Date: Wed, 20 Jul 2022 11:40:10 -0400
From: Steven Rostedt
To: Alexey Dobriyan
Cc: mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: ftrace_kill() leads to kmalloc-512 UAF
Message-ID: <20220720114010.20d3e0dd@gandalf.local.home>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 20 Jul 2022 18:22:25 +0300
Alexey Dobriyan wrote:

> Basically, if ftrace_kill() is ever called there is a ticking UAF bomb.

That's because ftrace_kill() means something horribly went wrong, and because ftrace modifies the kernel text, it shuts everything down and this needs to be fixed. The fix is not to have something handle ftrace_kill(), it's to fix the situation so that ftrace_kill() is not called.

Hmm, perhaps we should add an option to make ftrace_kill() call BUG().

I'll go back and take a look at your analysis.

Thanks,

-- Steve