From: Greg KH <greg@kroah.com>
To: Zheng Yejian <zhengyejian1@huawei.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH 5.15.y] kprobes: Fix possible use-after-free issue on kprobe registration
Date: Fri, 19 Apr 2024 13:10:13 +0200 [thread overview]
Message-ID: <2024041905-hamstring-quit-892c@gregkh> (raw)
In-Reply-To: <20240416021654.1184927-1-zhengyejian1@huawei.com>
On Tue, Apr 16, 2024 at 10:16:54AM +0800, Zheng Yejian wrote:
> commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream.
>
> When unloading a module, its state changes MODULE_STATE_LIVE ->
> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes
> some time. `is_module_text_address()` and `__module_text_address()`
> work with MODULE_STATE_LIVE and MODULE_STATE_GOING.
> If we use `is_module_text_address()` and `__module_text_address()`
> separately, there is a chance that the first one succeeds but the
> next one fails because module->state becomes MODULE_STATE_UNFORMED
> between those operations.
>
> In `check_kprobe_address_safe()`, if the second `__module_text_address()`
> fails, that is ignored because the address is expected to be a kernel_text
> address. But it may have failed simply because module->state has been
> changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to
> modify a non-existent module text address (use-after-free).
>
> To fix this problem, we should not use separate `is_module_text_address()`
> and `__module_text_address()` calls, but use only `__module_text_address()`
> once and do `try_module_get(module)`, which is only available with
> MODULE_STATE_LIVE.
>
> Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/
>
> Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> [Fix conflict due to the missing dependency
> commit 223a76b268c9 ("kprobes: Fix coding style issues")]
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
> kernel/kprobes.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
All now queued up, thanks.
greg k-h
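Added example, not part of this thread or of the kernel: a small user-space model in C of the race the commit message describes. The module states, the `__module_text_address()` / `try_module_get()` stand-ins, the text address ranges and the `unloader_step()` hook are all constructed for the illustration; `check_address_safe_old()` and `check_address_safe_new()` follow the shape of the pre-fix and post-fix `check_kprobe_address_safe()` logic as the commit message explains it, not the kernel's actual code. The unloader is modelled as a deterministic state change at the worst moment of the check, so the time-of-check/time-of-use window is visible without threads.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code): one fake module, a state field that a
 * simulated unloader advances at a chosen point, and the two shapes of the
 * kprobe address check described in the commit message.
 */
enum module_state { MODULE_STATE_LIVE, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };

struct module {
    const char *name;
    enum module_state state;
    uintptr_t text_start, text_end;   /* [start, end) of the module's text (made up) */
    int refcnt;
};

static struct module fake_mod;

/* Core kernel text lives at [0x100, 0x800) in this model (made-up range). */
static bool core_kernel_text(uintptr_t addr) { return addr >= 0x100 && addr < 0x800; }

/* Stand-in for the kernel helper: a module is found while LIVE or GOING,
 * but not once it has become UNFORMED. */
static struct module *__module_text_address(uintptr_t addr)
{
    struct module *mod = &fake_mod;
    if (mod->state == MODULE_STATE_UNFORMED) return NULL;
    if (addr < mod->text_start || addr >= mod->text_end) return NULL;
    return mod;
}

static bool is_module_text_address(uintptr_t addr) { return __module_text_address(addr) != NULL; }

/* kernel_text_address() accepts core text and, via is_module_text_address(), module text. */
static bool kernel_text_address(uintptr_t addr)
{
    return core_kernel_text(addr) || is_module_text_address(addr);
}

/* A reference can only be taken on a LIVE module. */
static bool try_module_get(struct module *mod)
{
    if (mod->state != MODULE_STATE_LIVE) return false;
    mod->refcnt++;
    return true;
}

/* Simulated unloader: advance the module to `unload_to` when stepped. */
static enum module_state unload_to = MODULE_STATE_LIVE;
static void unloader_step(void) { if (unload_to != MODULE_STATE_LIVE) fake_mod.state = unload_to; }

static void reset(enum module_state race_to)
{
    fake_mod = (struct module){ "fake_mod", MODULE_STATE_LIVE, 0x1000, 0x2000, 0 };
    unload_to = race_to;
}

/* Pre-fix shape: kernel_text_address() first, then a separate
 * __module_text_address(). A NULL from the second lookup is treated as
 * "this must be core kernel text", so no reference is taken. */
static int check_address_safe_old(uintptr_t addr, struct module **probed_mod)
{
    *probed_mod = NULL;
    if (!kernel_text_address(addr)) return -EINVAL;
    unloader_step();                          /* module->state changes here */
    *probed_mod = __module_text_address(addr);
    if (*probed_mod && !try_module_get(*probed_mod)) { *probed_mod = NULL; return -ENOENT; }
    return 0;
}

/* Post-fix shape: a single __module_text_address() lookup, and a non-core
 * address is accepted only if a reference on a LIVE module can be taken. */
static int check_address_safe_new(uintptr_t addr, struct module **probed_mod)
{
    *probed_mod = NULL;
    if (core_kernel_text(addr)) return 0;
    unloader_step();                          /* same window, now rejected */
    *probed_mod = __module_text_address(addr);
    if (!*probed_mod) return -EINVAL;
    if (!try_module_get(*probed_mod)) { *probed_mod = NULL; return -ENOENT; }
    return 0;
}

/* True when the caller would go on to patch module text without holding a
 * reference: the use-after-free window from the commit message. */
static bool would_arm_unreferenced(int ret, const struct module *probed_mod, uintptr_t addr)
{
    return ret == 0 && !core_kernel_text(addr) && probed_mod == NULL;
}

int main(void)
{
    struct module *mod;
    int ret;
    uintptr_t addr = 0x1234;                  /* inside the fake module's text */

    reset(MODULE_STATE_UNFORMED);
    ret = check_address_safe_old(addr, &mod);
    printf("old, unloaded mid-check: ret=%d probed_mod=%p uaf=%d\n",
           ret, (void *)mod, would_arm_unreferenced(ret, mod, addr));

    reset(MODULE_STATE_UNFORMED);
    ret = check_address_safe_new(addr, &mod);
    printf("new, unloaded mid-check: ret=%d (-EINVAL is %d)\n", ret, -EINVAL);

    reset(MODULE_STATE_GOING);
    ret = check_address_safe_new(addr, &mod);
    printf("new, going mid-check:    ret=%d (-ENOENT is %d)\n", ret, -ENOENT);
    return 0;
}
```

The pre-fix shape only misbehaves for the LIVE -> UNFORMED transition: a GOING module is still found by the second lookup and `try_module_get()` rejects it, which is why the commit message singles out UNFORMED. The post-fix shape has no second lookup to disagree with the first, and every path that accepts a module address has taken a reference on it.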
Thread overview:
2024-04-15 12:36 FAILED: patch "[PATCH] kprobes: Fix possible use-after-free issue on kprobe" failed to apply to 5.15-stable tree gregkh
2024-04-16 2:16 ` [PATCH 5.15.y] kprobes: Fix possible use-after-free issue on kprobe registration Zheng Yejian
2024-04-19 11:10 ` Greg KH [this message]