From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751732AbdJYMbH (ORCPT ); Wed, 25 Oct 2017 08:31:07 -0400 Received: from szxga05-in.huawei.com ([45.249.212.191]:9500 "EHLO szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751637AbdJYMbG (ORCPT ); Wed, 25 Oct 2017 08:31:06 -0400 Message-ID: <59F08398.3020707@huawei.com> Date: Wed, 25 Oct 2017 20:29:12 +0800 From: Bixuan Cui User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 MIME-Version: 1.0 To: CC: "Libin (Huawei)" , "kangwen (A)" Subject: [PATCH] kernel/kprobes: add check to avoid memory leaks Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.177.222.129] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090203.59F08407.00D5,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 3fa1412a6d2b002082a3a4ee512e08fd Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The register_kretprobe(struct kretprobe *rp) creates and initializes a hash list for rp->free_instances when register kretprobe every time. Then malloc memory for it. The test case: static struct kretprobe rp; struct kretprobe *rps[2]={&rp, &rp}; static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs) { printk(KERN_DEBUG "ret_handler\n"); return 0; } static int entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs) { printk(KERN_DEBUG "entry_handler\n"); return 0; } static int __init kretprobe_init(void) { int ret; rp.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("do_fork"); rp.handler=ret_handler; rp.entry_handler=entry_handler; rp.maxactive = 3; ret = register_kretprobes(rps,2); Result: unreferenced object 0xffff8010b12ad980 (size 64): comm "insmod", pid 17352, jiffies 4298977824 (age 63065.756s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 d8 84 12 fc ff 7f ff ff ................ 74 65 73 74 52 65 67 4b 72 65 74 70 72 6f 62 65 testRegKretprobe backtrace: [] create_object+0x1e0/0x3f0 [] kmemleak_alloc+0x6c/0xf0 [] __kmalloc+0x23c/0x2e0 [] register_kretprobe+0x12c/0x350 When call register_kretprobes(struct kretprobe **rps, int num) with the same rps(num>=2). The first time,call INIT_HLIST_HEAD() and kmalloc() to malloc memory for the hash list,then save into rp->free_instances. The second time,call INIT_HLIST_HEAD() and kmalloc() then create a new hash list into rp->free_instances and lost the first rp->free_instances. So add check to avoid it. Reported-and-tested-by: kangwen Signed-off-by: Bixuan Cui --- kernel/kprobes.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 6301dae..f19f191 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1890,10 +1890,16 @@ EXPORT_SYMBOL_GPL(register_kretprobe); int register_kretprobes(struct kretprobe **rps, int num) { - int ret = 0, i; + int ret = 0, i, j; if (num <= 0) return -EINVAL; + + for (i = 0; i < num-1; i++) + for (j = i+1; j < num; j++) + if (rps[i] == rps[j]) + return -EINVAL; + for (i = 0; i < num; i++) { ret = register_kretprobe(rps[i]); if (ret < 0) { -- 2.6.2