ACK: Re: [SRU][J][PATCH 0/2] CVE-2024-50067
Paolo Pisati
paolo.pisati at canonical.com
Mon Oct 20 10:04:21 UTC 2025
On Fri, Oct 17, 2025 at 10:19:06PM +0200, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-50067
>
> [ Impact ]
>
> uprobe: avoid out-of-bounds memory access of fetching args
>
> Uprobe needs to fetch args into a percpu buffer, and then copy to ring
> buffer to avoid non-atomic context problem.
>
> Sometimes user-space strings, arrays can be very large, but the size of
> percpu buffer is only page size. And store_trace_args() won't check
> whether these data exceeds a single page or not, caused out-of-bounds
> memory access.
>
> [ Fix ]
>
> Backport the following commits from upstream:
> - 3eaea21b4d27 uprobes: encapsulate preparation of uprobe args buffer (dependency)
> - 373b9338c972 uprobe: avoid out-of-bounds memory access of fetching args (fix commit)
>
> [ Test Plan ]
>
> Compile and boot tested.
> Traced, using uprobes, the following reproducer:
>
> ```
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> // If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
> // will return 0, cause __get_data_size() return shorter size, and
> // store_trace_args() will not trigger out-of-bounds access.
> // So make string length less than 4096.
> #define STRLEN 4093
>
> void generate_string(char *str, int n)
> {
> int i;
> for (i = 0; i < n; ++i)
> {
> char c = i % 26 + 'a';
> str[i] = c;
> }
> str[n-1] = '\0';
> }
>
> void print_string(char *str)
> {
> printf("%s\n", str);
> }
>
> int main()
> {
> char tmp[STRLEN];
>
> generate_string(tmp, STRLEN);
> print_string(tmp);
>
> return 0;
> }
> ```
>
> Jammy tested with KASAN enabled before the patch:
> ```
> $ gcc test.c -o test
> $ objdump -t test | grep -w print_string
> 00000000000011e0 g F .text 000000000000001f print_string
> $ echo "p /home/mpellizzer/playground/test:0x11e0 arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" | sudo tee /sys/kernel/debug/tracing/uprobe_events
> $ echo 1 | sudo tee /sys/kernel/debug/tracing/events/uprobes/enable
> $ echo 1 | sudo tee /sys/kernel/debug/tracing/tracing_on
> $ ./test
> ...
> [ 245.833255] BUG: KASAN: use-after-free in strncpy_from_user+0x48/0x250
> [ 245.833293] Write of size 8191 at addr ffff88810496000c by task test/1091
> ```
>
> Jammy tested with KASAN enabled after the patch:
> ```
> $ gcc test.c -o test
> $ objdump -t test | grep -w print_string
> 00000000000011e0 g F .text 000000000000001f print_string
> $ echo "p /home/mpellizzer/playground/test:0x11e0 arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" | sudo tee /sys/kernel/debug/tracing/uprobe_events
> $ echo 1 | sudo tee /sys/kernel/debug/tracing/events/uprobes/enable
> $ echo 1 | sudo tee /sys/kernel/debug/tracing/tracing_on
> $ ./test
> abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz...
> ```
>
> [ Regression Potential ]
>
> The fix affects the uprobe tracer's handling of user argument data
> copied into the per-CPU trace buffer. An issue with this patch may
> introduce incorrect size accounting or premature troncation of trace
> records, leading to incomplete or malformed data in the tracing output.
> In more severe cases, an error in the bound checking may cause failures
> in tracing programs using uprobes.
>
> Andrii Nakryiko (1):
> uprobes: encapsulate preparation of uprobe args buffer
>
> Qiao Ma (1):
> uprobe: avoid out-of-bounds memory access of fetching args
>
> kernel/trace/trace_uprobe.c | 85 ++++++++++++++++++++-----------------
> 1 file changed, 46 insertions(+), 39 deletions(-)
>
> --
> 2.48.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Paolo Pisati <paolo.pisati at canonical.com>
--
bye,
p.
More information about the kernel-team
mailing list