From: Cheng Jian <cj.chengjian@huawei.com> hulk inclusion category: bugfix bugzilla: 31369 CVE: NA --------------------------- Our system encountered a use-after-free when re-register the same kretprobe, it access the kretprobe_instance in rp->free_instances which has been released already. Prevent re-registration has been implemented for kprobe before, but it's too late for kretprobe. We must check the re-registration before re-initializing the kretprobe, otherwise it will destroy the data and struct of the kretprobe registered, it can lead to use-after-free, memory leak, system crash, and even other unexpected behaviors. Use check_kprobe_rereg() to check re-registration, also give a warning message. Link: https://lkml.org/lkml/2020/3/6/167 Signed-off-by: Cheng Jian <cj.chengjian@huawei.com> Acked-by: Masami Hiramatsu <mhiramat@kernel.org> Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- kernel/kprobes.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 35d3ac6..1ac445d 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1923,6 +1923,14 @@ int register_kretprobe(struct kretprobe *rp) } } + /* + * Return error if it's being re-registered, + * also give a warning message to the developer. + */ + ret = check_kprobe_rereg(&rp->kp); + if (WARN_ON(ret)) + return ret; + rp->kp.pre_handler = pre_handler_kretprobe; rp->kp.post_handler = NULL; rp->kp.fault_handler = NULL; -- 1.8.3