From: Steven Rostedt <rostedt@goodmis.org>
To: Afi0 <capyenglishlite@gmail.com>
Cc: security@kernel.org, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, mhiramat@kernel.org,
Greg KH <gregkh@linuxfoundation.org>,
Jiri Olsa <olsajiri@gmail.com>
Subject: Re: Race condition in __modify_ftrace_direct() between tmp_ops registration and direct_functions hash update
Date: Sun, 17 May 2026 09:15:10 -0400
Message-ID: <20260517091510.7ea4cd28@fedora>
In-Reply-To: <CAEABq7fMcvHpp4+59Mt-QdgGNpWhOqrGWHKmy+qt3tJSYb69kg@mail.gmail.com>
Added Jiri as he works on this code.
On Sun, 17 May 2026 06:24:11 +0000
Afi0 <capyenglishlite@gmail.com> wrote:
> Hi list,
>
> Apologies for initially sending only to Greg. Resending to the full list as
> requested.
> ------------------------------
>
> Component: kernel/trace/ftrace.c
> Function: __modify_ftrace_direct()
> Affected versions: Linux kernel 5.15+
> Type: TOCTOU / Race condition
> CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H - 7.8 (High)
>
> SUMMARY
>
> A race condition exists in __modify_ftrace_direct() between the
> registration of tmp_ops into ftrace_ops_list and the subsequent update of
> direct_functions hash entries. During this window, concurrent CPUs
> executing traced functions will read the stale direct call address via
> ftrace_find_rec_direct() and jump to it, while the caller may have already
> invalidated or freed the old trampoline memory.
What the above doesn't describe is how the direct was stale to begin
with. Before the assignment, it should be NULL and not a problem, and
if it was being modified, the current trampoline that direct points to
should *NOT* be freed before calling this. Otherwise, that itself is a
bug.
-- Steve
>
> VULNERABLE CODE
>
> err = register_ftrace_function_nolock(&tmp_ops);
> [race window: ftrace_ops_list_func now active, direct_functions not yet updated]
> mutex_lock(&ftrace_lock);
> entry->direct = addr; /* update happens here, too late */
> mutex_unlock(&ftrace_lock);
>
> IMPACT
>
> CPU executing traced function reads stale direct_functions entry during the
> race window. arch_ftrace_set_direct_caller() redirects execution to
> potentially freed or invalidated trampoline memory. Use-after-free in
> executable code context on SMP systems.
>
> TRIGGER
>
> Requires CAP_PERFMON or CAP_SYS_ADMIN directly. Also reachable via BPF
> trampolines (kernel/bpf/trampoline.c calls __modify_ftrace_direct()
> internally) with CAP_BPF + CAP_PERFMON, default in many CI/CD container
> runtimes. Live patching via klp_patch_func() also goes through this path.
>
> SUGGESTED FIX
>
> Update entry->direct under ftrace_lock BEFORE registering tmp_ops. Add
> smp_wmb() between the store and registration to ensure ordering on
> weakly-ordered architectures.
>
> Patch attached as 0001-ftrace-fix-race-in-__modify_ftrace_direct.patch
>
> Fixes: 0567d6809440 ("ftrace: Add modify_ftrace_direct()")
>
> Thanks,
>
> Afi0
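To make Steve's objection concrete, here is an added example (mine, not kernel code and not from anyone on this thread): a hypothetical single-threaded C model of the step order the report describes, where the only thing that separates a harmless read of the old address from a use-after-free is whether the caller freed the old trampoline before or after calling modify. The trampoline pool, the fake addresses, and every function name (tramp_alloc, modify_direct, run_modify) are assumptions of the model, not ftrace internals.

```c
/* Added example, not kernel code: a single-threaded userspace model of the
 * caller contract Steve describes. Everything here is hypothetical. A toy
 * pool stands in for trampoline memory, one global for entry->direct, and
 * modify_direct() copies the step order the report complains about (tmp_ops
 * registered first, hash entry updated second). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRAMP 4

struct trampoline {
    bool allocated;
    unsigned long addr;                  /* fake address: compared, never called */
};

static struct trampoline pool[MAX_TRAMP];
static unsigned long direct_addr;        /* models entry->direct */
static int dangling_reads;               /* reads that hit a freed trampoline */
static int stale_live_reads;             /* reads of the old, still-live one */

static unsigned long tramp_alloc(void)
{
    for (int i = 0; i < MAX_TRAMP; i++) {
        if (!pool[i].allocated) {
            pool[i].allocated = true;
            pool[i].addr = 0x1000UL * (i + 1);
            return pool[i].addr;
        }
    }
    abort();                             /* pool exhausted: not expected here */
}

static struct trampoline *find(unsigned long addr)
{
    for (int i = 0; i < MAX_TRAMP; i++)
        if (pool[i].addr == addr)
            return &pool[i];
    return NULL;
}

static void tramp_free(unsigned long addr)
{
    struct trampoline *t = find(addr);
    if (t)
        t->allocated = false;
}

static bool tramp_live(unsigned long addr)
{
    struct trampoline *t = find(addr);
    return t && t->allocated;
}

/* A CPU running a traced function: read entry->direct and "jump" to it.
 * Instead of executing anything we only classify the target. */
static void reader(unsigned long old_addr, unsigned long new_addr)
{
    unsigned long target = direct_addr;
    if (!tramp_live(target))
        dangling_reads++;
    else if (target == old_addr && target != new_addr)
        stale_live_reads++;
}

/* Toy stand-in for the sequence in the report. The first reader call is the
 * "race window": tmp_ops is in place, the hash still holds the old address. */
static void modify_direct(unsigned long old_addr, unsigned long new_addr)
{
    /* step 1: register_ftrace_function_nolock(&tmp_ops), modelled as a no-op */
    reader(old_addr, new_addr);
    /* step 2: mutex_lock(&ftrace_lock); entry->direct = addr; mutex_unlock */
    direct_addr = new_addr;
    reader(old_addr, new_addr);
    /* step 3: unregister tmp_ops */
}

/* One full modify cycle. free_before_modify=true models a caller that frees
 * the old trampoline before calling modify (the caller bug Steve describes);
 * false models one that frees it only after modify returns.
 * Returns the number of reads that hit freed memory. */
int run_modify(bool free_before_modify)
{
    memset(pool, 0, sizeof(pool));
    dangling_reads = stale_live_reads = 0;
    unsigned long old_addr = tramp_alloc();
    direct_addr = old_addr;              /* initial direct registration */
    unsigned long new_addr = tramp_alloc();
    if (free_before_modify)
        tramp_free(old_addr);            /* wrong: still installed in the hash */
    modify_direct(old_addr, new_addr);
    if (!free_before_modify)
        tramp_free(old_addr);            /* right: nothing can reach it now */
    return dangling_reads;
}

/* Reads of the still-live old trampoline during the last run. */
int stale_live_reads_seen(void) { return stale_live_reads; }

int main(void)
{
    int d_after = run_modify(false), s_after = stale_live_reads_seen();
    printf("free after modify:  dangling=%d stale-but-live=%d\n", d_after, s_after);
    printf("free before modify: dangling=%d\n", run_modify(true));
    return 0;
}
```

With the correct caller the window still produces one read of the old address, but that address is live, so nothing dangerous happens; the dangling read only appears when the caller frees first, which is the ordering Steve calls a bug in its own right.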
Thread overview: 4+ messages
2026-05-17 6:24 Race condition in __modify_ftrace_direct() between tmp_ops registration and direct_functions hash update Afi0
2026-05-17 7:08 ` Greg KH
2026-05-17 13:15 ` Steven Rostedt [this message]
[not found] ` <CAEABq7dxnaLrTOhmD+tKnDenmZTUQD8sG=eoxe72mi_gwaus6g@mail.gmail.com>
2026-05-17 16:53 ` Steven Rostedt