kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   128c8d64704339fe2b17dd304c40cd51e8b80fb0
  2.   patches.suse
  3.   kprobes-Fix-double-free-of-kretprobe_holder.patch
Blob Blame History Raw 
From e14cbede05bc5f1ec13a802159f5374bdb84e7f2 Mon Sep 17 00:00:00 2001
From: Petr Pavlu <petr.pavlu@suse.com>
Date: Thu, 4 Apr 2024 16:44:02 +0200
Subject: [PATCH] kprobes: Fix double free of kretprobe_holder
Patch-mainline: Never, the code has been reworked upstream
References: bsc#1220901

When unregistering a kretprobe, the code in unregister_kretprobes() sets
rp->rph->rp to NULL which forces all associated kretprobe_instances
still in use to be later freed separately via free_rp_inst_rcu().

Function unregister_kretprobes() then calls free_rp_inst() which takes
care of releasing all currently unused kretprobe_instances, the ones
that are on the kretprobe's freelist. The code in free_rp_inst() counts
a number of these released kretprobe_instances and invokes
refcount_sub_and_test(count, &rp->rph->ref) to decrease the
kretprobe_holder's refcount and subsequently calls kfree(rp->rph) if the
function returns true, indicating the refcount reached zero.

It is possible that the number of released kretprobe_instances in
free_rp_inst() is zero and therefore refcount_sub_and_test() is invoked
with count=0. Additionally, depending on timing, it can happen
that all previously used kretprobe_instances were already freed via
free_rp_inst_rcu(). This means the refcount of kretprobe_holder already
reached zero and was deallocated.

The resulting call of refcount_sub_and_test(0, &rp->rph->ref) in
free_rp_inst() is then a use-after-free. If the memory previously
occupied by the refcount is still set to zero then the call returns true
and kretprobe_holder gets wrongly freed for the second time.

Fix the problem by adding a check for count>0 before calling
refcount_sub_and_test() in free_rp_inst().

Note that this code was reworked upstream in commit 4bbd93455659
("kprobes: kretprobe scalability improvement") and the new objpool
implementation doesn't have this problem.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
 kernel/kprobes.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 77f5bcfc9b54..e532418256cd 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1288,10 +1288,9 @@ static inline void free_rp_inst(struct kretprobe *rp)
 		count++;
 	}
 
-	if (refcount_sub_and_test(count, &rp->rph->ref)) {
+	if (count > 0 && refcount_sub_and_test(count, &rp->rph->ref))
 		kfree(rp->rph);
-		rp->rph = NULL;
-	}
+	rp->rph = NULL;
 }
 
 /* Add the new probe to ap->list */
-- 
2.44.0
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.