linux-kernel.vger.kernel.org archive mirror
* [PATCH] uprobes: Fix kasan UAF reported by syzbot
@ 2021-02-02  9:35 qiang.zhang
  2021-02-06  1:50 ` Re: " Zhang, Qiang
From: qiang.zhang @ 2021-02-02  9:35 UTC
  To: peterz, mingo, syzbot+2f6d683983e3905ad8d6; +Cc: oleg, linux-kernel

From: Zqiang <qiang.zhang@windriver.com>

Call Trace:
 __dump_stack [inline]
 dump_stack+0x107/0x163
 print_address_description.constprop.0.cold+0x5b/0x2f8
 __kasan_report [inline]
 kasan_report.cold+0x7c/0xd8
 uprobe_cmp [inline]
 __uprobe_cmp [inline]
 rb_find_add [inline]
 __insert_uprobe [inline]
 insert_uprobe [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x70f/0x850
 ..........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 12710:
 kzalloc [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x19c/0x850
 trace_uprobe_enable [inline]
 trace_uprobe_register+0x443/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12710:
 kfree+0xe5/0x7b0
 put_uprobe [inline]
 put_uprobe+0x13b/0x190
 uprobe_apply+0xfc/0x130
 uprobe_perf_open [inline]
 trace_uprobe_register+0x5c9/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix the count of references lost in the __find_uprobe function.

Fixes: c6bc9bd06dff ("rbtree, uprobes: Use rbtree helpers")
Reported-by: syzbot+1182ffb2063c5d087a38@syzkaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
---
 kernel/events/uprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 7e15b2efdd87..6addc9780319 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -661,7 +661,7 @@ static struct uprobe *__find_uprobe(struct inode *inode, loff_t offset)
 	struct rb_node *node = rb_find(&key, &uprobes_tree, __uprobe_cmp_key);
 
 	if (node)
-		return __node_2_uprobe(node);
+		return get_uprobe(__node_2_uprobe(node));
 
 	return NULL;
 }
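Review bot: the restored get_uprobe() makes __find_uprobe() return a counted reference again, but the one-line commit body ("fix the count of references lost in __find_uprobe function") does not say why that reference matters. The traces in the message already tell the story: "Freed by" shows put_uprobe() reached from uprobe_apply() dropping the last reference, and the report fires in uprobe_cmp() while __uprobe_register() walks the rbtree and compares against that already freed uprobe. Suggest stating in the message that c6bc9bd06dff removed the get_uprobe() from the lookup while the callers still release the returned uprobe with put_uprobe(), so every lookup lost one reference. Separately, the Reported-by address (syzbot+1182ffb2063c5d087a38) differs from the syzbot address on the To: line (syzbot+2f6d683983e3905ad8d6); please reconcile them so the right syzbot bug is closed.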
-- 
2.17.1



* Re: [PATCH] uprobes: Fix kasan UAF reported by syzbot
  2021-02-02  9:35 [PATCH] uprobes: Fix kasan UAF reported by syzbot qiang.zhang
@ 2021-02-06  1:50 ` Zhang, Qiang
From: Zhang, Qiang @ 2021-02-06  1:50 UTC
  To: peterz@infradead.org, mingo@redhat.com,
	syzbot+2f6d683983e3905ad8d6@syzkaller.appspotmail.com,
	dbueso@suse.de
  Cc: oleg@redhat.com, linux-kernel@vger.kernel.org

Hello peterz
 This ("rbtree, uprobes: Use rbtree helpers") modification misses the increase in the reference count; syzbot has been reporting it recently.
Thanks
Qiang

________________________________________
From: Zhang, Qiang <qiang.zhang@windriver.com>
Sent: 2 February 2021 17:17
To: peterz@infradead.org; mingo@redhat.com; syzbot+2f6d683983e3905ad8d6@syzkaller.appspotmail.com
Cc: oleg@redhat.com; linux-kernel@vger.kernel.org
Subject: [PATCH] uprobes: Fix kasan UAF reported by syzbot

From: Zqiang <qiang.zhang@windriver.com>

Call Trace:
 __dump_stack [inline]
 dump_stack+0x107/0x163
 print_address_description.constprop.0.cold+0x5b/0x2f8
 __kasan_report [inline]
 kasan_report.cold+0x7c/0xd8
 uprobe_cmp [inline]
 __uprobe_cmp [inline]
 rb_find_add [inline]
 __insert_uprobe [inline]
 insert_uprobe [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x70f/0x850
 ..........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 12710:
 kzalloc [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x19c/0x850
 trace_uprobe_enable [inline]
 trace_uprobe_register+0x443/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12710:
 kfree+0xe5/0x7b0
 put_uprobe [inline]
 put_uprobe+0x13b/0x190
 uprobe_apply+0xfc/0x130
 uprobe_perf_open [inline]
 trace_uprobe_register+0x5c9/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix the count of references lost in the __find_uprobe function.

Fixes: c6bc9bd06dff ("rbtree, uprobes: Use rbtree helpers")
Reported-by: syzbot+1182ffb2063c5d087a38@syzkaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
---
 kernel/events/uprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 7e15b2efdd87..6addc9780319 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -661,7 +661,7 @@ static struct uprobe *__find_uprobe(struct inode *inode, loff_t offset)
        struct rb_node *node = rb_find(&key, &uprobes_tree, __uprobe_cmp_key);

        if (node)
-               return __node_2_uprobe(node);
+               return get_uprobe(__node_2_uprobe(node));

        return NULL;
 }
--
2.17.1

