Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-06 05:06:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
efcf38d279
linux-stable/kernel/trace
History
Yang Jihong 4c34a2a6c9 ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead 
commit c3b0f72e80 upstream.

ftrace_startup does not remove ops from ftrace_ops_list when
ftrace_startup_enable fails:

register_ftrace_function
  ftrace_startup
    __register_ftrace_function
      ...
      add_ftrace_ops(&ftrace_ops_list, ops)
      ...
    ...
    ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1
    ...
  return 0 // ops is in the ftrace_ops_list.

When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:
unregister_ftrace_function
  ftrace_shutdown
    if (unlikely(ftrace_disabled))
            return -ENODEV;  // return here, __unregister_ftrace_function is not executed,
                             // as a result, ops is still in the ftrace_ops_list
    __unregister_ftrace_function
    ...

If ops is dynamically allocated, it will be free later, in this case,
is_ftrace_trampoline accesses NULL pointer:

is_ftrace_trampoline
  ftrace_ops_trampoline
    do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!

Syzkaller reports as follows:
[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b
[ 1203.508039] #PF: supervisor read access in kernel mode
[ 1203.508798] #PF: error_code(0x0000) - not-present page
[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0
[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI
[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G    B   W         5.10.0 #8
[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0
[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00
[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246
[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866
[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b
[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07
[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399
[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008
[ 1203.525634] FS:  00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
[ 1203.526801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0
[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Therefore, when ftrace_startup_enable fails, we need to rollback registration
process and remove ops from ftrace_ops_list.

Link: https://lkml.kernel.org/r/20220818032659.56209-1-yangjihong1@huawei.com

Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-09-05 10:25:06 +02:00
..
blktrace.c blktrace: Fix uaf in blk_trace access after removing by sysfs 2021-10-06 15:05:06 +02:00
bpf_trace.c bpf: fix check of allowed specifiers in bpf_trace_printk 2018-12-17 09:28:50 +01:00
ftrace.c ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead 2022-09-05 10:25:06 +02:00
Kconfig Stop the ad-hoc games with -Wno-maybe-initialized 2020-05-20 08:17:10 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
power-traces.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ring_buffer_benchmark.c ring-buffer: Have ring_buffer_alloc_read_page() return error on offline CPU 2017-08-02 14:23:02 -04:00
ring_buffer.c tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. 2021-07-28 11:12:19 +02:00
rpm-traces.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_benchmark.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_benchmark.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_branch.c Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP" 2019-07-03 13:15:57 +02:00
trace_clock.c tracing: Do no increment trace_clock_global() by one 2021-06-30 08:48:53 -04:00
trace_entries.h tracing: Set kernel_stack's caller size properly 2020-10-01 13:12:32 +02:00
trace_event_perf.c perf/ftrace: Fix double traces of perf on ftrace:function 2017-08-29 13:29:29 +02:00
trace_events_filter_test.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_events_filter.c tracing: Fix regex_match_front() to not over compare the test string 2018-05-16 10:10:27 +02:00
trace_events_hist.c tracing: Do not reference char * as a string in histograms 2021-07-20 16:17:48 +02:00
trace_events_trigger.c tracing: Dump stacktrace trigger to the corresponding instance 2022-04-27 13:15:29 +02:00
trace_events.c tracing: Check pid filtering when creating events 2021-12-08 08:46:49 +01:00
trace_export.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_functions_graph.c tracing/fgraph: Fix set_graph_function from showing interrupts 2019-05-16 19:42:27 +02:00
trace_functions.c tracing: Have all levels of checks prevent recursion 2021-10-27 09:51:41 +02:00
trace_hwlat.c tracing/hwlat: Honor the tracing_cpumask 2020-08-21 09:48:19 +02:00
trace_irqsoff.c tracing/fgraph: Fix set_graph_function from showing interrupts 2019-05-16 19:42:27 +02:00
trace_kdb.c tracing: Silence GCC 9 array bounds warning 2019-06-25 11:36:50 +08:00
trace_kprobe.c ftrace/kprobe: Show the maxactive number on kprobe_events 2020-04-24 08:00:50 +02:00
trace_mmiotrace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_nop.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_output.c tracing: Reorder display of TGID to be after PID 2018-07-17 11:39:30 +02:00
trace_output.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_printk.c tracing: Handle NULL formats in hold_module_trace_bprintk_format() 2016-06-20 09:46:12 -04:00
trace_probe.c tracing: probeevent: Fix to support minus offset from symbol 2018-03-28 18:24:42 +02:00
trace_probe.h tracing: probeevent: Fix to support minus offset from symbol 2018-03-28 18:24:42 +02:00
trace_sched_switch.c tracing: Fix sched switch start/stop refcount racy updates 2020-02-14 16:32:07 -05:00
trace_sched_wakeup.c kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail 2020-01-14 20:05:40 +01:00
trace_selftest_dynamic.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_selftest.c ftrace: Handle tracing when switching between context 2020-11-10 10:29:04 +01:00
trace_seq.c tracing: use %*pb[l] to print bitmaps including cpumasks and nodemasks 2015-02-13 21:21:37 -08:00
trace_stack.c tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined 2020-01-14 20:05:40 +01:00
trace_stat.c tracing: Fix very unlikely race of registering two stat tracers 2020-02-28 16:35:58 +01:00
trace_stat.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_syscalls.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace_uprobe.c tracing/uprobes: Fix output for multiple string arguments 2019-02-20 10:20:53 +01:00
trace.c tracing: Avoid adding tracer option before update_tracer_options 2022-06-14 16:53:58 +02:00
trace.h tracing: Fix pid filtering when triggers are attached 2021-12-08 08:46:48 +01:00
tracing_map.c tracing: Fix a kmemleak false positive in tracing_map 2021-12-22 09:17:58 +01:00
tracing_map.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00