| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <60b3386e-dbb1-4fe9-bc38-d62eba4d9c50@redhat.com>
Date: Tue, 13 May 2025 15:16:08 +0200
From: David Hildenbrand <david@...hat.com>
To: Jiri Olsa <jolsa@...nel.org>, Masami Hiramatsu <mhiramat@...nel.org>,
Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <peterz@...radead.org>,
Andrii Nakryiko <andrii@...nel.org>
Cc: linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH mm-stable] uprobes: Revert ref_ctr_offset in
uprobe_unregister error path
On 13.05.25 14:21, Jiri Olsa wrote:
> From: Jiri Olsa <olsajiri@...il.com>
>
Thanks for debugging.
> There's error path that could lead to inactive uprobe:
>
> 1) uprobe_register succeeds - updates instruction to int3 and
> changes ref_ctr from 0 to 1
> 2) uprobe_unregister fails - int3 stays in place, but ref_ctr
> is changed to 0 (it's not restored to 1 in the fail path)
> uprobe is leaked
> 3) another uprobe_register comes and re-uses the leaked uprobe
> and succeds - but int3 is already in place, so ref_ctr update
> is skipped and it stays 0 - uprobe CAN NOT be triggered now
> 4) uprobe_unregister fails because ref_ctr value is unexpected
>
> Fixing this by reverting the updated ref_ctr value back to 1 in step 2),
> which is the case when uprobe_unregister fails (int3 stays in place),
> but we have already updated refctr.
>
> The new scenario will go as follows:
>
> 1) uprobe_register succeeds - updates instruction to int3 and
> changes ref_ctr from 0 to 1
> 2) uprobe_unregister fails - int3 stays in place and ref_ctr
> is reverted to 1.. uprobe is leaked
> 3) another uprobe_register comes and re-uses the leaked uprobe
> and succeds - but int3 is already in place, so ref_ctr update
> is skipped and it stays 1 - uprobe CAN be triggered now
> 4) uprobe_unregister succeeds
>
> Suggested-by: Oleg Nesterov <oleg@...hat.com>
If it's in mm-stable, we should have
Fixes: ...
here
> Signed-off-by: Jiri Olsa <jolsa@...nel.org>
> ---
> Please note it's based on mm-stable branch, because it has the
> latest uprobe_write_opcode rewrite changes.
>
> kernel/events/uprobes.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index 4c965ba77f9f..84ee7b590861 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -581,8 +581,8 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma,
>
> out:
> /* Revert back reference counter if instruction update failed. */
> - if (ret < 0 && is_register && ref_ctr_updated)
> - update_ref_ctr(uprobe, mm, -1);
> + if (ret < 0 && ref_ctr_updated)
> + update_ref_ctr(uprobe, mm, is_register ? -1 : 1);
Hm, but my patch essentially did here
/* Revert back reference counter if instruction update failed. */
- if (ret && is_register && ref_ctr_updated)
+ if (ret < 0 && is_register && ref_ctr_updated)
update_ref_ctr(uprobe, mm, -1);
So how come this wasn't a problem before?
--
Cheers,
David / dhildenb
Powered by blists - more mailing lists