Commit 85b642bd authored by Zheng Yejian's avatar Zheng Yejian
Browse files

ftrace: Fix possible use-after-free issue in ftrace_location() 

mainline inclusion
from mainline-v6.10-rc1
commit e60b613df8b6253def41215402f72986fee3fc8d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5H
CVE: CVE-2024-38588

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e60b613df8b6253def41215402f72986fee3fc8d

------------------------------------------------------

KASAN reports a bug:

  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
  Read of size 8 at addr ffff888141d40010 by task insmod/424
  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+
  [...]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x68/0xa0
   print_report+0xcf/0x610
   kasan_report+0xb5/0xe0
   ftrace_location+0x90/0x120
   register_kprobe+0x14b/0xa40
   kprobe_init+0x2d/0xff0 [kprobe_example]
   do_one_initcall+0x8f/0x2d0
   do_init_module+0x13a/0x3c0
   load_module+0x3082/0x33d0
   init_module_from_file+0xd2/0x130
   __x64_sys_finit_module+0x306/0x440
   do_syscall_64+0x68/0x140
   entry_SYSCALL_64_after_hwframe+0x71/0x79

The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:

           CPU1                       |      CPU2
  register_kprobes() {                | delete_module() {
    check_kprobe_address_safe() {     |
      arch_check_ftrace_location() {  |
        ftrace_location() {           |
          lookup_rec() // USE!        |   ftrace_release_mod() // Free!

To fix this issue:
  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
  2. Use ftrace_location_range() instead of lookup_rec() in
     ftrace_location();
  3. Call synchronize_rcu() before freeing any ftrace pages both in
     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().

Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com



Cc: stable@vger.kernel.org
Cc: <mhiramat@kernel.org>
Cc: <mark.rutland@arm.com>
Cc: <mathieu.desnoyers@efficios.com>
Fixes: ae6aa16f ("kprobes: introduce ftrace based optimization")
Suggested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
Conflicts:
	kernel/trace/ftrace.c
[Resolve conflicts due to lack of commit aebfd125 ("x86/ibt,ftrace:
 Search for __fentry__ location")]
Signed-off-by: default avatarZheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
parent 3f736df9

kernel/trace/ftrace.c

+21 −7
Original line number Diff line number Diff line
@@ -1576,10 +1576,12 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) 
	struct ftrace_page *pg;

	struct dyn_ftrace *rec;

	struct dyn_ftrace key;

	unsigned long ip = 0;



	key.ip = start;

	key.flags = end;	/* overload flags, as it is unsigned long */



	rcu_read_lock();

	for (pg = ftrace_pages_start; pg; pg = pg->next) {

		if (pg->index == 0 ||

		    end < pg->records[0].ip ||
@@ -1588,11 +1590,14 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) 
		rec = bsearch(&key, pg->records, pg->index,

			      sizeof(struct dyn_ftrace),

			      ftrace_cmp_recs);

		if (rec)

			return rec->ip;

		if (rec) {

			ip = rec->ip;

			break;

		}

	}

	rcu_read_unlock();



	return 0;

	return ip;

}



/**
@@ -5682,6 +5687,8 @@ static int ftrace_process_locs(struct module *mod, 
	/* We should have used all pages unless we skipped some */

	if (pg_unuse) {

		WARN_ON(!skipped);

		/* Need to synchronize with ftrace_location_range() */

		synchronize_rcu();

		ftrace_free_pages(pg_unuse);

	}

	return ret;
@@ -5836,6 +5843,9 @@ void ftrace_release_mod(struct module *mod) 
 out_unlock:

	mutex_unlock(&ftrace_lock);



	/* Need to synchronize with ftrace_location_range() */

	if (tmp_page)

		synchronize_rcu();

	for (pg = tmp_page; pg; pg = tmp_page) {



		/* Needs to be called outside of ftrace_lock */
@@ -6144,13 +6154,13 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) 
	unsigned long start = (unsigned long)(start_ptr);

	unsigned long end = (unsigned long)(end_ptr);

	struct ftrace_page **last_pg = &ftrace_pages_start;

	struct ftrace_page *tmp_page = NULL;

	struct ftrace_page *pg;

	struct dyn_ftrace *rec;

	struct dyn_ftrace key;

	struct ftrace_mod_map *mod_map = NULL;

	struct ftrace_init_func *func, *func_next;

	struct list_head clear_hash;

	int order;



	INIT_LIST_HEAD(&clear_hash);
@@ -6188,9 +6198,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) 
		ftrace_update_tot_cnt--;

		if (!pg->index) {

			*last_pg = pg->next;

			order = get_count_order(pg->size / ENTRIES_PER_PAGE);

			free_pages((unsigned long)pg->records, order);

			kfree(pg);

			pg->next = tmp_page;

			tmp_page = pg;

			pg = container_of(last_pg, struct ftrace_page, next);

			if (!(*last_pg))

				ftrace_pages = pg;
@@ -6207,6 +6216,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) 
		clear_func_from_hashes(func);

		kfree(func);

	}

	/* Need to synchronize with ftrace_location_range() */

	if (tmp_page) {

		synchronize_rcu();

		ftrace_free_pages(tmp_page);

	}

}



void __init ftrace_free_init_mem(void)