lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 Apr 2023 17:55:48 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <bpf@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC:     <ast@...nel.org>, <daniel@...earbox.net>,
        <john.fastabend@...il.com>, <andrii@...nel.org>,
        <martin.lau@...ux.dev>, <song@...nel.org>, <yhs@...com>,
        <kpsingh@...nel.org>, <sdf@...gle.com>, <haoluo@...gle.com>,
        <jolsa@...nel.org>, <chenzhongjin@...wei.com>
Subject: [PATCH] bpf: Unregister fentry when bpf_trampoline_unlink_prog fails to update image

In bpf_link_free, bpf trampoline will update the image and remove the
unlinked prog.

bpf_trampoline_unlink_prog is committed as 'never fail', however it depends
on the result of image update. It is possible to fail if memory allocation
fail in bpf_trampoline_update.

The error result of bpf_trampoline_update can't be passed to bpf_link_free
because link release callback returns void. Then it will free the prog
whether image updating is successful or not.
If the old image tries to call a freed prog, it makes kernel panic.

    BUG: unable to handle page fault for address: ffffffffc04a8d20
    #PF: supervisor instruction fetch in kernel mode
    #PF: error_code(0x0010) - not-present page
    RIP: 0010:0xffffffffc04a8d20
    Code: Unable to access opcode bytes at RIP 0xffffffffc04a8cf6.
    ...
    Call Trace:
    ? bpf_trampoline_78223_0
    bpf_traced_function
    ...

Fix this when bpf_trampoline_update failed in bpf_trampoline_unlink_prog,
unregister fentry to disable the trampoline. Then other progs on the
trampoline can be unlinked safely and finally the trampoline will be
released.

Fixes: 88fd9e5352fe ("bpf: Refactor trampoline update code")
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
 kernel/bpf/trampoline.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index d0ed7d6f5eec..6daa93b30e81 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -604,7 +604,10 @@ static int __bpf_trampoline_unlink_prog(struct bpf_tramp_link *link, struct bpf_
 	}
 	hlist_del_init(&link->tramp_hlist);
 	tr->progs_cnt[kind]--;
-	return bpf_trampoline_update(tr, true /* lock_direct_mutex */);
+	err =  bpf_trampoline_update(tr, true /* lock_direct_mutex */);
+	if (err && tr->cur_image)
+		unregister_fentry(tr, tr->cur_image->image);
+	return err;
 }
 
 /* bpf_trampoline_unlink_prog() should never fail. */
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ