CVE-2022-50255

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/09/2025
Last modified: 15/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix reading strings from synthetic events

The following commands caused a crash:

    # cd /sys/kernel/tracing
    # echo 's:open char file[]' > dynamic_events
    # echo 'hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)' > events/syscalls/sys_enter_openat/trigger
    # echo 1 > events/synthetic/open/enable

BOOM!

The problem is that the synthetic event field "char file[]" will read the value given to it as a string without any memory checks to make sure the address is valid. The above example will pass in the user space address and the synthetic event code will happily call strlen() on it and then strscpy() where either one will cause an oops when accessing user space addresses.

Use the helper functions from trace_kprobe and trace_eprobe that can read strings safely (and actually succeed when the address is from user space and the memory is mapped in).

Now the above can show:

    packagekitd-1721 [000] ...2. 104.597170: open: file=/usr/lib/rpm/fileattrs/cmake.attr
    in:imjournal-978 [006] ...2. 104.599642: open: file=/var/lib/rsyslog/imjournal.state.tmp
    packagekitd-1721 [000] ...2. 104.626308: open: file=/usr/lib/rpm/fileattrs/debuginfo.attr
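
A defender-side check tied to the description above, added here as an example and not part of the CVE record or the kernel patch: it lists synthetic events that declare a dynamic string field such as "char file[]", the field type whose value was read without address checks. The function name, the sample definitions and the "char[] name" read-back form are assumptions.

```sh
#!/bin/sh
# Added example: report synthetic events that declare a dynamic string field.

# list_dynamic_string_fields [FILE]
# Prints "<event> <field>" for each dynamic "char" string field found in FILE
# (default: the live tracefs dynamic_events file, which needs root to read).
list_dynamic_string_fields() {
    awk '
    /^s:/ {
        line = $0
        sub(/^s:/, "", line)
        sep = match(line, /[ \t]/)          # event name ends at first blank
        if (sep == 0) next
        name = substr(line, 1, sep - 1)
        sub(/^.*\//, "", name)              # drop an optional "group/" prefix
        cnt = split(substr(line, sep + 1), fields, ";")
        for (i = 1; i <= cnt; i++) {
            f = fields[i]
            gsub(/^[ \t]+|[ \t]+$/, "", f)
            # "char file[]" (as written) or "char[] file" (assumed read-back)
            if (f ~ /^char[ \t]+[A-Za-z_][A-Za-z0-9_]*\[\]$/ ||
                f ~ /^char\[\][ \t]+[A-Za-z_][A-Za-z0-9_]*$/) {
                sub(/^char(\[\])?[ \t]+/, "", f)
                sub(/\[\]$/, "", f)
                print name, f
            }
        }
    }' "${1:-/sys/kernel/tracing/dynamic_events}"
}

# Constructed sample definitions (not captured from a real system).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
s:open char file[]
s:synthetic/wakeup_latency u64 lat; pid_t pid; char[16] comm
s:synthetic/exec char[] path; pid_t pid
p:kprobes/myprobe do_sys_open
EOF

list_dynamic_string_fields "$sample"
```

Run as root with no argument, the function reads /sys/kernel/tracing/dynamic_events; any line it prints names an event to review on a kernel that lacks this fix.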

Impact