From: Cheng Jian cj.chengjian@huawei.com
hulk inclusion
category: bugfix
bugzilla: 31369
CVE: NA
---------------------------
Our system encountered a use-after-free when re-registering the same kretprobe: it accesses the kretprobe_instance in rp->free_instances, which has already been released.
Prevention of re-registration has been implemented for kprobe before, but it comes too late for kretprobe. We must check for re-registration before re-initializing the kretprobe; otherwise it will destroy the data and struct of the registered kretprobe, which can lead to a use-after-free, a memory leak, a system crash, and even other unexpected behaviors.
Use check_kprobe_rereg() to check for re-registration, and also give a warning message.
Link: https://lkml.org/lkml/2020/3/6/167
Signed-off-by: Cheng Jian cj.chengjian@huawei.com
Acked-by: Masami Hiramatsu mhiramat@kernel.org
Reviewed-by: Xie XiuQi xiexiuqi@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 kernel/kprobes.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 35d3ac6..1ac445d 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1923,6 +1923,14 @@ int register_kretprobe(struct kretprobe *rp) } }
+ /* + * Return error if it's being re-registered, + * also give a warning message to the developer. + */ + ret = check_kprobe_rereg(&rp->kp); + if (WARN_ON(ret)) + return ret; + rp->kp.pre_handler = pre_handler_kretprobe; rp->kp.post_handler = NULL; rp->kp.fault_handler = NULL;
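Review bot: The ordering is the whole fix here, so the new comment should say so: check_kprobe_rereg(&rp->kp) must run before rp->kp.pre_handler, post_handler and fault_handler are overwritten on the lines that follow, because once those fields (and the rest of the kretprobe state the commit message refers to) are reset, the already-registered probe has been clobbered and returning an error no longer helps. A one-line addition such as "Must be checked before any field of @rp is re-initialized below." would stop a future reordering from silently reintroducing the use-after-free. On the same hunk, WARN_ON(ret) emits a full stack dump every time a buggy caller retries the double registration; since the condition is a caller bug rather than a transient state, WARN_ON_ONCE(ret) gives the developer the same diagnostic without letting a retry loop flood the log, and the return value is still propagated either way.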