lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250523135452.626d8dcd@gandalf.local.home>
Date: Fri, 23 May 2025 13:54:52 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Ye Bin <yebin@...weicloud.com>
Cc: mhiramat@...nel.org, mathieu.desnoyers@...icios.com,
 mark.rutland@....com, linux-trace-kernel@...r.kernel.org,
 linux-kernel@...r.kernel.org, yebin10@...wei.com
Subject: Re: [PATCH 1/2] ftrace: fix UAF when lookup kallsym after ftrace
 disabled

On Fri, 23 May 2025 16:39:44 +0800
Ye Bin <yebin@...weicloud.com> wrote:

> Above issue may happens as follow:
> (1) Add kprobe trace point;
> (2) insmod test.ko;
> (3) Trigger ftrace disabled;

This is the bug. How was ftrace_disabled triggered? That should never
happen. Was test.ko buggy?

> (4) rmmod test.ko;
> (5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;
> ftrace_mod_get_kallsym()
> ...
> strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
> ...
> 
> As ftrace_release_mod() judge 'ftrace_disabled' is true will return, and
> 'mod_map' will remaining in ftrace_mod_maps. 'mod_map' has no chance to
> release. Therefore, this also causes residual resources to accumulate.
> To solve above issue, unconditionally clean up'mod_map'.
> 
> Fixes: aba4b5c22cba ("ftrace: Save module init functions kallsyms symbols for tracing")

This is *not* a fix. ftrace_disabled gets set when a bug is triggered. If
this prevents ftrace_disabled from getting set, then it would be a fix. But
if something else happens when ftrace_disabled is set, it just fixes a
symptom and not the bug itself.


> Signed-off-by: Ye Bin <yebin10@...wei.com>
> ---
>  kernel/trace/ftrace.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index a3d4dfad0cbc..ff5d9d73a4a7 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -7438,9 +7438,6 @@ void ftrace_release_mod(struct module *mod)
>  
>  	mutex_lock(&ftrace_lock);
>  
> -	if (ftrace_disabled)
> -		goto out_unlock;
> -

Here you delete the check, and the next patch you have:

+	if (ftrace_disabled || (mod && !mod->num_ftrace_callsites)) {
+		mutex_unlock(&ftrace_lock);
+		return;
+	}
+

Why the two patches where the second patch just adds back the check and
then adds some more stuff around it. This should be a single patch.

Also, why not just keep the goto unlock, that has:

 out_unlock:
	mutex_unlock(&ftrace_lock);

	/* Need to synchronize with ftrace_location_range() */
	if (tmp_page)
		synchronize_rcu();
	for (pg = tmp_page; pg; pg = tmp_page) {

		/* Needs to be called outside of ftrace_lock */
		clear_mod_from_hashes(pg);

		if (pg->records) {
			free_pages((unsigned long)pg->records, pg->order);
			ftrace_number_of_pages -= 1 << pg->order;
		}
		tmp_page = pg->next;
		kfree(pg);
		ftrace_number_of_groups--;
	}
}

And tmp_page is set to NULL before that jump, so the if and for loop will
both be nops.

Why all this extra churn?

-- Steve


>  	list_for_each_entry_safe(mod_map, n, &ftrace_mod_maps, list) {
>  		if (mod_map->mod == mod) {
>  			list_del_rcu(&mod_map->list);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ