| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Nov 2022 00:33:11 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Li Huafei <lihuafei1@...wei.com>
Cc: <linux-kernel@...r.kernel.org>, <naveen.n.rao@...ux.ibm.com>,
<anil.s.keshavamurthy@...el.com>, <davem@...emloft.net>,
<rostedt@...dmis.org>, <joe.lawrence@...hat.com>,
<zhaogongyi@...wei.com>
Subject: Re: [PATCH] kprobes: Update ftrace_ops when clearing ftrace-based
aggrprobe's post_handler
On Fri, 11 Nov 2022 18:10:06 +0800
Li Huafei <lihuafei1@...wei.com> wrote:
> In __unregister_kprobe_top(), if the currently unregistered probe has
> post_handler but other child probes of the aggrprobe do not have
> post_handler, the post_handler of the aggrprobe is cleared. If this is
> a ftrace-based probe, there is a problem. In later calls to
> disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is
> NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in
> __disarm_kprobe_ftrace() and may even cause use-after-free:
>
> Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
> WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
> Modules linked in: testKprobe_007(-)
> CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
> [...]
> Call Trace:
> <TASK>
> __disable_kprobe+0xcd/0xe0
> __unregister_kprobe_top+0x12/0x150
> ? mutex_lock+0xe/0x30
> unregister_kprobes.part.23+0x31/0xa0
> unregister_kprobe+0x32/0x40
> __x64_sys_delete_module+0x15e/0x260
> ? do_user_addr_fault+0x2cd/0x6b0
> do_syscall_64+0x3a/0x90
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [...]
Ah, good catch! :D
>
> For ftrace kprobe, update post_handler at the same time update
> ftrace_ops, moving it from kprobe_ipmodify_ops to kprobe_ftrace_ops.
Hmm, but I would not like this because there can be a time
window when it can miss an event. What about just skipping
clearing ap->post_handler in kprobe-on-ftrace case?
>
> Fixes: 0bc11ed5ab60 ("kprobes: Allow kprobes coexist with livepatch")
> Reported-by: Zhao Gongyi <zhaogongyi@...wei.com>
> Signed-off-by: Li Huafei <lihuafei1@...wei.com>
> ---
> kernel/kprobes.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/kprobes.c b/kernel/kprobes.c
> index cd9f5a66a690..f8bec48a9cf9 100644
> --- a/kernel/kprobes.c
> +++ b/kernel/kprobes.c
> @@ -1766,7 +1766,17 @@ static int __unregister_kprobe_top(struct kprobe *p)
> if ((list_p != p) && (list_p->post_handler))
> goto noclean;
> }
> - ap->post_handler = NULL;
> + /*
> + * For ftrace kprobe, we need to update ftrace_ops
> + * at the same time as we update post_handler, moving
> + * it from kprobe_ipmodify_ops to kprobe_ftrace_ops.
> + */
> + if (unlikely(kprobe_ftrace(ap))) {
> + disarm_kprobe(ap, false);
> + ap->post_handler = NULL;
> + arm_kprobe(ap);
> + } else
So here, just add; (also, don't use unlikely/likely for this case, this
depends on where the user probes, not a systematically rare case.)
if (!kprobe_ftrace(ap))
> + ap->post_handler = NULL;
Thank you!
> }
> noclean:
> /*
> --
> 2.17.1
>
--
Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists