| From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> |
| Date: Wed, 9 May 2018 11:59:32 -0400 |
| Subject: tracing: Fix regex_match_front() to not over compare the test string |
| |
| commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream. |
| |
| The regex match function regex_match_front() in the tracing filter logic, |
| was fixed to test just the pattern length from testing the entire test |
| string. That is, it went from strncmp(str, r->pattern, len) to |
| strcmp(str, r->pattern, r->len). |
| |
| The issue is that str is not guaranteed to be nul terminated, and if r->len |
| is greater than the length of str, it can access more memory than is |
| allocated. |
| |
| The solution is to add a simple test if (len < r->len) return 0. |
| |
| Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") |
| Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| kernel/trace/trace_events_filter.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/kernel/trace/trace_events_filter.c |
| +++ b/kernel/trace/trace_events_filter.c |
| @@ -273,6 +273,9 @@ static int regex_match_full(char *str, s |
| |
| static int regex_match_front(char *str, struct regex *r, int len) |
| { |
| + if (len < r->len) |
| + return 0; |
| + |
| if (strncmp(str, r->pattern, r->len) == 0) |
| return 1; |
| return 0; |