[PATCH] trace: Protect trace_iter_expand_format against overflow and ZERO_SIZE_PTR
From: Rafal Bilkowski
Date: Mon May 19 2025 - 03:03:17 EST
Add a check in trace_iter_expand_format to prevent integer overflow when
calculating the new format buffer size, and to handle the case where krealloc
returns ZERO_SIZE_PTR. This improves robustness and prevents potential
memory corruption or kernel crashes.
Signed-off-by: Rafal Bilkowski <rafalbilkowski@xxxxxxxxx>
---
kernel/trace/trace.c | 4 ++++
kernel/trace/trace_output.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 5b8db27fb6ef..637bd1ff9325 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3596,6 +3596,10 @@ char *trace_iter_expand_format(struct trace_iterator *iter)
if (!iter->tr || iter->fmt == static_fmt_buf)
return NULL;
+ /* Protection against overflow and ZERO_SIZE_PTR returned from krealloc */
+ if (check_add_overflow(iter->fmt_size, STATIC_FMT_BUF_SIZE, &iter->fmt_size))
+ return NULL;
+
tmp = krealloc(iter->fmt, iter->fmt_size + STATIC_FMT_BUF_SIZE,
GFP_KERNEL);
if (tmp) {
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index b9ab06c99543..42560027001a 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -979,6 +979,8 @@ static void print_fields(struct trace_iterator *iter, struct trace_event_call *c
iter->fmt_size);
if (ret < 0)
trace_seq_printf(&iter->seq, "(0x%px)", pos);
+ else if (ret == 0)
+ trace_seq_printf(&iter->seq, "(0x%px:<NULL>)", pos);
else
trace_seq_printf(&iter->seq, "(0x%px:%s)",
pos, iter->fmt);
--
2.43.0