On Tue, Jan 09, 2018 at 11:10:22PM -0500, Steven Rostedt wrote: > On Wed, 10 Jan 2018 11:02:06 +0800 > "Du, Changbin" <changbin.du@xxxxxxxxx> wrote: > > > On Tue, Jan 09, 2018 at 06:02:58PM -0500, Steven Rostedt wrote: > > > On Tue, 9 Jan 2018 17:55:47 +0800 > > > changbin.du@xxxxxxxxx wrote: > > > > > > > From: Changbin Du <changbin.du@xxxxxxxxx> > > > > > > > > The parser parse every string into parser.buffer. And some of the callers > > > > assume that parser.buffer contains a C string. So it is dangerous that the > > > > parser returns a unterminated string. The userspace can leverage this to > > > > attack the kernel. > > > > > > Is this only a bug if we apply your first patch? > > > > > I don't think so. Seems it is there already. > > > > OK. I'll have to take a deeper look into this so that I completely > understand the problem and your solution. I'm currently traveling and > may not get to do that this week. Please ping me next week if you don't > hear back from me on this issue. > > Thanks! > > -- Steve I checked every trace_get_user() clients again and found it is not an issue in current kernel. The client has checked trace_parser_cont() before using parsed string or append '\0'. I still want to make the parser returns a '\0' terminated string. Then we don't require the clients append it. I think this would be better since we are dealing with strings. -- Thanks, Changbin Du