projects / lttng-modules.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c9b7e9c) | patch
fix: don't allow userspace copy to read kernel memory
authorMichael Jeanson <mjeanson@efficios.com>
Fri, 25 Sep 2020 20:05:00 +0000 (16:05 -0400)
committerMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Wed, 30 Sep 2020 16:06:36 +0000 (12:06 -0400)
commit9d209ed112e998bf21c5df6d013635367b886ba2
tree904503f1691d8db4651bd0148a8b3f7498ecc297tree | snapshot
parentc9b7e9c8cee5e9ee5f8a9288bb77d2b52deed077commit | diff
fix: don't allow userspace copy to read kernel memory

This patch fixes a security issue which allows the root user to read
arbitrary kernel memory. Considering the security model used in LTTng
userspace tooling for kernel tracing, this bug also allows members of
the 'tracing' group to read arbitrary kernel memory.

Calls to __copy_from_user_inatomic() where wrongly enclosed in
set_fs(KERNEL_DS) defeating the access_ok() calls and allowing to read
from kernel memory if a kernel address is provided.

Remove all set_fs() calls around __copy_from_user_inatomic().

As a side effect this will allow us to support v5.10 which should remove
set_fs().

Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I35e4562c835217352c012ed96a7b8f93e941381e
lib/ringbuffer/backend.h diff | blob | blame | history
lttng-filter-interpreter.c diff | blob | blame | history
probes/lttng-probe-user.c diff | blob | blame | history
LTTng 2.0/0.x modules
This page took 0.026011 seconds and 4 git commands to generate.