Hello peterz,

This ("rbtree, uprobes: Use rbtree helpers") modification misses the increase in the reference count; syzbot has been reporting it recently.

Thanks,
Qiang
________________________________________
From: Zhang, Qiang <qiang.zh...@windriver.com>
Sent: February 2, 2021 17:17
To: pet...@infradead.org; mi...@redhat.com; syzbot+2f6d683983e3905ad...@syzkaller.appspotmail.com
Cc: o...@redhat.com; linux-kernel@vger.kernel.org
Subject: [PATCH] uprobes: Fix kasan UAF reported by syzbot

From: Zqiang <qiang.zh...@windriver.com>

Call Trace:
 __dump_stack [inline]
 dump_stack+0x107/0x163
 print_address_description.constprop.0.cold+0x5b/0x2f8
 __kasan_report [inline]
 kasan_report.cold+0x7c/0xd8
 uprobe_cmp [inline]
 __uprobe_cmp [inline]
 rb_find_add [inline]
 __insert_uprobe [inline]
 insert_uprobe [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x70f/0x850
 ..........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 12710:
 kzalloc [inline]
 alloc_uprobe [inline]
 __uprobe_register+0x19c/0x850
 trace_uprobe_enable [inline]
 trace_uprobe_register+0x443/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12710:
 kfree+0xe5/0x7b0
 put_uprobe [inline]
 put_uprobe+0x13b/0x190
 uprobe_apply+0xfc/0x130
 uprobe_perf_open [inline]
 trace_uprobe_register+0x5c9/0x880
 ...........
 __do_sys_perf_event_open+0x647/0x2e60
 do_syscall_64+0x2d/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

fix the count of references lost in __find_uprobe function

Fixes: c6bc9bd06dff ("rbtree, uprobes: Use rbtree helpers")
Reported-by: syzbot+1182ffb2063c5d087...@syzkaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zh...@windriver.com>
---
 kernel/events/uprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 7e15b2efdd87..6addc9780319 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -661,7 +661,7 @@ static struct uprobe *__find_uprobe(struct inode *inode, loff_t offset) struct rb_node *node = rb_find(&key, &uprobes_tree, __uprobe_cmp_key); if (node) - return __node_2_uprobe(node); + return get_uprobe(__node_2_uprobe(node)); return NULL; } -- 2.17.1
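Review bot: The one-line change in this hunk is correct in intent, since wrapping the rb_find() result in get_uprobe() restores the reference that the caller later drops with put_uprobe() (visible in the "Freed by" trace via uprobe_apply), but the commit message should say so explicitly rather than only "fix the count of references lost in __find_uprobe function": state that the rbtree-helper conversion in c6bc9bd06dff dropped the refcount increment on lookup, that every caller of __find_uprobe() owns one reference on the returned uprobe and releases it with put_uprobe(), and that taking the reference here is safe because the lookup runs under the tree lock, so the node cannot be freed between rb_find() and get_uprobe(). It is also worth adding a short comment above the `return get_uprobe(__node_2_uprobe(node));` line noting that the returned pointer carries a reference the caller must drop, so the next refactor of this lookup does not silently lose it again.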