Unverified Commit b654f43f authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!14931 bpf: Fix theoretical prog_array UAF in __uprobe_perf_func()

parents c15f5cb6 bda5e08a
+5 −8
@@ -2078,26 +2078,25 @@ bpf_prog_run_array(const struct bpf_prog_array *array,
 * rcu-protected dynamically sized maps.
 */
static __always_inline u32
bpf_prog_run_array_uprobe(const struct bpf_prog_array __rcu *array_rcu,
bpf_prog_run_array_uprobe(const struct bpf_prog_array *array,
			  const void *ctx, bpf_prog_run_fn run_prog)
{
	const struct bpf_prog_array_item *item;
	const struct bpf_prog *prog;
	const struct bpf_prog_array *array;
	struct bpf_run_ctx *old_run_ctx;
	struct bpf_trace_run_ctx run_ctx;
	u32 ret = 1;

	might_fault();
	RCU_LOCKDEP_WARN(!rcu_read_lock_trace_held(), "no rcu lock held");

	if (unlikely(!array))
		return ret;

	rcu_read_lock_trace();
	migrate_disable();

	run_ctx.is_uprobe = true;

	array = rcu_dereference_check(array_rcu, rcu_read_lock_trace_held());
	if (unlikely(!array))
		goto out;
	old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
	item = &array->items[0];
	while ((prog = READ_ONCE(item->prog))) {
@@ -2112,9 +2111,7 @@ bpf_prog_run_array_uprobe(const struct bpf_prog_array __rcu *array_rcu,
			rcu_read_unlock();
	}
	bpf_reset_run_ctx(old_run_ctx);
out:
	migrate_enable();
	rcu_read_unlock_trace();
	return ret;
}
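Review bot: The new locking contract — the caller must already hold rcu_read_lock_trace() and keep it held for the whole call, since `array` is now a plain pointer that is dereferenced without any RCU accessor inside the function — is enforced only by `RCU_LOCKDEP_WARN(!rcu_read_lock_trace_held(), "no rcu lock held")`, which compiles to nothing unless CONFIG_PROVE_RCU is enabled, so it should also be stated in the function's header comment, which begins above this hunk. I would extend that comment with `Caller must hold rcu_read_lock_trace() across this call; @array is only valid under it, and the programs may sleep (see might_fault()).` The early `return ret` for a NULL @array keeps the old behaviour of returning 1 when there is nothing to run, so the caller-visible result is unchanged. The second hunk's header still shows the old `__rcu *array_rcu` signature, but that is only diff context.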

+5 −1
@@ -1346,9 +1346,13 @@ static void __uprobe_perf_func(struct trace_uprobe *tu,

#ifdef CONFIG_BPF_EVENTS
	if (bpf_prog_array_valid(call)) {
		const struct bpf_prog_array *array;
		u32 ret;

		ret = bpf_prog_run_array_uprobe(call->prog_array, regs, bpf_prog_run);
		rcu_read_lock_trace();
		array = rcu_dereference_check(call->prog_array, rcu_read_lock_trace_held());
		ret = bpf_prog_run_array_uprobe(array, regs, bpf_prog_run);
		rcu_read_unlock_trace();
		if (!ret)
			return;
	}
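Review bot: The `rcu_read_lock_trace()` / `rcu_read_unlock_trace()` pair now brackets both the `rcu_dereference_check()` of `call->prog_array` and the program run, but nothing in the new lines says why the critical section was moved out here rather than left inside `bpf_prog_run_array_uprobe()`, so a later cleanup could shrink it back to just the dereference and reintroduce the use-after-free this commit fixes. I would add above `rcu_read_lock_trace();`: `/* Keep the trace-RCU section open across the run, not just the dereference: the array may go away once it is dropped. */`. `bpf_prog_array_valid(call)` on the line above is still evaluated outside the section, which is presumably acceptable as an unlocked hint since the pointer is re-read under the lock, but worth confirming it uses an RCU-safe accessor. `__uprobe_perf_func` starts and ends outside this hunk.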