From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FBD4C43334 for ; Wed, 20 Jul 2022 16:46:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233673AbiGTQqM (ORCPT ); Wed, 20 Jul 2022 12:46:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44764 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233067AbiGTQqI (ORCPT ); Wed, 20 Jul 2022 12:46:08 -0400 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D1F34D171; Wed, 20 Jul 2022 09:46:07 -0700 (PDT) Received: by mail-wr1-x434.google.com with SMTP id a5so26910889wrx.12; Wed, 20 Jul 2022 09:46:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=AZtADZMgvtkBCIS3LAqwVrSV9dMCa75z9Sz8LnDoOZo=; b=F4eDRekK60FmXBYorH5UrWwF5oNEkE4DQUpDZi9I4zIz/11lNlPFUKupDgG71M7NQK 8xShZmQi6qaiKl9QLmJndgt3Wc9jhhBue6t1tFlw24Xu31wXGUUxWii3ZfGFUj1lUbC9 m8n50YA56LsA1bse7WSKej5UwEQTHqgPOyBauh0SllvURhifW0qpsNZEqQC9T4KcrfaD dbbRJ3j3FjmE1ltZtXZHsDVJOoutBOTAYt2lg6McVaKMGLDdx8pVF3EG9enVFs0xPMSI eTEQYAxCFNOpIhcjmbQjJi3l0NLQnbE5wFiyOAx3lQOH/MfBSDMHLwq9kAtrGSB3Zvfk lrCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=AZtADZMgvtkBCIS3LAqwVrSV9dMCa75z9Sz8LnDoOZo=; b=LZ6YxSjWwyeCx3z/GN8Sxy1TBzADlkucbEdD+3Ex5/iDFlIuyopo/OtBLJzFRj7OgK cdKhl87dqIYV4csslInXDnGKTiJ4n+D9XIOWQpAHTi86g9VnsGBVqj2Wlodwv4ka+/le vp1EjgaSTJF/AinOoYMpYz3Ftl6flB5l2YgRnxJoB0sZbzKDlV4iHGWFSMA5EvLIgSFW I4WHfJe261smAKtm2q/8JNOUamO+qNXSOpCo9xw2E+cUGrwkWnso9UDIes+ERdh1usCq heSzi7c191wxevGNNtPpaJsvO5kVtqOgXaQBK9u2NW0/O9vkjw6HbTK6tXdqEdCgjE72 37Aw== X-Gm-Message-State: AJIora9H1JZtNakhPlJSHDG3pgVo9gV74tk5EzT3xTiaCWc9wbc5uYFs Lep8zx5SEnBmiT/LVFXe+w== X-Google-Smtp-Source: AGRyM1sJGR02ktTNDO/5V/8b0J7NeLfgLZAQKhP26fn+FEGkv5+s4DYNVKTfEGxjHlbkqQOROaICnw== X-Received: by 2002:adf:f705:0:b0:21d:74fa:c043 with SMTP id r5-20020adff705000000b0021d74fac043mr32474671wrp.77.1658335565829; Wed, 20 Jul 2022 09:46:05 -0700 (PDT) Received: from localhost.localdomain ([46.53.253.107]) by smtp.gmail.com with ESMTPSA id w7-20020a1cf607000000b003a31f1edfa7sm3038915wmc.41.2022.07.20.09.46.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Jul 2022 09:46:04 -0700 (PDT) Date: Wed, 20 Jul 2022 19:46:02 +0300 From: Alexey Dobriyan To: Steven Rostedt Cc: mingo@redhat.com, linux-kernel@vger.kernel.org, Josh Poimboeuf , Jiri Kosina , Miroslav Benes , Petr Mladek , live-patching@vger.kernel.org Subject: Re: ftrace_kill() leads to kmalloc-512 UAF Message-ID: References: <20220720121102.6cac8f1d@gandalf.local.home> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20220720121102.6cac8f1d@gandalf.local.home> Precedence: bulk List-ID: X-Mailing-List: live-patching@vger.kernel.org On Wed, Jul 20, 2022 at 12:11:02PM -0400, Steven Rostedt wrote: > > [ Adding live kernel patching folks ] > > On Wed, 20 Jul 2022 18:22:25 +0300 > Alexey Dobriyan wrote: > > > I'm debugging crash of our product which does live kernel patching together > > with ISV security scanner which uses ftrace kprobes to do whatever it does. > > > > What happens is that is ftrace ever detects .text change, refuses to patch > > and prints a warning with FTRACE_WARN_ON_ONCE() then there is reliable way > > to cause UAF on kmalloc-512 cache by trying to register kprobe with > > perf_event_open() and then unregistering it by exiting the process. > > > > 1) live kernel patching happens, first instruction of some function changes > > But live kernel patching uses ftrace to do this, so the question remains, > why doesn't ftrace know about this change? That a line from our product which changes first instruction of the function. > > 2) kprobe on that function is registered with perf_event_open() > > > > WARNING: CPU: 5 PID: 2109 at kernel/trace/ftrace.c:1853 ftrace_bug+0x25d/0x270 > > [] ftrace_bug+0x25d/0x270 > > [] ftrace_replace_code+0x2b1/0x420 > > [] ftrace_modify_all_code+0x6a/0xb0 > > [] arch_ftrace_update_code+0x10/0x20 > > [] ftrace_run_update_code+0x17/0x70 > > [] ftrace_set_hash+0x1c2/0x1f0 > > [] ? SyS_dup2+0x60/0x60 > > [] ? SyS_dup2+0x60/0x60 > > [] ftrace_set_filter_ip+0x60/0x70 > > [] arm_kprobe+0x9c/0x140 > > [] enable_kprobe+0x78/0xa0 > > [] enable_trace_kprobe+0x7b/0x120 > > [] kprobe_register+0x2f/0x60 > > [] perf_trace_event_init+0x1aa/0x230 > > [] perf_kprobe_init+0xa7/0xf0 > > [] perf_kprobe_event_init+0x49/0x70 > > [] perf_try_init_event+0x99/0xc0 > > [] perf_init_event+0x92/0x150 > > [] perf_event_alloc+0x4f1/0x910 > > [] SYSC_perf_event_open+0x3c9/0xe50 > > [] SyS_perf_event_open+0x9/0x10 > > [] system_call_fastpath+0x25/0x2a > > ftrace failed to modify [] SyS_dup+0x0/0x120 > > actual: e9:4b:50:2e:3f > > > > Again, why did the above happen. This is a kernel bug that needs to be > fixed. Everything else after this is unimportant, because it's just fall > out to the above bug. I'll double check what we (not KLP) do and maybe even what KLP does!