Date: Wed, 20 Jul 2022 19:46:02 +0300
From: Alexey Dobriyan
To: Steven Rostedt
Cc: mingo@redhat.com, linux-kernel@vger.kernel.org, Josh Poimboeuf, Jiri Kosina, Miroslav Benes, Petr Mladek, live-patching@vger.kernel.org
Subject: Re: ftrace_kill() leads to kmalloc-512 UAF
In-Reply-To: <20220720121102.6cac8f1d@gandalf.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 20, 2022 at 12:11:02PM -0400, Steven Rostedt wrote:
>
> [ Adding live kernel patching folks ]
>
> On Wed, 20 Jul 2022 18:22:25 +0300
> Alexey Dobriyan wrote:
>
> > I'm debugging a crash of our product which does live kernel patching together
> > with an ISV security scanner which uses ftrace kprobes to do whatever it does.
> >
> > What happens is that if ftrace ever detects a .text change, refuses to patch
> > and prints a warning with FTRACE_WARN_ON_ONCE(), then there is a reliable way
> > to cause a UAF on the kmalloc-512 cache by trying to register a kprobe with
> > perf_event_open() and then unregistering it by exiting the process.
> >
> > 1) live kernel patching happens, first instruction of some function changes
>
> But live kernel patching uses ftrace to do this, so the question remains,
> why doesn't ftrace know about this change?

That's a line from our product which changes the first instruction of the function.

> > 2) kprobe on that function is registered with perf_event_open()
> >
> > WARNING: CPU: 5 PID: 2109 at kernel/trace/ftrace.c:1853 ftrace_bug+0x25d/0x270
> > [] ftrace_bug+0x25d/0x270
> > [] ftrace_replace_code+0x2b1/0x420
> > [] ftrace_modify_all_code+0x6a/0xb0
> > [] arch_ftrace_update_code+0x10/0x20
> > [] ftrace_run_update_code+0x17/0x70
> > [] ftrace_set_hash+0x1c2/0x1f0
> > [] ? SyS_dup2+0x60/0x60
> > [] ? SyS_dup2+0x60/0x60
> > [] ftrace_set_filter_ip+0x60/0x70
> > [] arm_kprobe+0x9c/0x140
> > [] enable_kprobe+0x78/0xa0
> > [] enable_trace_kprobe+0x7b/0x120
> > [] kprobe_register+0x2f/0x60
> > [] perf_trace_event_init+0x1aa/0x230
> > [] perf_kprobe_init+0xa7/0xf0
> > [] perf_kprobe_event_init+0x49/0x70
> > [] perf_try_init_event+0x99/0xc0
> > [] perf_init_event+0x92/0x150
> > [] perf_event_alloc+0x4f1/0x910
> > [] SYSC_perf_event_open+0x3c9/0xe50
> > [] SyS_perf_event_open+0x9/0x10
> > [] system_call_fastpath+0x25/0x2a
> > ftrace failed to modify [] SyS_dup+0x0/0x120
> > actual: e9:4b:50:2e:3f
> >
>
> Again, why did the above happen? This is a kernel bug that needs to be
> fixed. Everything else after this is unimportant, because it's just fallout
> from the above bug.

I'll double check what we (not KLP) do and maybe even what KLP does!
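When the FTRACE_WARN_ON_ONCE() path fires as in the trace above, the "actual:" line is the operator's best evidence of who rewrote the call site before ftrace got there. The following is an added example, not code from the thread or the kernel: it scans constructed dmesg-style lines for "ftrace failed to modify" / "actual:" pairs and decodes the first byte of the 5-byte x86-64 call site (0xe9 jmp rel32 as in the report, 0xe8 call rel32, or the idle 5-byte nop), so a detection pipeline can flag a function whose entry was redirected outside ftrace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the warning quoted in the thread
# (kernel addresses were already stripped there, hence the empty "[]").
SAMPLE_LOG = """\
[  812.301] WARNING: CPU: 5 PID: 2109 at kernel/trace/ftrace.c:1853 ftrace_bug+0x25d/0x270
[  812.302] ftrace failed to modify [] SyS_dup+0x0/0x120
[  812.302]  actual:   e9:4b:50:2e:3f
[  812.900] ftrace failed to modify [] do_sys_open+0x0/0x210
[  812.901]  actual:   0f:1f:44:00:00
"""

FAILED_RE = re.compile(r"ftrace failed to modify \[[0-9a-fx]*\] (\S+)")
ACTUAL_RE = re.compile(r"actual:\s+((?:[0-9a-f]{2}:){4}[0-9a-f]{2})")


@dataclass
class FtraceFailure:
    symbol: str      # e.g. "SyS_dup+0x0/0x120"; +0x0 means the function's first instruction
    actual: bytes    # the 5 bytes ftrace found at the call site
    verdict: str


def rel32(ins: bytes) -> int:
    """Signed rel32 displacement of a 5-byte jmp/call (target = site + 5 + disp)."""
    return int.from_bytes(ins[1:5], "little", signed=True)


def classify(ins: bytes) -> str:
    """Interpret the bytes ftrace reported at an x86-64 mcount call site."""
    if ins[0] == 0xE9:
        return f"jmp rel32 ({rel32(ins):+#x}): entry redirected by something other than ftrace"
    if ins[0] == 0xE8:
        return f"call rel32 ({rel32(ins):+#x}): call site already claimed"
    if ins == b"\x0f\x1f\x44\x00\x00":
        return "5-byte nop: site idle, ftrace expected a call here"
    return "unknown bytes: inspect manually"


def parse_ftrace_failures(log: str) -> List[FtraceFailure]:
    """Pair each 'ftrace failed to modify' line with the 'actual:' line that follows it."""
    failures: List[FtraceFailure] = []
    pending: Optional[str] = None
    for line in log.splitlines():
        if (m := FAILED_RE.search(line)):
            pending = m.group(1)
        elif pending and (m := ACTUAL_RE.search(line)):
            ins = bytes.fromhex(m.group(1).replace(":", ""))
            failures.append(FtraceFailure(pending, ins, classify(ins)))
            pending = None
    return failures
```

Run over real dmesg output, a jmp verdict at offset +0x0 is the signature the thread describes: the first instruction was replaced outside ftrace's knowledge, and any later kprobe arm on that symbol will trip the same warning.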