lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aCNNpJaTGmchbS1s@krava>
Date: Tue, 13 May 2025 15:48:20 +0200
From: Jiri Olsa <olsajiri@...il.com>
To: David Hildenbrand <david@...hat.com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>, Oleg Nesterov <oleg@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Andrii Nakryiko <andrii@...nel.org>, linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH mm-stable] uprobes: Revert ref_ctr_offset in
 uprobe_unregister error path

On Tue, May 13, 2025 at 03:17:46PM +0200, David Hildenbrand wrote:
> On 13.05.25 15:16, David Hildenbrand wrote:
> > On 13.05.25 14:21, Jiri Olsa wrote:
> > > From: Jiri Olsa <olsajiri@...il.com>
> > > 
> > 
> > Thanks for debugging.
> > 
> > > There's error path that could lead to inactive uprobe:
> > > 
> > >     1) uprobe_register succeeds - updates instruction to int3 and
> > >        changes ref_ctr from 0 to 1
> > >     2) uprobe_unregister fails  - int3 stays in place, but ref_ctr
> > >        is changed to 0 (it's not restored to 1 in the fail path)
> > >        uprobe is leaked
> > >     3) another uprobe_register comes and re-uses the leaked uprobe
> > >        and succeds - but int3 is already in place, so ref_ctr update
> > >        is skipped and it stays 0 - uprobe CAN NOT be triggered now
> > >     4) uprobe_unregister fails because ref_ctr value is unexpected
> > > 
> > > Fixing this by reverting the updated ref_ctr value back to 1 in step 2),
> > > which is the case when uprobe_unregister fails (int3 stays in place),
> > > but we have already updated refctr.
> > > 
> > > The new scenario will go as follows:
> > > 
> > >     1) uprobe_register succeeds - updates instruction to int3 and
> > >        changes ref_ctr from 0 to 1
> > >     2) uprobe_unregister fails  - int3 stays in place and ref_ctr
> > >        is reverted to 1..  uprobe is leaked
> > >     3) another uprobe_register comes and re-uses the leaked uprobe
> > >        and succeds - but int3 is already in place, so ref_ctr update
> > >        is skipped and it stays 1 - uprobe CAN be triggered now
> > >     4) uprobe_unregister succeeds
> > > 
> > > Suggested-by: Oleg Nesterov <oleg@...hat.com>
> > 
> > If it's in mm-stable, we should have
> > 
> > Fixes: ...

ok

> > 
> > here
> > 
> > > Signed-off-by: Jiri Olsa <jolsa@...nel.org>
> > > ---
> > > Please note it's based on mm-stable branch, because it has the
> > > latest uprobe_write_opcode rewrite changes.
> > > 
> > >    kernel/events/uprobes.c | 4 ++--
> > >    1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> > > index 4c965ba77f9f..84ee7b590861 100644
> > > --- a/kernel/events/uprobes.c
> > > +++ b/kernel/events/uprobes.c
> > > @@ -581,8 +581,8 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma,
> > >    out:
> > >    	/* Revert back reference counter if instruction update failed. */
> > > -	if (ret < 0 && is_register && ref_ctr_updated)
> > > -		update_ref_ctr(uprobe, mm, -1);
> > > +	if (ret < 0 && ref_ctr_updated)
> > > +		update_ref_ctr(uprobe, mm, is_register ? -1 : 1);
> > 
> > 
> > Hm, but my patch essentially did here
> > 
> >           /* Revert back reference counter if instruction update failed. */
> > -       if (ret && is_register && ref_ctr_updated)
> > +       if (ret < 0 && is_register && ref_ctr_updated)
> >                   update_ref_ctr(uprobe, mm, -1);
> > 
> > So how come this wasn't a problem before?
> 
> Oh, or was this a problem before? Then we should find the corresponding
> commit that needs fixing.

yes, I think it was a problem before, introduced early on by:
  1cc33161a83d uprobes: Support SDT markers having reference count (semaphore)

it seems the scenario described in changelog will hit the same issue even
without your patch, I'll re-run the test to be sure

thanks,
jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ