From 499ac8be0b08816e44bdc76ce2b8bdd0c64a2909 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Thu, 29 Sep 2022 16:45:26 -0400
Subject: [PATCH] Fix: bytecode validator: reject specialized load instructions

Reject specialized load instructions so a bytecode crafted with nefarious intent cannot:

- Read user-space memory without proper get_user accessors,
- Read a memory area larger than the memory targeted by the instrumentation.

This prevents bytecode received from a tracing group user from oopsing the kernel or disclosing the content of kernel memory to the tracing group.

Signed-off-by: Mathieu Desnoyers
Change-Id: Ia70bb2da645d6a0b36515a8ac51995c13283d4cc
---
 lttng-filter-validator.c | 54 +++++++++-------------------------------
 1 file changed, 12 insertions(+), 42 deletions(-)

diff --git a/lttng-filter-validator.c b/lttng-filter-validator.c
index c479af08..2a5db119 100644
--- a/lttng-filter-validator.c
+++ b/lttng-filter-validator.c
@@ -976,60 +976,30 @@ int validate_instruction_context(struct bytecode_runtime *bytecode,
 		dbg_printk("Validate load field\n");
 		break;
 	}
+
+	/*
+	 * Disallow already specialized bytecode op load field instructions to
+	 * ensure that the received bytecode does not:
+	 *
+	 * - Read user-space memory without proper get_user accessors,
+	 * - Read a memory area larger than the memory targeted by the instrumentation.
+	 */
 	case FILTER_OP_LOAD_FIELD_S8:
-	{
-		dbg_printk("Validate load field s8\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_S16:
-	{
-		dbg_printk("Validate load field s16\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_S32:
-	{
-		dbg_printk("Validate load field s32\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_S64:
-	{
-		dbg_printk("Validate load field s64\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_U8:
-	{
-		dbg_printk("Validate load field u8\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_U16:
-	{
-		dbg_printk("Validate load field u16\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_U32:
-	{
-		dbg_printk("Validate load field u32\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_U64:
-	{
-		dbg_printk("Validate load field u64\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_STRING:
-	{
-		dbg_printk("Validate load field string\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_SEQUENCE:
-	{
-		dbg_printk("Validate load field sequence\n");
-		break;
-	}
 	case FILTER_OP_LOAD_FIELD_DOUBLE:
 	{
-		dbg_printk("Validate load field double\n");
-		break;
+		dbg_printk("Validate load field, reject specialized load instruction (%d)\n",
+			(int) opcode);
+		ret = -EINVAL;
+		goto end;
 	}
 	case FILTER_OP_GET_SYMBOL:
-- 
2.34.1
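Review bot: The merged `case FILTER_OP_LOAD_FIELD_S8:` … `case FILTER_OP_LOAD_FIELD_DOUBLE:` arm that now sets `ret = -EINVAL` is a deny-list keyed on today's set of specialized load opcodes, so its protection holds only if every opcode the specializer can emit is enumerated here and the switch's `default:` arm (outside this hunk) refuses opcodes it does not recognise; neither dependency is recorded in the new comment. I would extend the comment with `* These opcodes are only ever produced by the specialization pass after validation; any new specialized load opcode must be added to this list as well.` so the next person adding a FILTER_OP_LOAD_FIELD_* variant knows to update the validator. Whether the `default:` arm already rejects unknown opcodes cannot be seen from this hunk and should be confirmed, since an accepting default would let a future specialized opcode through untouched. The enclosing `validate_instruction_context` switch begins and ends outside the hunk.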