[PATCH tip/perf/core] bpf: fix use-after-free in bpf_uprobe_multi_link_attach()

[PATCH tip/perf/core] bpf: fix use-after-free in bpf_uprobe_multi_link_attach()

[Oleg Nesterov]

If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
error_free label and frees the array of bpf_uprobe's without calling
bpf_uprobe_unregister().

This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
without removing it from the uprobe->consumers list.

Cc: stable@vger.kernel.org
Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link")
Reported-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000382d39061f59f2dd@google.com/
Tested-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/trace/bpf_trace.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 4e391daafa64..90cd30e9723e 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3484,17 +3484,20 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
 						    &uprobes[i].consumer);
 		if (IS_ERR(uprobes[i].uprobe)) {
 			err = PTR_ERR(uprobes[i].uprobe);
-			bpf_uprobe_unregister(uprobes, i);
-			goto error_free;
+			link->cnt = i;
+			goto error_unregister;
 		}
 	}
 
 	err = bpf_link_prime(&link->link, &link_primer);
 	if (err)
-		goto error_free;
+		goto error_unregister;
 
 	return bpf_link_settle(&link_primer);
 
+error_unregister:
+	bpf_uprobe_unregister(uprobes, link->cnt);
+
 error_free:
 	kvfree(uprobes);
 	kfree(link);
-- 
2.25.1.362.g51ebf55

Re: [PATCH tip/perf/core] bpf: fix use-after-free in bpf_uprobe_multi_link_attach()

[Jiri Olsa]

On Tue, Aug 13, 2024 at 05:25:24PM +0200, Oleg Nesterov wrote:
> If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
> error_free label and frees the array of bpf_uprobe's without calling
> bpf_uprobe_unregister().
> 
> This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
> without removing it from the uprobe->consumers list.
> 
> Cc: stable@vger.kernel.org
> Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link")
> Reported-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000382d39061f59f2dd@google.com/
> Tested-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
> Acked-by: Andrii Nakryiko <andrii@kernel.org>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

thanks for fixing this

Acked-by: Jiri Olsa <jolsa@kernel.org>

jirka

> ---
>  kernel/trace/bpf_trace.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 4e391daafa64..90cd30e9723e 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -3484,17 +3484,20 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>  						    &uprobes[i].consumer);
>  		if (IS_ERR(uprobes[i].uprobe)) {
>  			err = PTR_ERR(uprobes[i].uprobe);
> -			bpf_uprobe_unregister(uprobes, i);
> -			goto error_free;
> +			link->cnt = i;
> +			goto error_unregister;
>  		}
>  	}
>  
>  	err = bpf_link_prime(&link->link, &link_primer);
>  	if (err)
> -		goto error_free;
> +		goto error_unregister;
>  
>  	return bpf_link_settle(&link_primer);
>  
> +error_unregister:
> +	bpf_uprobe_unregister(uprobes, link->cnt);
> +
>  error_free:
>  	kvfree(uprobes);
>  	kfree(link);
> -- 
> 2.25.1.362.g51ebf55
> 
> 

[tip: perf/core] bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

[tip-bot2 for Oleg Nesterov]

The following commit has been merged into the perf/core branch of tip:

Commit-ID:     5fe6e308abaea082c20fbf2aa5df8e14495622cf
Gitweb:        https://git.kernel.org/tip/5fe6e308abaea082c20fbf2aa5df8e14495622cf
Author:        Oleg Nesterov <oleg@redhat.com>
AuthorDate:    Tue, 13 Aug 2024 17:25:24 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Thu, 05 Sep 2024 16:56:13 +02:00

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
error_free label and frees the array of bpf_uprobe's without calling
bpf_uprobe_unregister().

This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
without removing it from the uprobe->consumers list.

Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link")
Closes: https://lore.kernel.org/all/000000000000382d39061f59f2dd@google.com/
Reported-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Tested-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240813152524.GA7292@redhat.com
---
 kernel/trace/bpf_trace.c |  9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 4e391da..90cd30e 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3484,17 +3484,20 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
 						    &uprobes[i].consumer);
 		if (IS_ERR(uprobes[i].uprobe)) {
 			err = PTR_ERR(uprobes[i].uprobe);
-			bpf_uprobe_unregister(uprobes, i);
-			goto error_free;
+			link->cnt = i;
+			goto error_unregister;
 		}
 	}
 
 	err = bpf_link_prime(&link->link, &link_primer);
 	if (err)
-		goto error_free;
+		goto error_unregister;
 
 	return bpf_link_settle(&link_primer);
 
+error_unregister:
+	bpf_uprobe_unregister(uprobes, link->cnt);
+
 error_free:
 	kvfree(uprobes);
 	kfree(link);