| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aCNNpJaTGmchbS1s@krava> Date: Tue, 13 May 2025 15:48:20 +0200 From: Jiri Olsa <olsajiri@...il.com> To: David Hildenbrand <david@...hat.com> Cc: Masami Hiramatsu <mhiramat@...nel.org>, Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Andrii Nakryiko <andrii@...nel.org>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org Subject: Re: [PATCH mm-stable] uprobes: Revert ref_ctr_offset in uprobe_unregister error path On Tue, May 13, 2025 at 03:17:46PM +0200, David Hildenbrand wrote: > On 13.05.25 15:16, David Hildenbrand wrote: > > On 13.05.25 14:21, Jiri Olsa wrote: > > > From: Jiri Olsa <olsajiri@...il.com> > > > > > > > Thanks for debugging. > > > > > There's error path that could lead to inactive uprobe: > > > > > > 1) uprobe_register succeeds - updates instruction to int3 and > > > changes ref_ctr from 0 to 1 > > > 2) uprobe_unregister fails - int3 stays in place, but ref_ctr > > > is changed to 0 (it's not restored to 1 in the fail path) > > > uprobe is leaked > > > 3) another uprobe_register comes and re-uses the leaked uprobe > > > and succeds - but int3 is already in place, so ref_ctr update > > > is skipped and it stays 0 - uprobe CAN NOT be triggered now > > > 4) uprobe_unregister fails because ref_ctr value is unexpected > > > > > > Fixing this by reverting the updated ref_ctr value back to 1 in step 2), > > > which is the case when uprobe_unregister fails (int3 stays in place), > > > but we have already updated refctr. > > > > > > The new scenario will go as follows: > > > > > > 1) uprobe_register succeeds - updates instruction to int3 and > > > changes ref_ctr from 0 to 1 > > > 2) uprobe_unregister fails - int3 stays in place and ref_ctr > > > is reverted to 1.. uprobe is leaked > > > 3) another uprobe_register comes and re-uses the leaked uprobe > > > and succeds - but int3 is already in place, so ref_ctr update > > > is skipped and it stays 1 - uprobe CAN be triggered now > > > 4) uprobe_unregister succeeds > > > > > > Suggested-by: Oleg Nesterov <oleg@...hat.com> > > > > If it's in mm-stable, we should have > > > > Fixes: ... ok > > > > here > > > > > Signed-off-by: Jiri Olsa <jolsa@...nel.org> > > > --- > > > Please note it's based on mm-stable branch, because it has the > > > latest uprobe_write_opcode rewrite changes. > > > > > > kernel/events/uprobes.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > > > index 4c965ba77f9f..84ee7b590861 100644 > > > --- a/kernel/events/uprobes.c > > > +++ b/kernel/events/uprobes.c > > > @@ -581,8 +581,8 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct vm_area_struct *vma, > > > out: > > > /* Revert back reference counter if instruction update failed. */ > > > - if (ret < 0 && is_register && ref_ctr_updated) > > > - update_ref_ctr(uprobe, mm, -1); > > > + if (ret < 0 && ref_ctr_updated) > > > + update_ref_ctr(uprobe, mm, is_register ? -1 : 1); > > > > > > Hm, but my patch essentially did here > > > > /* Revert back reference counter if instruction update failed. */ > > - if (ret && is_register && ref_ctr_updated) > > + if (ret < 0 && is_register && ref_ctr_updated) > > update_ref_ctr(uprobe, mm, -1); > > > > So how come this wasn't a problem before? > > Oh, or was this a problem before? Then we should find the corresponding > commit that needs fixing. yes, I think it was a problem before, introduced early on by: 1cc33161a83d uprobes: Support SDT markers having reference count (semaphore) it seems the scenario described in changelog will hit the same issue even without your patch, I'll re-run the test to be sure thanks, jirka
Powered by blists - more mailing lists