Landlock tracepoints expose filesystem paths and process names that may contain spaces, equal signs, or other characters that break ftrace field parsing. Add a new __print_untrusted_str() helper to safely print strings after escaping all special characters, including common separators (space, equal sign), quotes, and backslashes. This transforms a string from an untrusted source (e.g. user space) to make it: - safe to parse, - easy to read (for simple strings), - easy to get back the original. Cc: Günther Noack Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Steven Rostedt Cc: Tingmao Wang Signed-off-by: Mickaël Salaün --- Changes since v1: https://lore.kernel.org/r/20250523165741.693976-4-mic@digikod.net - Remove WARN_ON() (pointed out by Steven Rostedt). --- include/linux/trace_events.h | 2 ++ include/trace/stages/stage3_trace_output.h | 4 +++ include/trace/stages/stage7_class_define.h | 1 + kernel/trace/trace_output.c | 41 ++++++++++++++++++++++ 4 files changed, 48 insertions(+) diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 37eb2f0f3dd8..7f4325d327ee 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -57,6 +57,8 @@ trace_print_hex_dump_seq(struct trace_seq *p, const char *prefix_str, int prefix_type, int rowsize, int groupsize, const void *buf, size_t len, bool ascii); +const char *trace_print_untrusted_str_seq(struct trace_seq *s, const char *str); + int trace_raw_output_prep(struct trace_iterator *iter, struct trace_event *event); extern __printf(2, 3) diff --git a/include/trace/stages/stage3_trace_output.h b/include/trace/stages/stage3_trace_output.h index fce85ea2df1c..62e98babb969 100644 --- a/include/trace/stages/stage3_trace_output.h +++ b/include/trace/stages/stage3_trace_output.h @@ -133,6 +133,10 @@ trace_print_hex_dump_seq(p, prefix_str, prefix_type, \ rowsize, groupsize, buf, len, ascii) +#undef __print_untrusted_str +#define __print_untrusted_str(str) \ + trace_print_untrusted_str_seq(p, __get_str(str)) + #undef __print_ns_to_secs #define __print_ns_to_secs(value) \ ({ \ diff --git a/include/trace/stages/stage7_class_define.h b/include/trace/stages/stage7_class_define.h index fcd564a590f4..1164aacd550f 100644 --- a/include/trace/stages/stage7_class_define.h +++ b/include/trace/stages/stage7_class_define.h @@ -24,6 +24,7 @@ #undef __print_array #undef __print_dynamic_array #undef __print_hex_dump +#undef __print_untrusted_str #undef __get_buf /* diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c index 1996d7aba038..9d14c7cc654d 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -16,6 +16,7 @@ #include #include #include +#include #include "trace_output.h" #include "trace_btf.h" @@ -321,6 +322,46 @@ trace_print_hex_dump_seq(struct trace_seq *p, const char *prefix_str, } EXPORT_SYMBOL(trace_print_hex_dump_seq); +/** + * trace_print_untrusted_str_seq - print a string after escaping characters + * @s: trace seq struct to write to + * @src: The string to print + * + * Prints a string to a trace seq after escaping all special characters, + * including common separators (space, equal sign), quotes, and backslashes. + * This transforms a string from an untrusted source (e.g. user space) to make + * it: + * - safe to parse, + * - easy to read (for simple strings), + * - easy to get back the original. + */ +const char *trace_print_untrusted_str_seq(struct trace_seq *s, + const char *src) +{ + int escaped_size; + char *buf; + size_t buf_size = seq_buf_get_buf(&s->seq, &buf); + const char *ret = trace_seq_buffer_ptr(s); + + /* Buffer exhaustion is normal when the trace buffer is full. */ + if (!src || buf_size == 0) + return NULL; + + escaped_size = string_escape_mem(src, strlen(src), buf, buf_size, + ESCAPE_SPACE | ESCAPE_SPECIAL | ESCAPE_NAP | ESCAPE_APPEND | + ESCAPE_OCTAL, " ='\"\\"); + if (unlikely(escaped_size >= buf_size)) { + /* We need some room for the final '\0'. */ + seq_buf_set_overflow(&s->seq); + s->full = 1; + return NULL; + } + seq_buf_commit(&s->seq, escaped_size); + trace_seq_putc(s, 0); + return ret; +} +EXPORT_SYMBOL(trace_print_untrusted_str_seq); + int trace_raw_output_prep(struct trace_iterator *iter, struct trace_event *trace_event) { -- 2.53.0