[SRU][J][PATCH 0/2] CVE-2024-50067
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Fri Oct 17 20:19:06 UTC 2025
https://ubuntu.com/security/CVE-2024-50067
[ Impact ]
uprobe: avoid out-of-bounds memory access of fetching args
Uprobe needs to fetch args into a percpu buffer, and then copy to ring
buffer to avoid non-atomic context problem.
Sometimes user-space strings, arrays can be very large, but the size of
percpu buffer is only page size. And store_trace_args() won't check
whether these data exceeds a single page or not, caused out-of-bounds
memory access.
[ Fix ]
Backport the following commits from upstream:
- 3eaea21b4d27 uprobes: encapsulate preparation of uprobe args buffer (dependency)
- 373b9338c972 uprobe: avoid out-of-bounds memory access of fetching args (fix commit)
[ Test Plan ]
Compile and boot tested.
Traced, using uprobes, the following reproducer:
```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
// will return 0, cause __get_data_size() return shorter size, and
// store_trace_args() will not trigger out-of-bounds access.
// So make string length less than 4096.
#define STRLEN 4093
void generate_string(char *str, int n)
{
int i;
for (i = 0; i < n; ++i)
{
char c = i % 26 + 'a';
str[i] = c;
}
str[n-1] = '\0';
}
void print_string(char *str)
{
printf("%s\n", str);
}
int main()
{
char tmp[STRLEN];
generate_string(tmp, STRLEN);
print_string(tmp);
return 0;
}
```
Jammy tested with KASAN enabled before the patch:
```
$ gcc test.c -o test
$ objdump -t test | grep -w print_string
00000000000011e0 g F .text 000000000000001f print_string
$ echo "p /home/mpellizzer/playground/test:0x11e0 arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" | sudo tee /sys/kernel/debug/tracing/uprobe_events
$ echo 1 | sudo tee /sys/kernel/debug/tracing/events/uprobes/enable
$ echo 1 | sudo tee /sys/kernel/debug/tracing/tracing_on
$ ./test
...
[ 245.833255] BUG: KASAN: use-after-free in strncpy_from_user+0x48/0x250
[ 245.833293] Write of size 8191 at addr ffff88810496000c by task test/1091
```
Jammy tested with KASAN enabled after the patch:
```
$ gcc test.c -o test
$ objdump -t test | grep -w print_string
00000000000011e0 g F .text 000000000000001f print_string
$ echo "p /home/mpellizzer/playground/test:0x11e0 arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" | sudo tee /sys/kernel/debug/tracing/uprobe_events
$ echo 1 | sudo tee /sys/kernel/debug/tracing/events/uprobes/enable
$ echo 1 | sudo tee /sys/kernel/debug/tracing/tracing_on
$ ./test
abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz...
```
[ Regression Potential ]
The fix affects the uprobe tracer's handling of user argument data
copied into the per-CPU trace buffer. An issue with this patch may
introduce incorrect size accounting or premature troncation of trace
records, leading to incomplete or malformed data in the tracing output.
In more severe cases, an error in the bound checking may cause failures
in tracing programs using uprobes.
Andrii Nakryiko (1):
uprobes: encapsulate preparation of uprobe args buffer
Qiao Ma (1):
uprobe: avoid out-of-bounds memory access of fetching args
kernel/trace/trace_uprobe.c | 85 ++++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 39 deletions(-)
--
2.48.1
More information about the kernel-team
mailing list