public inbox for linux-kernel@vger.kernel.org
* [PATCH] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
@ 2024-12-10 16:32 Jann Horn
From: Jann Horn @ 2024-12-10 16:32 UTC (permalink / raw)
  To: Song Liu, Jiri Olsa, KP Singh, Matt Bobrowski, Alexei Starovoitov,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
	Eduard Zingerman, Yonghong Song, John Fastabend,
	Stanislav Fomichev, Hao Luo, Steven Rostedt, Masami Hiramatsu,
	Mathieu Desnoyers, Delyan Kratunov
  Cc: bpf, linux-kernel, linux-trace-kernel, stable, Jann Horn

Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU
protection. But it is possible to attach a non-sleepable BPF program to a
uprobe, and non-sleepable BPF programs are freed via normal RCU (see
__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal
RCU grace period does not imply a tasks-trace-RCU grace period.

Fix it by explicitly waiting for a tasks-trace-RCU grace period after
removing the attachment of a bpf_prog to a perf_event.

Cc: stable@vger.kernel.org
Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps")
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jann Horn <jannh@google.com>
---
 kernel/trace/bpf_trace.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 949a3870946c381820e8fa7194851b84593d17d9..a403b05a7091384fb08e8c47ed02fad79c1a4874 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -2258,6 +2258,13 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
 		bpf_prog_array_free_sleepable(old_array);
 	}
 
+	/*
+	 * It could be that the bpf_prog is not sleepable (and will be freed
+	 * via normal RCU), but is called from a point that supports sleepable
+	 * programs and uses tasks-trace-RCU.
+	 */
+	synchronize_rcu_tasks_trace();
+
 	bpf_prog_put(event->prog);
 	event->prog = NULL;
 
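Review bot: the new synchronize_rcu_tasks_trace() is unconditional, so every perf_event_detach_bpf_prog() call pays a tasks-trace grace period, including detaches of sleepable programs (whose free already goes through tasks-trace RCU) and of non-sleepable programs on attach points that only ever run them under normal RCU; tasks-trace grace periods can be long, and this sits on the event teardown path. If that cost matters, consider restricting the wait to the case the comment describes (a non-sleepable prog, e.g. `if (!event->prog->sleepable)`, on an attach point that uses tasks-trace RCU); otherwise extend the comment to say the unconditional wait is a deliberate simplification. The ordering itself is right: the wait comes after the array has been updated above and before `bpf_prog_put(event->prog)`, so readers that loaded the old pointer under tasks-trace RCU have finished before the reference is dropped.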

---
base-commit: 509df676c2d79c985ec2eaa3e3a3bbe557645861
change-id: 20241210-bpf-fix-actual-uprobe-uaf-0aa234c0e005

-- 
Jann Horn <jannh@google.com>



* Re: [PATCH] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
  2024-12-10 16:32 [PATCH] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors Jann Horn
From: patchwork-bot+netdevbpf @ 2024-12-10 18:30 UTC (permalink / raw)
  To: Jann Horn
  Cc: song, jolsa, kpsingh, mattbobrowski, ast, daniel, andrii,
	martin.lau, eddyz87, yonghong.song, john.fastabend, sdf, haoluo,
	rostedt, mhiramat, mathieu.desnoyers, delyank, bpf, linux-kernel,
	linux-trace-kernel, stable

Hello:

This patch was applied to bpf/bpf.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Tue, 10 Dec 2024 17:32:13 +0100 you wrote:
> Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU
> protection. But it is possible to attach a non-sleepable BPF program to a
> uprobe, and non-sleepable BPF programs are freed via normal RCU (see
> __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal
> RCU grace period does not imply a tasks-trace-RCU grace period.
> 
> Fix it by explicitly waiting for a tasks-trace-RCU grace period after
> removing the attachment of a bpf_prog to a perf_event.
> 
> [...]

Here is the summary with links:
  - bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
    https://git.kernel.org/bpf/bpf/c/ef1b808e3b7c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



