Re: tracing: user events UAF crash report

2024-07-26 Thread Mathias Krause
On 26.07.24 01:06, Steven Rostedt wrote:
> On Thu, 25 Jul 2024 23:32:30 +0200
> Mathias Krause wrote:
>
>> That was for a single run of
>> tools/testing/selftests/user_events/ftrace_test with the read loop of
>> /sys/kernel/tracing/events/user_events/__test_event/format in a
>> different shell.
>

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 23:32:30 +0200 Mathias Krause wrote: > That was for a single run of > tools/testing/selftests/user_events/ftrace_test with the read loop of > /sys/kernel/tracing/events/user_events/__test_event/format in a > different shell. > > > > > destroy_user_event() which is under even

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 22:41:23 +0200 Mathias Krause wrote: > > diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c > > index 6ef29eba90ce..5fbfa1c885de 100644 > > --- a/kernel/trace/trace_events.c > > +++ b/kernel/trace/trace_events.c > > @@ -1627,12 +1627,14 @@ static int f_show

Re: tracing: user events UAF crash report

2024-07-25 Thread Mathias Krause
On 25.07.24 22:15, Steven Rostedt wrote:
> On Thu, 25 Jul 2024 21:42:41 +0200
> Mathias Krause wrote:
>
>> Right. But the point is, that 'event_call' is really some '&user->call'.
>> With 'user' being free'd memory, what gives? Dereferencing 'event_call'
>> is UB, so this function is doomed to fa

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 21:42:41 +0200 Mathias Krause wrote:
> Right. But the point is, that 'event_call' is really some '&user->call'.
> With 'user' being free'd memory, what gives? Dereferencing 'event_call'
> is UB, so this function is doomed to fail because it cannot know if its
> only argument p

Re: tracing: user events UAF crash report

2024-07-25 Thread Mathias Krause
On 25.07.24 21:05, Steven Rostedt wrote: > Here's the proper fix: > > diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c > index 6ef29eba90ce..3a2d2ff1625b 100644 > --- a/kernel/trace/trace_events.c > +++ b/kernel/trace/trace_events.c > @@ -3140,8 +3140,10 @@ EXPORT_SYMBOL_GPL(

Re: tracing: user events UAF crash report

2024-07-25 Thread Mathias Krause
On 25.07.24 21:05, Steven Rostedt wrote: > On Thu, 25 Jul 2024 20:12:33 +0200 > Mathias Krause wrote: @@ -973,6 +975,11 @@ size_t copy_nofault(void *addr, size_t bytes, struct iov_iter *i) static struct list_head *user_event_get_fields(struct trace_event_call *call) {

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 20:12:33 +0200 Mathias Krause wrote: > > > > >> + > >>if (WARN_ON_ONCE(!schedule_work(&user->put_work))) { > >>/* > >> * If we fail we must wait for an admin to attempt delete or > >> @@ -973,6 +975,11 @@ size_t copy_nofault(void *addr, size_t b

Re: tracing: user events UAF crash report

2024-07-25 Thread Mathias Krause
On 25.07.24 19:16, Steven Rostedt wrote: > On Thu, 25 Jul 2024 13:10:21 -0400 > Steven Rostedt wrote: >> >> diff --git a/kernel/trace/trace_events_user.c >> b/kernel/trace/trace_events_user.c >> index 3a2b46847c8b..e9ed2826ff46 100644 >> --- a/kernel/trace/trace_events_user.c >> +++ b/kernel/trac

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 13:10:21 -0400 Steven Rostedt wrote: > > diff --git a/kernel/trace/trace_events_user.c > b/kernel/trace/trace_events_user.c > index 3a2b46847c8b..e9ed2826ff46 100644 > --- a/kernel/trace/trace_events_user.c > +++ b/kernel/trace/trace_events_user.c > @@ -321,6 +321,8 @@ static

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 22:00:14 +0530 Ajay Kaher wrote:
> Thread A (read event)        Thread B (remove event)
>
> .                            worker_thread()
> .                            delayed_destroy_user_event()
> .

Re: tracing: user events UAF crash report

2024-07-25 Thread Steven Rostedt
On Thu, 25 Jul 2024 21:45:03 +0530 Ajay Kaher wrote: > On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > > > On 22.07.24 13:13, Ajay Kaher wrote: > > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > > wrote: > > >> > > >> I noticed, the user events ftrace selftest is crashing e

Re: tracing: user events UAF crash report

2024-07-25 Thread Ajay Kaher
On Thu, Jul 25, 2024 at 9:45 PM Ajay Kaher wrote: > > On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > > > On 22.07.24 13:13, Ajay Kaher wrote: > > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > > wrote: > > >> > > >> I noticed, the user events ftrace selftest is crashing every n

Re: tracing: user events UAF crash report

2024-07-25 Thread Ajay Kaher
On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > On 22.07.24 13:13, Ajay Kaher wrote: > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > wrote: > >> > >> I noticed, the user events ftrace selftest is crashing every now and > >> then in our automated tests. Digging into, I found that

Re: tracing: user events UAF crash report

2024-07-25 Thread Ajay Kaher
On Mon, Jul 22, 2024 at 5:38 PM Mathias Krause wrote: > > On 22.07.24 13:13, Ajay Kaher wrote: > > On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause > > wrote: > >> > >> I noticed, the user events ftrace selftest is crashing every now and > >> then in our automated tests. Digging into, I found that

Re: tracing: user events UAF crash report

2024-07-23 Thread Mathias Krause
On 23.07.24 16:43, Steven Rostedt wrote: > On Fri, 19 Jul 2024 22:47:01 +0200 > Mathias Krause wrote: > >> Beside the obvious bug, I noticed the following (not fixing the issue, >> tho): >> >> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c >> index 5d88c184f0fc..687ad0a26458 100

Re: tracing: user events UAF crash report

2024-07-23 Thread Steven Rostedt
On Fri, 19 Jul 2024 22:47:01 +0200 Mathias Krause wrote: > Beside the obvious bug, I noticed the following (not fixing the issue, > tho): > > diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c > index 5d88c184f0fc..687ad0a26458 100644 > --- a/fs/tracefs/event_inode.c > +++ b/fs/tra

Re: tracing: user events UAF crash report

2024-07-22 Thread Steven Rostedt
On Fri, 19 Jul 2024 22:47:01 +0200 Mathias Krause wrote:
> Subject: [PATCH] eventfs: Don't return NULL in eventfs_create_dir()
>
> Commit 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing
> ei->dentry") added another check, testing if the parent was freed after
> we released the mutex

Re: tracing: user events UAF crash report

2024-07-22 Thread Ajay Kaher
On Sat, Jul 20, 2024 at 2:17 AM Mathias Krause wrote:
>
> Hi Steven, Ajay,
>
> [ @Cc list: I found out issues with tracefs have been reported /
> attempted to get fixed in the past, so you may be interested. ]
>
> I noticed, the user events ftrace selftest is crashing every now and
> then in our

Re: tracing: user events UAF crash report

2024-07-19 Thread Dan Carpenter
On Fri, Jul 19, 2024 at 10:47:01PM +0200, Mathias Krause wrote:
> Hi Steven, Ajay,
>
> [ @Cc list: I found out issues with tracefs have been reported /
> attempted to get fixed in the past, so you may be interested. ]
>
> I noticed, the user events ftrace selftest is crashing every now and
> th

tracing: user events UAF crash report

2024-07-19 Thread Mathias Krause
Hi Steven, Ajay,

[ @Cc list: I found out issues with tracefs have been reported / attempted to get fixed in the past, so you may be interested. ]

I noticed, the user events ftrace selftest is crashing every now and then in our automated tests. Digging into, I found that the following is trigger