Message-ID: <20251105142319.1139183-1-pmladek@suse.com>
Date: Wed,  5 Nov 2025 15:23:12 +0100
From: Petr Mladek <pmladek@...e.com>
To: Petr Pavlu <petr.pavlu@...e.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Alexei Starovoitov <ast@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Kees Cook <kees@...nel.org>
Cc: Daniel Borkmann <daniel@...earbox.net>,
	John Fastabend <john.fastabend@...il.com>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Mark Rutland <mark.rutland@....com>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Daniel Gomez <da.gomez@...nel.org>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	linux-kernel@...r.kernel.org,
	bpf@...r.kernel.org,
	linux-modules@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	Petr Mladek <pmladek@...e.com>
Subject: [PATCH 0/6] kallsyms: Prevent invalid access when showing module buildid

We have seen nested crashes in __sprint_symbol(), see below. They seem
to be caused by an invalid pointer to "buildid".

I made an audit of __sprint_symbol() and found several situations
where the buildid might be wrong:

  + bpf_address_lookup() does not set @modbuildid

  + ftrace_mod_address_lookup() does not set @modbuildid

  + __sprint_symbol() does not take rcu_read_lock and
    the related struct module might get removed before
    mod->build_id is printed.

This patchset solves these problems:

  + 1st, 2nd patches are preparatory
  + 3rd, 4th, 6th patches fix the above problems
  + 5th patch cleans up a suspicious initialization code.

This is the backtrace we have seen. But it is not really important.
The problems fixed by the patchset are obvious:

  crash64> bt [62/2029]
  PID: 136151 TASK: ffff9f6c981d4000 CPU: 367 COMMAND: "btrfs"
  #0 [ffffbdb687635c28] machine_kexec at ffffffffb4c845b3
  #1 [ffffbdb687635c80] __crash_kexec at ffffffffb4d86a6a
  #2 [ffffbdb687635d08] hex_string at ffffffffb51b3b61
  #3 [ffffbdb687635d40] crash_kexec at ffffffffb4d87964
  #4 [ffffbdb687635d50] oops_end at ffffffffb4c41fc8
  #5 [ffffbdb687635d70] do_trap at ffffffffb4c3e49a
  #6 [ffffbdb687635db8] do_error_trap at ffffffffb4c3e6a4
  #7 [ffffbdb687635df8] exc_stack_segment at ffffffffb5666b33
  #8 [ffffbdb687635e20] asm_exc_stack_segment at ffffffffb5800cf9
  #9 [ffffbdb687635ea8] hex_string at ffffffffb51b3b61
  #10 [ffffbdb687635ef8] vsnprintf at ffffffffb51b7291
  #11 [ffffbdb687635f50] sprintf at ffffffffb51b7541
  #12 [ffffbdb687635fb8] __sprint_symbol at ffffffffb4d849d6
  #13 [ffffbdb687636018] symbol_string at ffffffffb51b4588
  #14 [ffffbdb687636168] vsnprintf at ffffffffb51b7291
  #15 [ffffbdb6876361c0] vscnprintf at ffffffffb51b73b9
  #16 [ffffbdb6876361d0] printk_sprint at ffffffffb4d2ae82
  #17 [ffffbdb6876361f8] vprintk_store at ffffffffb4d2d06d
  #18 [ffffbdb6876362c8] vprintk_emit at ffffffffb4d2d1bf
  #19 [ffffbdb687636308] printk at ffffffffb565e5ce
  #20 [ffffbdb687636370] show_trace_log_lvl at ffffffffb4c42374
  #21 [ffffbdb687636478] __die_body at ffffffffb4c426ca
  #22 [ffffbdb687636498] die at ffffffffb4c42778
  #23 [ffffbdb6876364c0] do_trap at ffffffffb4c3e49a
  #24 [ffffbdb687636508] do_error_trap at ffffffffb4c3e6a4
  #25 [ffffbdb687636548] exc_stack_segment at ffffffffb5666b33
  #26 [ffffbdb687636570] asm_exc_stack_segment at ffffffffb5800cf9
  #27 [ffffbdb6876365f8] hex_string at ffffffffb51b3b61
  #28 [ffffbdb687636648] vsnprintf at ffffffffb51b7291
  #29 [ffffbdb6876366a0] sprintf at ffffffffb51b7541
  #30 [ffffbdb687636708] __sprint_symbol at ffffffffb4d849d6
  #31 [ffffbdb687636768] symbol_string at ffffffffb51b4588
  #32 [ffffbdb6876368b8] vsnprintf at ffffffffb51b7291
  #33 [ffffbdb687636910] vscnprintf at ffffffffb51b73b9
  #34 [ffffbdb687636920] printk_sprint at ffffffffb4d2ae82
  #35 [ffffbdb687636948] vprintk_store at ffffffffb4d2d06d
  #36 [ffffbdb687636a18] vprintk_emit at ffffffffb4d2d1bf
  #37 [ffffbdb687636a58] printk at ffffffffb565e5ce
  #38 [ffffbdb687636ac0] show_trace_log_lvl at ffffffffb4c42374
  #39 [ffffbdb687636bc8] __die_body at ffffffffb4c426ca
  #40 [ffffbdb687636be8] die at ffffffffb4c42778
  #41 [ffffbdb687636c10] do_trap at ffffffffb4c3e49a
  #42 [ffffbdb687636c58] do_error_trap at ffffffffb4c3e6a4
  #43 [ffffbdb687636c98] exc_stack_segment at ffffffffb5666b33
  #44 [ffffbdb687636cc0] asm_exc_stack_segment at ffffffffb5800cf9
  #45 [ffffbdb687636d48] hex_string at ffffffffb51b3b61
  #46 [ffffbdb687636d98] vsnprintf at ffffffffb51b7291
  #47 [ffffbdb687636df0] sprintf at ffffffffb51b7541
  #48 [ffffbdb687636e58] __sprint_symbol at ffffffffb4d849d6
  #49 [ffffbdb687636eb8] symbol_string at ffffffffb51b4588
  #50 [ffffbdb687637008] vsnprintf at ffffffffb51b7291
  #51 [ffffbdb687637060] vscnprintf at ffffffffb51b73b9
  #52 [ffffbdb687637070] printk_sprint at ffffffffb4d2ae82
  #53 [ffffbdb687637098] vprintk_store at ffffffffb4d2d06d
  #54 [ffffbdb687637168] vprintk_emit at ffffffffb4d2d1bf
  #55 [ffffbdb6876371a8] printk at ffffffffb565e5ce
  #56 [ffffbdb687637210] show_trace_log_lvl at ffffffffb4c42374
  #57 [ffffbdb687637318] __die_body at ffffffffb4c426ca
  #58 [ffffbdb687637338] die at ffffffffb4c42778
  #59 [ffffbdb687637360] do_trap at ffffffffb4c3e49a
  #60 [ffffbdb6876373a8] do_error_trap at ffffffffb4c3e6a4
  #61 [ffffbdb6876373e8] exc_stack_segment at ffffffffb5666b33
  #62 [ffffbdb687637410] asm_exc_stack_segment at ffffffffb5800cf9
  #63 [ffffbdb687637498] hex_string at ffffffffb51b3b61
  #64 [ffffbdb6876374e8] vsnprintf at ffffffffb51b7291
  #65 [ffffbdb687637540] sprintf at ffffffffb51b7541
  #66 [ffffbdb6876375a8] __sprint_symbol at ffffffffb4d849d6
  #67 [ffffbdb687637608] symbol_string at ffffffffb51b4588
  #68 [ffffbdb687637758] vsnprintf at ffffffffb51b7291
  #69 [ffffbdb6876377b0] vscnprintf at ffffffffb51b73b9
  #70 [ffffbdb6876377c0] printk_sprint at ffffffffb4d2ae82
  #71 [ffffbdb6876377e8] vprintk_store at ffffffffb4d2d06d
  #72 [ffffbdb6876378b8] vprintk_emit at ffffffffb4d2d1bf
  #73 [ffffbdb6876378f8] printk at ffffffffb565e5ce
  #74 [ffffbdb687637960] show_trace_log_lvl at ffffffffb4c42374
  #75 [ffffbdb687637a68] __warn at ffffffffb4cb0d4d
  #76 [ffffbdb687637aa0] report_bug at ffffffffb51a73fb
  #77 [ffffbdb687637ad8] handle_bug at ffffffffb5666817
  #78 [ffffbdb687637ae8] exc_invalid_op at ffffffffb56669d3
  #79 [ffffbdb687637b00] asm_exc_invalid_op at ffffffffb5800e0d
  [exception RIP: btrfs_ioctl_send+0x26e]
  RIP: ffffffffc06070ce RSP: ffffbdb687637bb8 RFLAGS: 00010282
  RAX: ffff9f6e50160380 RBX: ffff9f8eda64f200 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R8: 000000000000000a R9: ffff9f6c9e1c5b20
  R10: 0000000000000075 R11: 0000000000000004 R12: ffff9f6d43a24000
  R13: 0000000000000001 R14: 0000000000000000 R15: ffff9a2d65644d30
  ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
  #80 [ffffbdb687637c78] _btrfs_ioctl_send at ffffffffc05c31d4 [btrfs]
  #81 [ffffbdb687637ce8] btrfs_ioctl at ffffffffc05c80c4 [btrfs]
  #82 [ffffbdb687637df8] __x64_sys_ioctl at ffffffffb4f776df
  #83 [ffffbdb687637e38] do_syscall_64 at ffffffffb56663f8
  RIP: 00007fbd339164a7 RSP: 00007ffde6a19888 RFLAGS: 00000246
  RAX: ffffffffffffffda RBX: 0000000000000fe2 RCX: 00007fbd339164a7
  RDX: 00007ffde6a19980 RSI: 0000000040489426 RDI: 0000000000000022
  RBP: 00007ffde6a1ab80 R8: 00007ffde6a19980 R9: 00007fbd33808700
  R10: 00007fbd338089d0 R11: 0000000000000246 R12: 0000000000000022
  R13: 0000000000000001 R14: 0000000000000001 R15: 00005585428002b0
  ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b

Petr Mladek (6):
  module: Add helper function for reading module_buildid()
  kallsyms: Cleanup code for appending the module buildid
  kallsyms/bpf: Set module buildid in bpf_address_lookup()
  kallsyms/ftrace: Set module buildid in ftrace_mod_address_lookup()
  kallsyms: Clean up @namebuf initialization in
    kallsyms_lookup_buildid()
  kallsyms: Prevent module removal when printing module name and buildid

 include/linux/filter.h   | 15 +++++++---
 include/linux/ftrace.h   |  6 ++--
 include/linux/module.h   |  9 ++++++
 kernel/kallsyms.c        | 60 ++++++++++++++++++++++++++++++----------
 kernel/module/kallsyms.c |  9 ++----
 kernel/trace/ftrace.c    |  5 +++-
 6 files changed, 76 insertions(+), 28 deletions(-)

-- 
2.51.1
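Added example (my own user-space model, not Petr's patch and not kernel code) of the first two problems the cover letter lists: a lookup backend that succeeds without writing the @modbuildid out-parameter, so the caller formats whatever that stack slot held. The address ranges, the "btrfs"/"bpf" backends, the 4-byte build ID and the STALE_BUILDID sentinel (standing in for uninitialized stack contents so the bug is observable instead of a fault) are all constructed for illustration. The third problem, the module being unloaded under __sprint_symbol() without rcu_read_lock, is a lifetime issue and is not modelled here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the kallsyms lookup chain: the caller passes
 * out-parameters for module name and build ID to each backend in turn.
 * A backend that returns a symbol without writing @modbuildid leaves
 * the caller with the previous stack contents (STALE_BUILDID here). */

#define BUILD_ID_SIZE 20
#define MAX_SYMBUF    128

struct module {                     /* constructed stand-in for struct module */
    const char *name;
    unsigned char build_id[BUILD_ID_SIZE];
};

static const struct module mod_btrfs = {
    .name = "btrfs",
    .build_id = { 0xde, 0xad, 0xbe, 0xef },   /* constructed sample ID */
};

static const unsigned char stale_marker[1];   /* models an uninitialized slot */
#define STALE_BUILDID (stale_marker)

/* Backend A: module symbols; writes both out-parameters on success. */
static const char *module_lookup(unsigned long addr, const char **modname,
                                 const unsigned char **modbuildid)
{
    if (addr >= 0xc0000000UL && addr < 0xc0100000UL) {
        *modname = mod_btrfs.name;
        *modbuildid = mod_btrfs.build_id;
        return "btrfs_ioctl_send";
    }
    return NULL;
}

/* Backend B, buggy: JIT-style lookup that never touches @modbuildid. */
static const char *jit_lookup_buggy(unsigned long addr, const char **modname,
                                    const unsigned char **modbuildid)
{
    (void)modbuildid;
    if (addr >= 0xd0000000UL && addr < 0xd0100000UL) {
        *modname = "bpf";
        return "bpf_prog_1234";
    }
    return NULL;
}

/* Backend B, fixed: every success path writes every out-parameter. */
static const char *jit_lookup_fixed(unsigned long addr, const char **modname,
                                    const unsigned char **modbuildid)
{
    if (addr >= 0xd0000000UL && addr < 0xd0100000UL) {
        *modname = "bpf";
        *modbuildid = NULL;             /* JIT code carries no module build ID */
        return "bpf_prog_1234";
    }
    return NULL;
}

/* Model of __sprint_symbol(). Returns 1 if a build ID was appended, 0 if
 * the symbol has none, -1 if the stale pointer would have been read. */
static int format_symbol(unsigned long addr, int use_fixed_backend,
                         char *buf, size_t len)
{
    const char *modname = NULL;
    const unsigned char *modbuildid = STALE_BUILDID;   /* "what the stack held" */
    const char *sym;

    sym = module_lookup(addr, &modname, &modbuildid);
    if (!sym)
        sym = use_fixed_backend
            ? jit_lookup_fixed(addr, &modname, &modbuildid)
            : jit_lookup_buggy(addr, &modname, &modbuildid);
    if (!sym) {
        snprintf(buf, len, "0x%lx", addr);
        return 0;
    }
    if (modbuildid == STALE_BUILDID) {       /* the crash path in the report */
        snprintf(buf, len, "%s [%s <stale buildid>]", sym, modname);
        return -1;
    }
    if (!modbuildid) {
        snprintf(buf, len, "%s [%s]", sym, modname);
        return 0;
    }
    snprintf(buf, len, "%s [%s %02x%02x%02x%02x]", sym, modname,
             modbuildid[0], modbuildid[1], modbuildid[2], modbuildid[3]);
    return 1;
}

/* Wrappers returning only the status or only the formatted string. */
static int symbol_rc(unsigned long addr, int use_fixed_backend)
{
    char buf[MAX_SYMBUF];
    return format_symbol(addr, use_fixed_backend, buf, sizeof buf);
}

static const char *symbol_str(unsigned long addr, int use_fixed_backend)
{
    static char buf[MAX_SYMBUF];
    format_symbol(addr, use_fixed_backend, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("%d %s\n", symbol_rc(0xc0000100UL, 1), symbol_str(0xc0000100UL, 1));
    printf("%d %s\n", symbol_rc(0xd0000100UL, 0), symbol_str(0xd0000100UL, 0));
    printf("%d %s\n", symbol_rc(0xd0000100UL, 1), symbol_str(0xd0000100UL, 1));
    return 0;
}
```

The point the model makes is the one the patchset acts on: an out-parameter contract is only safe when every backend that reports success writes every output, or the caller initializes the outputs before dispatch and checks them before dereferencing. In the kernel the stale value is not a sentinel but arbitrary stack contents, which is why the real failure shows up as a fault inside hex_string() while printing the ID.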

