| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1583487306-81985-1-git-send-email-cj.chengjian@huawei.com>
Date: Fri, 6 Mar 2020 17:35:06 +0800
From: Cheng Jian <cj.chengjian@...wei.com>
To: <linux-kernel@...r.kernel.org>
CC: <cj.chengjian@...wei.com>, <huawei.libin@...wei.com>,
<xiexiuqi@...wei.com>, <bobo.shaobowang@...wei.com>,
<naveen.n.rao@...ux.ibm.com>, <anil.s.keshavamurthy@...el.com>,
<davem@...emloft.net>, <mhiramat@...nel.org>
Subject: [PATCH] kretprobe: check re-registration of the same kretprobe earlier
Our system encountered a use-after-free when re-register a
same kretprobe. it access the hlist node in rp->free_instances
which has been released already.
Prevent re-registration has been implemented for kprobe before,
but it's too late for kretprobe. We must check the re-registration
before re-initializing the kretprobe, otherwise it will destroy the
data and struct of the kretprobe registered, it can lead to memory
leak and use-after-free.
Signed-off-by: Cheng Jian <cj.chengjian@...wei.com>
---
kernel/kprobes.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 2625c24..f1fc921 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1946,6 +1946,11 @@ int register_kretprobe(struct kretprobe *rp)
}
}
+ /* Return error if it's being re-registered */
+ ret = check_kprobe_rereg(&rp->kp);
+ if (ret)
+ return ret;
+
rp->kp.pre_handler = pre_handler_kretprobe;
rp->kp.post_handler = NULL;
rp->kp.fault_handler = NULL;
--
2.7.4
Powered by blists - more mailing lists