From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ye Bin <yebin10@huawei.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S. Miller" <davem@davemloft.net>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.6 47/77] proc: fix UAF in proc_get_inode()
Date: Tue, 25 Mar 2025 08:22:42 -0400 [thread overview]
Message-ID: <20250325122145.582355111@linuxfoundation.org> (raw)
In-Reply-To: <20250325122144.259256924@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.
Fix race between rmmod and /proc/XXX's inode instantiation.
The bug is that pde->proc_ops does not belong to /proc: it belongs to the
module that created the entry, so dereferencing it after the /proc entry has
been registered is a bug unless the use_pde()/unuse_pde() pair is used.
use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->... dereference.
rmmod lookup
sys_delete_module
proc_lookup_de
pde_get(de);
proc_get_inode(dir->i_sb, de);
mod->exit()
proc_remove
remove_proc_subtree
proc_entry_rundown(de);
free_module(mod);
if (S_ISREG(inode->i_mode))
if (de->proc_ops->proc_read_iter)
--> As module is already freed, will trigger UAF
BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_lookup_de+0x11f/0x2e0
__lookup_slow+0x188/0x350
walk_component+0x2ab/0x4f0
path_lookupat+0x120/0x660
filename_lookup+0x1ce/0x560
vfs_statx+0xac/0x150
__do_sys_newstat+0x96/0x110
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/generic.c | 10 +++++++++-
fs/proc/inode.c | 6 +++---
fs/proc/internal.h | 14 ++++++++++++++
include/linux/proc_fs.h | 7 +++++--
4 files changed, 31 insertions(+), 6 deletions(-)
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -557,10 +557,16 @@ struct proc_dir_entry *proc_create_reg(c
return p;
}
-static inline void pde_set_flags(struct proc_dir_entry *pde)
+static void pde_set_flags(struct proc_dir_entry *pde)
{
if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
pde->flags |= PROC_ENTRY_PERMANENT;
+ if (pde->proc_ops->proc_read_iter)
+ pde->flags |= PROC_ENTRY_proc_read_iter;
+#ifdef CONFIG_COMPAT
+ if (pde->proc_ops->proc_compat_ioctl)
+ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+#endif
}
struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
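Review bot: pde_set_flags() still dereferences pde->proc_ops unconditionally and relies on every creation path calling it before proc_register(); a path that assigns proc_ops and registers without it (none visible in this hunk, but entry creators in other files are not shown here) would silently get proc_reg_file_ops even when its ops provide proc_read_iter, the same kind of divergence this change is meant to remove. Calling it once from proc_register(), or at least documenting the contract, would close that gap. A header comment would also make the intent survive the next refactor: `/* Cache the proc_ops bits proc_get_inode() needs in pde->flags: proc_ops lives in the owning module and must not be dereferenced after registration. */`.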
@@ -624,6 +630,7 @@ struct proc_dir_entry *proc_create_seq_p
p->proc_ops = &proc_seq_ops;
p->seq_ops = ops;
p->state_size = state_size;
+ pde_set_flags(p);
return proc_register(parent, p);
}
EXPORT_SYMBOL(proc_create_seq_private);
@@ -654,6 +661,7 @@ struct proc_dir_entry *proc_create_singl
return NULL;
p->proc_ops = &proc_single_ops;
p->single_show = show;
+ pde_set_flags(p);
return proc_register(parent, p);
}
EXPORT_SYMBOL(proc_create_single_data);
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -679,13 +679,13 @@ struct inode *proc_get_inode(struct supe
if (S_ISREG(inode->i_mode)) {
inode->i_op = de->proc_iops;
- if (de->proc_ops->proc_read_iter)
+ if (pde_has_proc_read_iter(de))
inode->i_fop = &proc_iter_file_ops;
else
inode->i_fop = &proc_reg_file_ops;
#ifdef CONFIG_COMPAT
- if (de->proc_ops->proc_compat_ioctl) {
- if (de->proc_ops->proc_read_iter)
+ if (pde_has_proc_compat_ioctl(de)) {
+ if (pde_has_proc_read_iter(de))
inode->i_fop = &proc_iter_file_ops_compat;
else
inode->i_fop = &proc_reg_file_ops_compat;
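Review bot: The rewritten branches no longer touch de->proc_ops, but nothing in proc_get_inode() records why, so the direct dereference is easy to reintroduce the next time a proc_ops field needs checking at instantiation time. A short comment above the S_ISREG block would pin the rule: `/* Do not dereference de->proc_ops here: it belongs to the owning module, which may already be unloaded; use the bits cached by pde_set_flags(). */`. The `#ifdef CONFIG_COMPAT` guard could arguably go now that pde_has_proc_compat_ioctl() returns false without CONFIG_COMPAT, but only if the _compat fops are defined unconditionally, which is not visible here. proc_get_inode() starts and ends outside the hunk.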
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -84,6 +84,20 @@ static inline void pde_make_permanent(st
pde->flags |= PROC_ENTRY_PERMANENT;
}
+static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
+{
+ return pde->flags & PROC_ENTRY_proc_read_iter;
+}
+
+static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
+{
+#ifdef CONFIG_COMPAT
+ return pde->flags & PROC_ENTRY_proc_compat_ioctl;
+#else
+ return false;
+#endif
+}
+
extern struct kmem_cache *proc_dir_entry_cache;
void pde_free(struct proc_dir_entry *pde);
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -20,10 +20,13 @@ enum {
* If in doubt, ignore this flag.
*/
#ifdef MODULE
- PROC_ENTRY_PERMANENT = 0U,
+ PROC_ENTRY_PERMANENT = 0U,
#else
- PROC_ENTRY_PERMANENT = 1U << 0,
+ PROC_ENTRY_PERMANENT = 1U << 0,
#endif
+
+ PROC_ENTRY_proc_read_iter = 1U << 1,
+ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
};
struct proc_ops {
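Review bot: The two new bits sit in the same public enum as PROC_ENTRY_PERMANENT, which the comment above presents as a value callers may place in proc_ops.proc_flags, but they are procfs-internal and only meaningful when set by pde_set_flags(); nothing says so, and a driver setting them in proc_flags would get no effect. A comment on the new entries would prevent that: `/* Internal: mirrors of proc_ops fields, filled in by pde_set_flags(); do not set these in proc_ops.proc_flags. */`. The lowercase suffixes also break the UPPER_SNAKE convention of the surrounding enum, presumably to match the proc_ops field names; that is worth a word in the same comment. Whether pde->flags is wide enough for bit 2 is not visible here.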