| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8323f942-52e1-44b4-b599-e275f1c66ede@redhat.com> Date: Tue, 13 May 2025 15:17:46 +0200 From: David Hildenbrand <david@...hat.com> To: Jiri Olsa <jolsa@...nel.org>, Masami Hiramatsu <mhiramat@...nel.org>, Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Andrii Nakryiko <andrii@...nel.org> Cc: linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org Subject: Re: [PATCH mm-stable] uprobes: Revert ref_ctr_offset in uprobe_unregister error path On 13.05.25 15:16, David Hildenbrand wrote: > On 13.05.25 14:21, Jiri Olsa wrote: >> From: Jiri Olsa <olsajiri@...il.com> >> > > Thanks for debugging. > >> There's error path that could lead to inactive uprobe: >> >> 1) uprobe_register succeeds - updates instruction to int3 and >> changes ref_ctr from 0 to 1 >> 2) uprobe_unregister fails - int3 stays in place, but ref_ctr >> is changed to 0 (it's not restored to 1 in the fail path) >> uprobe is leaked >> 3) another uprobe_register comes and re-uses the leaked uprobe >> and succeds - but int3 is already in place, so ref_ctr update >> is skipped and it stays 0 - uprobe CAN NOT be triggered now >> 4) uprobe_unregister fails because ref_ctr value is unexpected >> >> Fixing this by reverting the updated ref_ctr value back to 1 in step 2), >> which is the case when uprobe_unregister fails (int3 stays in place), >> but we have already updated refctr. >> >> The new scenario will go as follows: >> >> 1) uprobe_register succeeds - updates instruction to int3 and >> changes ref_ctr from 0 to 1 >> 2) uprobe_unregister fails - int3 stays in place and ref_ctr >> is reverted to 1.. uprobe is leaked >> 3) another uprobe_register comes and re-uses the leaked uprobe >> and succeds - but int3 is already in place, so ref_ctr update >> is skipped and it stays 1 - uprobe CAN be triggered now >> 4) uprobe_unregister succeeds >> >> Suggested-by: Oleg Nesterov <oleg@...hat.com> > > If it's in mm-stable, we should have > > Fixes: ... > > here > >> Signed-off-by: Jiri Olsa <jolsa@...nel.org> >> --- >> Please note it's based on mm-stable branch, because it has the >> latest uprobe_write_opcode rewrite changes. >> >> kernel/events/uprobes.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c >> index 4c965ba77f9f..84ee7b590861 100644 >> --- a/kernel/events/uprobes.c >> +++ b/kernel/events/uprobes.c >> @@ -581,8 +581,8 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma, >> >> out: >> /* Revert back reference counter if instruction update failed. */ >> - if (ret < 0 && is_register && ref_ctr_updated) >> - update_ref_ctr(uprobe, mm, -1); >> + if (ret < 0 && ref_ctr_updated) >> + update_ref_ctr(uprobe, mm, is_register ? -1 : 1); > > > Hm, but my patch essentially did here > > /* Revert back reference counter if instruction update failed. */ > - if (ret && is_register && ref_ctr_updated) > + if (ret < 0 && is_register && ref_ctr_updated) > update_ref_ctr(uprobe, mm, -1); > > So how come this wasn't a problem before? Oh, or was this a problem before? Then we should find the corresponding commit that needs fixing. -- Cheers, David / dhildenb
Powered by blists - more mailing lists