bool __pure glob_match(char const *pat, char const *str) > * on mismatch, or true after matching the trailing nul bytes. > */ > for (;;) { > - unsigned char c = *str++; > + unsigned char c = (str_end && str >= str_end) ? '\0' : *str; > unsigned char d = *pat++; > > + str++; > + > switch (d) { > case '?': /* Wildcard: anything but nul */ > if (c == '\0') > @@ -125,4 +153,3 @@ bool __pure glob_match(char const *pat, char const *str) > } > } > } > -EXPORT_SYMBOL(glob_match); > -- > 2.50.1 > -- Masami Hiramatsu (Google) <[email protected]>
