Date: Wed, 10 Apr 2024 23:03:36 +0900
From: Masami Hiramatsu (Google)
To: Zheng Yejian
Subject: Re: [PATCH v3] kprobes: Fix possible use-after-free issue on kprobe registration
Message-Id: <20240410230336.8ef84251c45ef363f3f1ff6f@kernel.org>
In-Reply-To: <20240410015802.265220-1-zhengyejian1@huawei.com>
References: <20240407035904.2556645-1-zhengyejian1@huawei.com> <20240410015802.265220-1-zhengyejian1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 10 Apr 2024 09:58:02 +0800 Zheng Yejian wrote:

> When unloading a module, its state changes MODULE_STATE_LIVE ->
> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes
> time. `is_module_text_address()` and `__module_text_address()`
> work with MODULE_STATE_LIVE and MODULE_STATE_GOING.
> If we use `is_module_text_address()` and `__module_text_address()`
> separately, there is a chance that the first one succeeds but the
> next one fails because module->state becomes MODULE_STATE_UNFORMED
> between those operations.
>
> In `check_kprobe_address_safe()`, if the second `__module_text_address()`
> fails, that is ignored because it is expected to be a kernel_text address.
> But it may have failed simply because module->state has been changed
> to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
> a non-existent module text address (use-after-free).
>
> To fix this problem, we should not use separate `is_module_text_address()`
> and `__module_text_address()` calls, but use only `__module_text_address()`
> once and do `try_module_get(module)`, which is only available with
> MODULE_STATE_LIVE.
> > Signed-off-by: Zheng Yejian Looks good to me. Let me pick this version, and it should be a bugfix. Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") Cc: stable@vger.kernel.org Thank you! > --- > kernel/kprobes.c | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > > v3: > - Update commit messages as suggested by Masami. > Link: https://lore.kernel.org/all/20240409224922.5f192e8ace5f7a90937bfa69@kernel.org/ > - Also change to a more appropriate title. > > v2: > - Update commit messages and comments as suggested by Masami. > Link: https://lore.kernel.org/all/20240408115038.b0c85767bf1f249eccc32fff@kernel.org/ > - Link: https://lore.kernel.org/all/20240408083403.3302274-1-zhengyejian1@huawei.com/ > > v1: > - Link: https://lore.kernel.org/all/20240407035904.2556645-1-zhengyejian1@huawei.com/ > > diff --git a/kernel/kprobes.c b/kernel/kprobes.c > index 9d9095e81792..65adc815fc6e 100644 > --- a/kernel/kprobes.c > +++ b/kernel/kprobes.c > @@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(struct kprobe *p, > jump_label_lock(); > preempt_disable(); > > - /* Ensure it is not in reserved area nor out of text */ > - if (!(core_kernel_text((unsigned long) p->addr) || > - is_module_text_address((unsigned long) p->addr)) || > - in_gate_area_no_mm((unsigned long) p->addr) || > + /* Ensure the address is in a text area, and find a module if exists. */ > + *probed_mod = NULL; > + if (!core_kernel_text((unsigned long) p->addr)) { > + *probed_mod = __module_text_address((unsigned long) p->addr); > + if (!(*probed_mod)) { > + ret = -EINVAL; > + goto out; > + } > + } > + /* Ensure it is not in reserved area. */ > + if (in_gate_area_no_mm((unsigned long) p->addr) || > within_kprobe_blacklist((unsigned long) p->addr) || > jump_label_text_reserved(p->addr, p->addr) || > static_call_text_reserved(p->addr, p->addr) || 
> @@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(struct kprobe *p, > goto out; > } > > - /* Check if 'p' is probing a module. */ > - *probed_mod = __module_text_address((unsigned long) p->addr); > + /* Get module refcount and reject __init functions for loaded modules. */ > if (*probed_mod) { > /* > * We must hold a refcount of the probed module while updating > -- > 2.25.1 > -- Masami Hiramatsu (Google)
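Review bot: In the first hunk of check_kprobe_address_safe(), `*probed_mod` is now assigned before the reserved-area check, so the `goto out` taken when `in_gate_area_no_mm()`, `within_kprobe_blacklist()` or the other reserved-area tests fire returns an error with `*probed_mod` pointing at a module on which no reference has been taken yet (the refcount is only acquired in the later `if (*probed_mod)` block). Any caller that reads `*probed_mod` on a non-zero return would get an unreferenced module pointer; suggest either clearing `*probed_mod = NULL` under `out:` when `ret` is non-zero, or stating in the function's comment that the output parameter is only valid when the function returns 0.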
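Review bot: The replacement comment in the second hunk, `/* Get module refcount and reject __init functions for loaded modules. */`, does not record why the refcount step is now the safety check: per the commit message, `__module_text_address()` also matches a module in MODULE_STATE_GOING, and it is `try_module_get()` succeeding only in MODULE_STATE_LIVE that closes the window in which the old second lookup could return NULL. Suggest extending the comment to say that the lookup above may have matched a module being unloaded and that a failed try_module_get() is how that case is rejected, so the reason for folding the two lookups into one survives in the code rather than only in the changelog.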
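To make the window the commit message describes concrete, here is an added user-space C model of the two shapes of `check_kprobe_address_safe()`; it is not kernel code and not part of this thread. The module structure, `module_text_address_model()`, `try_module_get_model()`, the address ranges and the `race_hook_t` unloader are constructed stand-ins for `__module_text_address()`, `try_module_get()` and a concurrent module unload, with the reserved-area checks collapsed away. `check_old()` does the pre-patch pair of lookups; `check_new()` does the single lookup followed by the refcount step.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Module states, in the order a module passes through them on unload. */
enum mod_state { MOD_LIVE, MOD_GOING, MOD_UNFORMED };

struct module {
	enum mod_state state;
	unsigned long text_start, text_end;   /* constructed text range */
	int refcnt;
};

/* Result codes modelled on the kernel's -EINVAL / -ENOENT returns. */
enum check_result { CHECK_OK = 0, CHECK_EINVAL = -22, CHECK_ENOENT = -2 };

/* Constructed address ranges: core kernel text and one module's text. */
#define KERNEL_TEXT_START 0x1000UL
#define KERNEL_TEXT_END   0x2000UL
static struct module the_mod = { MOD_LIVE, 0x8000UL, 0x9000UL, 0 };

static bool core_kernel_text_model(unsigned long addr)
{
	return addr >= KERNEL_TEXT_START && addr < KERNEL_TEXT_END;
}

/* Stand-in for __module_text_address(): matches while LIVE or GOING,
 * returns NULL once the module is UNFORMED. */
static struct module *module_text_address_model(unsigned long addr)
{
	if (the_mod.state == MOD_UNFORMED)
		return NULL;
	if (addr >= the_mod.text_start && addr < the_mod.text_end)
		return &the_mod;
	return NULL;
}

/* Stand-in for try_module_get(): a reference can only be taken while LIVE. */
static bool try_module_get_model(struct module *m)
{
	if (m->state != MOD_LIVE)
		return false;
	m->refcnt++;
	return true;
}

/* A "concurrent unloader" invoked inside the window between two steps. */
typedef void (*race_hook_t)(void);
static void unload_to_unformed(void) { the_mod.state = MOD_UNFORMED; }
static void reset_model(void) { the_mod.state = MOD_LIVE; the_mod.refcnt = 0; }

/* Pre-patch shape: one lookup decides "is this text?", a second lookup later
 * finds the module. If the module vanishes in between, the second lookup
 * returns NULL and the address is silently treated as core kernel text:
 * CHECK_OK with *probed == NULL and no reference held. */
static int check_old(unsigned long addr, race_hook_t between, struct module **probed)
{
	*probed = NULL;
	if (!(core_kernel_text_model(addr) || module_text_address_model(addr) != NULL))
		return CHECK_EINVAL;
	if (between)
		between();
	*probed = module_text_address_model(addr);
	if (*probed && !try_module_get_model(*probed))
		return CHECK_ENOENT;
	return CHECK_OK;
}

/* Post-patch shape: a single lookup whose result is kept, then the refcount
 * step on it. An unload in the window now makes try_module_get fail and the
 * address is rejected instead of being armed. */
static int check_new(unsigned long addr, race_hook_t between, struct module **probed)
{
	*probed = NULL;
	if (!core_kernel_text_model(addr)) {
		*probed = module_text_address_model(addr);
		if (!*probed)
			return CHECK_EINVAL;
	}
	if (between)
		between();
	if (*probed && !try_module_get_model(*probed))
		return CHECK_ENOENT;
	return CHECK_OK;
}

/* Runs one scenario from a fresh LIVE module; the probed module pointer is
 * left in last_probed for inspection. */
static struct module *last_probed;
static int scenario(bool fixed, bool raced, unsigned long addr)
{
	reset_model();
	race_hook_t hook = raced ? unload_to_unformed : NULL;
	return fixed ? check_new(addr, hook, &last_probed) : check_old(addr, hook, &last_probed);
}

int main(void)
{
	printf("old, raced: ret=%d probed=%p\n", scenario(false, true, 0x8100UL), (void *)last_probed);
	printf("new, raced: ret=%d probed=%p\n", scenario(true, true, 0x8100UL), (void *)last_probed);
	return 0;
}
```

With the unloader firing in the window, the old shape returns 0 with a NULL module (the case the commit message calls a use-after-free, since nothing holds the text), while the new shape returns -ENOENT because the reference cannot be taken on a module that is no longer LIVE.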