• Steven Rostedt (VMware)'s avatar
    tracing: Add a verifier to check string pointers for trace events · 9a6944fe
    Steven Rostedt (VMware) authored
    It is a common mistake for someone writing a trace event to save a pointer
    to a string in the TP_fast_assign() and then display that string pointer
    in the TP_printk() with %s. The problem is that those two events may happen
    a long time apart, where the source of the string may no longer exist.
    
    The proper way to handle displaying any string that is not guaranteed to be
    in the kernel core rodata section, is to copy it into the ring buffer via
    the __string(), __assign_str() and __get_str() helper macros.
    
    Add a check at run time while displaying the TP_printk() of events to make
    sure that every %s referenced is safe to dereference, and if it is not,
    trigger a warning and only show the address of the pointer, and the
    dereferenced string if it can be safely retrieved with a
    strncpy_from_kernel_nofault() call.
    
    In order to not have to copy the parsing of vsnprintf() formats, or even
    exporting its code, the verifier relies on vsnprintf() being able to
    modify the va_list that is passed to it, and it remains modified after it
    is called. This is the case for some architectures like x86_64, but other
    architectures like x86_32 pass the va_list to vsnprintf() as a value not a
    reference, and the verifier can not use it to parse the non string
    arguments. Thus, at boot up, it is checked if vsnprintf() modifies the
    passed in va_list or not, and a static branch will disable the verifier if
    it's not compatible.
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    9a6944fe
trace.c 240 KB