In __static_call_init(), any one of the kzalloc fails will cause
wild-memory-access when traverse the site and subsequent sites in
static_call_del_module().
Changes in v2:
- Add a new patch which fix a a similar problem.
- Update the commit message and simplify error stack for the first.
Jinjie Ruan (2):
static_call: Fix a wild-memory-access bug in static_call_del_module()
static_call: Fix a wild-memory-access bug when
static_call_key_sites(key) is true
kernel/static_call_inline.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--
2.34.1
Inject fault while probing btrfs.ko, if the first kzalloc() fails
in __static_call_init(), key->mods will all no be initialized in this
site and subsequent sites. And then in static_call_del_module() the
site_mod->mod will cause wild-memory-access as below.
To fix the issue, assign key->mods to NULL in __static_call_init() if it
fails. On the other hand, if kzalloc fails, it will just return in init
func. Even if static_call_key_sites(key) = true, the exit func will match
the mod before the site_mod->next = NULL node is traversed. So just
break if it the key->mods is NULL in exit func to avoid
wild-memory-access in the subsequent site traversal.
general protection fault, probably for non-canonical address 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x5c002ace44fca500-0x5c002ace44fca507]
CPU: 2 PID: 1843 Comm: modprobe Tainted: G W N 6.6.0-rc1+ #60
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:static_call_del_module+0x113/0x280
Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
FS: 00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<TASK>
? __die_body+0x1b/0x60
? die_addr+0x43/0x70
? exc_general_protection+0x121/0x210
? asm_exc_general_protection+0x22/0x30
? static_call_del_module+0x113/0x280
? __SCT__tp_func_ipi_exit+0x8/0x8
static_call_module_notify+0x27f/0x390
? rcu_segcblist_inc_len+0x17/0x20
notifier_call_chain+0xbf/0x280
notifier_call_chain_robust+0x7f/0xe0
? notifier_call_chain+0x280/0x280
? kasan_quarantine_put+0x46/0x160
blocking_notifier_call_chain_robust+0x5b/0x80
load_module+0x4d1d/0x69f0
? module_frob_arch_sections+0x20/0x20
? update_cfs_group+0x10c/0x2a0
? __wake_up_common+0x10b/0x5d0
? kernel_read_file+0x3ca/0x510
? __x64_sys_fsconfig+0x650/0x650
? __schedule+0xa0b/0x2a60
? init_module_from_file+0xd2/0x130
init_module_from_file+0xd2/0x130
? __ia32_sys_init_module+0xa0/0xa0
? _raw_spin_lock_irqsave+0xe0/0xe0
? ptrace_stop+0x487/0x790
idempotent_init_module+0x32d/0x6a0
? init_module_from_file+0x130/0x130
? __fget_light+0x57/0x500
__x64_sys_finit_module+0xbb/0x130
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Signed-off-by: Jinjie Ruan <[email protected]>
---
v2:
- Update the fix tag.
- Remove the redundant error information.
- Update the commit message description.
---
kernel/static_call_inline.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 639397b5491c..e7aa70d33530 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
}
site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
- if (!site_mod)
+ if (!site_mod) {
+ key->mods = NULL;
return -ENOMEM;
+ }
/*
* When the key has a direct sites pointer, extract
@@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
;
if (!site_mod)
- continue;
+ break;
*prev = site_mod->next;
kfree(site_mod);
--
2.34.1
Inject fault while probing btrfs.ko, when static_call_key_sites(key) is
true, if the first kzalloc() succeeds but the second kzalloc() fails in
__static_call_init() in the for loop, the key->mods will not be
initialized in the subsequent sites. And then in static_call_del_module()
the site_mod->mod will cause wild-memory-access as below.
So assign key->mods to NULL in __static_call_init() if it fails and break
if key->mods is NULL in exit func to fix the issue.
Free the just allocated site_mod in key->mods because site_mod->mod
will be NULL without a site_mod->mod = mod head node, so it will not be
found in static_call_del_module().
general protection fault, probably for non-canonical address 0xfec001628a9f8a82: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xf6002b1454fc5410-0xf6002b1454fc5417]
CPU: 2 PID: 1812 Comm: modprobe Tainted: G W N 6.6.0-rc1+ #96
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:static_call_del_module+0x11a/0x2a0
Code: 00 00 49 8b 6e 08 48 85 ed 75 14 e9 8c 00 00 00 48 85 db 0f 84 83 00 00 00 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 87 00 00 00 48 89 e8 4c 8b 6d 08 48 c1 e8 03
RSP: 0018:ffff888101e97860 EFLAGS: 00010a06
RAX: 1ec005628a9f8a82 RBX: f6002b1454fc540b RCX: ffffffffa05b1880
RDX: ffffffffa05acd84 RSI: 0000000000000000 RDI: f6002b1454fc5413
RBP: f6002b1454fc540b R08: ffffffffa05adb3c R09: ffffed10203d2eda
R10: ffffed10203d2ed9 R11: ffff888101e976cf R12: dffffc0000000000
R13: 68002b144cfe8871 R14: ffffffff851958a0 R15: ffffffff84ee4449
FS: 00007f20cb75f540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe945e1bb8 CR3: 000000010c3d6003 CR4: 0000000000170ee0
DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<TASK>
? __die_body+0x1b/0x60
? die_addr+0x43/0x70
? exc_general_protection+0x121/0x210
? asm_exc_general_protection+0x22/0x30
? static_call_del_module+0x11a/0x2a0
? __SCT__cond_resched+0x8/0x8
static_call_module_notify+0x2a6/0x3c0
notifier_call_chain+0xbf/0x280
? stack_trace_save+0x91/0xc0
notifier_call_chain_robust+0x7f/0xe0
? notifier_call_chain+0x280/0x280
? alloc_covered_add+0x30/0x60
blocking_notifier_call_chain_robust+0x5b/0x80
load_module+0x4d1d/0x69f0
? module_frob_arch_sections+0x20/0x20
? uprobe_apply+0x100/0x100
? rwsem_down_write_slowpath+0x11c0/0x11c0
? kernel_read_file+0x3ca/0x510
? __x64_sys_fsconfig+0x650/0x650
? init_module_from_file+0xd2/0x130
init_module_from_file+0xd2/0x130
? __ia32_sys_init_module+0xa0/0xa0
? userfaultfd_unmap_prep+0x3d0/0x3d0
? _raw_spin_lock_irqsave+0xe0/0xe0
idempotent_init_module+0x32d/0x6a0
? init_module_from_file+0x130/0x130
? __fget_light+0x57/0x500
__x64_sys_finit_module+0xbb/0x130
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: a945c8345ec0 ("static_call: Allow early init")
Signed-off-by: Jinjie Ruan <[email protected]>
---
kernel/static_call_inline.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index e7aa70d33530..a8ade6208237 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -274,8 +274,11 @@ static int __static_call_init(struct module *mod,
key->mods = site_mod;
site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
- if (!site_mod)
+ if (!site_mod) {
+ kfree(key->mods);
+ key->mods = NULL;
return -ENOMEM;
+ }
}
site_mod->mod = mod;
--
2.34.1
Ping.
On 2023/9/15 20:36, Jinjie Ruan wrote:
> In __static_call_init(), any one of the kzalloc fails will cause
> wild-memory-access when traverse the site and subsequent sites in
> static_call_del_module().
>
> Changes in v2:
> - Add a new patch which fix a a similar problem.
> - Update the commit message and simplify error stack for the first.
>
> Jinjie Ruan (2):
> static_call: Fix a wild-memory-access bug in static_call_del_module()
> static_call: Fix a wild-memory-access bug when
> static_call_key_sites(key) is true
>
> kernel/static_call_inline.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>