Date:   Wed, 17 Mar 2021 18:25:27 +0800
From:   Li Huafei <lihuafei1@...wei.com>
To:     <rostedt@...dmis.org>, <mingo@...hat.com>, <jolsa@...hat.com>
CC:     <linux-kernel@...r.kernel.org>, <yangjihong1@...wei.com>,
        <xukuohai@...wei.com>, <zhangjinhao2@...wei.com>,
        <lihuafei1@...wei.com>
Subject: [PATCH 0/2] Fix the race on &event->ftrace_ops between perf and ftrace

There is a race on &event->ftrace_ops between perf_alloc_event() and
__ftrace_ops_list_func(). When adding a perf event, if the event needs
to use the ftrace framework, it needs to register ftrace_ops with
ftrace, which is a structural member of perf event. If perf_alloc_event()
fails, it will free the allocated event directly, but if ftrace_ops has
been successfully registered, and the probe point is triggered, then
__ftrace_ops_list_func() may still reference the ftrace_ops that perf
just registered, but it has been freed when the event is freed,
so use-after-free happens.

This race condition was triggered when we did the fuzz test; see the commit
message of PATCH 2 for detailed logs. This patch set fixes this race.

Li Huafei (2):
  ftrace: Update ftrace_ops->next pointer with rcu_assign_pointer()
  perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()

 include/linux/ftrace.h          | 15 +++++++++++++++
 kernel/trace/ftrace.c           |  4 ++--
 kernel/trace/trace_event_perf.c |  7 +++++++
 3 files changed, 24 insertions(+), 2 deletions(-)

-- 
2.17.1
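
The lifetime problem described in the cover letter above, as an added userspace C model (not code from the patch set or from the kernel): a list node embedded in its owner is freed on an error path while still published, compared with a teardown that unlinks first and defers the free while a walker is in flight. All names here (`pool`, `readers`, `event_setup`, `event_teardown`, `dangling_ops`) are assumptions made for the illustration, and the `readers` counter only stands in for an RCU grace period.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Userspace model, all names assumed: ops is embedded in its owner, the
 * way the cover letter describes ftrace_ops inside the perf event. */
struct ops { struct ops *next; };
struct event { struct ops ops; bool freed; };
static struct event pool[4]; /* arena, so "freed" slots stay inspectable */
static struct ops *ops_list; /* global list the dispatcher walks */
static int readers;          /* walkers currently inside the list */

static struct event *event_setup(int slot)
{
    struct event *e = &pool[slot];
    memset(e, 0, sizeof(*e));
    e->ops.next = ops_list;  /* register: publish the embedded node */
    ops_list = &e->ops;
    return e;
}

/* Error-path teardown. safe=false frees while still listed; safe=true
 * unlinks first and defers the free until in-flight walkers drain. */
static int event_teardown(struct event *e, bool safe)
{
    if (safe) {
        for (struct ops **pp = &ops_list; *pp; pp = &(*pp)->next)
            if (*pp == &e->ops) { *pp = e->ops.next; break; }
        if (readers > 0)
            return -1;       /* retry after the grace period */
    }
    e->freed = true;         /* stands in for freeing the event */
    return 0;
}

/* Listed nodes whose owner is already freed: what a walker would touch. */
static int dangling_ops(void)
{
    int n = 0;
    for (struct ops *o = ops_list; o; o = o->next)
        n += ((struct event *)((char *)o - offsetof(struct event, ops)))->freed;
    return n;
}

int main(void)
{
    event_teardown(event_setup(0), false);
    return printf("dangling ops after direct free: %d\n", dangling_ops()) < 0;
}
```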
