lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <92cff289-facb-4e42-b761-6fd2515d6018@suse.com>
Date: Wed, 17 Jul 2024 14:52:43 +0200
From: Petr Pavlu <petr.pavlu@...e.com>
To: linux-trace-kernel@...r.kernel.org
Cc: "Naveen N. Rao" <naveen.n.rao@...ux.ibm.com>,
 Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
 "David S. Miller" <davem@...emloft.net>,
 Masami Hiramatsu <mhiramat@...nel.org>, linux-kernel@...r.kernel.org
Subject: [PATCH pre-6.7] kprobes: Fix double free of kretprobe_holder

Hello,

Below is a patch for a kretprobe-related problem that was already fixed
in v6.7 as a side-effect of the objpool optimization, in commit
4bbd93455659 ("kprobes: kretprobe scalability improvement").

I'm sending it to the list because it might be useful to pick the fix up
for longterm or distribution kernels. Additionally, I would like to
propose a small improvement to refcount_t and this gives me an actual
problem to point to about its motivation.

Cheers,
Petr

---

>From b0dde62cc5268a7d728cfdb360cb5170266a5e11 Mon Sep 17 00:00:00 2001
From: Petr Pavlu <petr.pavlu@...e.com>
Date: Thu, 4 Apr 2024 16:44:02 +0200
Subject: [PATCH pre-6.7] kprobes: Fix double free of kretprobe_holder

When unregistering a kretprobe, the code in unregister_kretprobes() sets
rp->rph->rp to NULL which forces all associated kretprobe_instances
still in use to be later freed separately via free_rp_inst_rcu().

Function unregister_kretprobes() then calls free_rp_inst() which takes
care of releasing all currently unused kretprobe_instances, the ones
that are on the kretprobe's freelist. The code in free_rp_inst() counts
a number of these released kretprobe_instances and invokes
refcount_sub_and_test(count, &rp->rph->ref) to decrease the
kretprobe_holder's refcount and subsequently calls kfree(rp->rph) if the
function returns true, indicating the refcount reached zero.

It is possible that the number of released kretprobe_instances in
free_rp_inst() is zero and therefore refcount_sub_and_test() is invoked
with count=0. Additionally, depending on timing, it can happen
that all previously used kretprobe_instances were already freed via
free_rp_inst_rcu(). This means the refcount of kretprobe_holder already
reached zero and was deallocated.

The resulting call of refcount_sub_and_test(0, &rp->rph->ref) in
free_rp_inst() is then a use-after-free. If the memory previously
occupied by the refcount is still set to zero then the call returns true
and kretprobe_holder gets wrongly freed for the second time.

Fix the problem by adding a check for count>0 before calling
refcount_sub_and_test() in free_rp_inst().

Note that this code was reworked in v6.7 by commit 4bbd93455659
("kprobes: kretprobe scalability improvement") and the new objpool
implementation doesn't have this problem.

Fixes: d741bf41d7c7 ("kprobes: Remove kretprobe hash")
Signed-off-by: Petr Pavlu <petr.pavlu@...e.com>
---
 kernel/kprobes.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 0c6185aefaef..7ae5873545a1 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1942,10 +1942,9 @@ static inline void free_rp_inst(struct kretprobe *rp)
 		count++;
 	}
 
-	if (refcount_sub_and_test(count, &rp->rph->ref)) {
+	if (count > 0 && refcount_sub_and_test(count, &rp->rph->ref))
 		kfree(rp->rph);
-		rp->rph = NULL;
-	}
+	rp->rph = NULL;
 }
 
 /* This assumes the 'tsk' is the current task or the is not running. */

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.35.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ