From: Martin KaFai Lau <martin.lau@linux.dev>
To: KP Singh <kpsingh@kernel.org>
Cc: ast@kernel.org, songliubraving@fb.com, andrii@kernel.org,
daniel@iogearbox.net, Kuba Piecuch <jpiecuch@google.com>,
bpf@vger.kernel.org
Subject: Re: [PATCH bpf v2] bpf: Fix UAF in task local storage
Date: Fri, 2 Jun 2023 11:02:31 -0700 [thread overview]
Message-ID: <5abdfec7-99ac-be3a-634c-3eb666538ef4@linux.dev> (raw)
In-Reply-To: <20230602002612.1117381-1-kpsingh@kernel.org>
On 6/1/23 5:26 PM, KP Singh wrote:
> When task local storage was generalized for tracing programs, the
> bpf_task_local_storage callback was moved from a BPF LSM hook
> callback for security_task_free LSM hook to it's own callback. But a
> failure case in bad_fork_cleanup_security was missed which, when
> triggered, led to a dangling task owner pointer and a subsequent
> use-after-free. Move the bpf_task_storage_free to the very end of
> free_task to handle all failure cases.
>
> This issue was noticed when a BPF LSM program was attached to the
> task_alloc hook on a kernel with KASAN enabled. The program used
> bpf_task_storage_get to copy the task local storage from the current
> task to the new task being created.
>
> Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs")
> Reported-by: Kuba Piecuch <jpiecuch@google.com>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>
> * v1 -> v2
>
> Move the bpf_task_storage_free to free_task as suggested by Martin
>
> kernel/fork.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index ed4e01daccaa..cb20f9f596d3 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -627,6 +627,7 @@ void free_task(struct task_struct *tsk)
> arch_release_task_struct(tsk);
> if (tsk->flags & PF_KTHREAD)
> free_kthread_struct(tsk);
> + bpf_task_storage_free(tsk);
Applied. Thanks for the fix.
A followup question, does it need a "notrace" to be added to
bpf_task_storage_free to ensure no task storage can be recreated?
> free_task_struct(tsk);
> }
> EXPORT_SYMBOL(free_task);
> @@ -979,7 +980,6 @@ void __put_task_struct(struct task_struct *tsk)
> cgroup_free(tsk);
> task_numa_free(tsk, true);
> security_task_free(tsk);
> - bpf_task_storage_free(tsk);
> exit_creds(tsk);
> delayacct_tsk_free(tsk);
> put_signal_struct(tsk->signal);
next prev parent reply other threads:[~2023-06-02 18:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-02 0:26 [PATCH bpf v2] bpf: Fix UAF in task local storage KP Singh
2023-06-02 0:37 ` Song Liu
2023-06-02 18:02 ` Martin KaFai Lau [this message]
2023-06-05 23:04 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5abdfec7-99ac-be3a-634c-3eb666538ef4@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jpiecuch@google.com \
--cc=kpsingh@kernel.org \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.