linux-kernel - [PATCH] kretprobe: check re-registration of the same kretprobe earlier

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date:   Fri, 6 Mar 2020 17:35:06 +0800
From:   Cheng Jian <cj.chengjian@...wei.com>
To:     <linux-kernel@...r.kernel.org>
CC:     <cj.chengjian@...wei.com>, <huawei.libin@...wei.com>,
        <xiexiuqi@...wei.com>, <bobo.shaobowang@...wei.com>,
        <naveen.n.rao@...ux.ibm.com>, <anil.s.keshavamurthy@...el.com>,
        <davem@...emloft.net>, <mhiramat@...nel.org>
Subject: [PATCH] kretprobe: check re-registration of the same kretprobe earlier

Our system encountered a use-after-free when re-register a
same kretprobe. it access the hlist node in rp->free_instances
which has been released already.

Prevent re-registration has been implemented for kprobe before,
but it's too late for kretprobe. We must check the re-registration
before re-initializing the kretprobe, otherwise it will destroy the
data and struct of the kretprobe registered, it can lead to memory
leak and use-after-free.

Signed-off-by: Cheng Jian <cj.chengjian@...wei.com>
---
 kernel/kprobes.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 2625c24..f1fc921 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1946,6 +1946,11 @@ int register_kretprobe(struct kretprobe *rp)
 		}
 	}

+	/* Return error if it's being re-registered */
+	ret = check_kprobe_rereg(&rp->kp);
+	if (ret)
+		return ret;
+
 	rp->kp.pre_handler = pre_handler_kretprobe;
 	rp->kp.post_handler = NULL;
 	rp->kp.fault_handler = NULL;
-- 
2.7.4