diff mbox series

[bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set

Message ID 20220422164027.GA7862@pi3.com.pl (mailing list archive)
State Accepted
Delegated to: BPF
Headers show
Series [bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/cc_maintainers warning 7 maintainers not CCed: songliubraving@fb.com netdev@vger.kernel.org daniel@iogearbox.net kafai@fb.com yhs@fb.com john.fastabend@gmail.com kpsingh@kernel.org
netdev/build_clang success Errors and warnings before: 10 this patch: 10
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 3 this patch: 3
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 1 this patch: 1
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-VM_Test-1 fail Logs for Kernel LATEST on ubuntu-latest + selftests
bpf/vmtest-bpf-VM_Test-2 fail Logs for Kernel LATEST on z15 + selftests

Commit Message

Adam Zabrocki April 22, 2022, 4:40 p.m. UTC 
[PATCH bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set

The recent kernel change "kprobes: Use rethook for kretprobe if possible",
introduced a potential NULL pointer dereference bug in the KRETPROBE
mechanism. The official Kprobes documentation defines that "Any or all
handlers can be NULL". Unfortunately, there is a missing return handler
verification to fulfill these requirements and can result in a NULL pointer
dereference bug.

This patch adds such verification in kretprobe_rethook_handler() function.

Fixes: 73f9b911faa7 ("kprobes: Use rethook for kretprobe if possible")
Signed-off-by: Adam Zabrocki <pi3@pi3.com.pl>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
---
 kernel/kprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Daniel Borkmann April 25, 2022, 2:42 p.m. UTC | #1 
On 4/22/22 6:40 PM, Adam Zabrocki wrote:
> [PATCH bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set
> 
> The recent kernel change "kprobes: Use rethook for kretprobe if possible",
> introduced a potential NULL pointer dereference bug in the KRETPROBE
> mechanism. The official Kprobes documentation defines that "Any or all
> handlers can be NULL". Unfortunately, there is a missing return handler
> verification to fulfill these requirements and can result in a NULL pointer
> dereference bug.
> 
> This patch adds such verification in kretprobe_rethook_handler() function.
> 
> Fixes: 73f9b911faa7 ("kprobes: Use rethook for kretprobe if possible")
> Signed-off-by: Adam Zabrocki <pi3@pi3.com.pl>
> Acked-by: Masami Hiramatsu <mhiramat@kernel.org>

I don't mind if this fix gets routed via bpf tree if all parties are okay with
it (Masami? Steven?). Just noting that there is currently no specific dependency
in bpf tree for it, but if it's easier to route this way, happy to take it.

> ---
>   kernel/kprobes.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/kprobes.c b/kernel/kprobes.c
> index dbe57df2e199..dd58c0be9ce2 100644
> --- a/kernel/kprobes.c
> +++ b/kernel/kprobes.c
> @@ -2126,7 +2126,7 @@ static void kretprobe_rethook_handler(struct rethook_node *rh, void *data,
>   	struct kprobe_ctlblk *kcb;
>   
>   	/* The data must NOT be null. This means rethook data structure is broken. */
> -	if (WARN_ON_ONCE(!data))
> +	if (WARN_ON_ONCE(!data) || !rp->handler)
>   		return;
>   
>   	__this_cpu_write(current_kprobe, &rp->kp);
> 

Thanks,
Daniel
Masami Hiramatsu (Google) April 26, 2022, 8:50 a.m. UTC | #2 
On Mon, 25 Apr 2022 16:42:12 +0200
Daniel Borkmann <daniel@iogearbox.net> wrote:

> On 4/22/22 6:40 PM, Adam Zabrocki wrote:
> > [PATCH bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set
> > 
> > The recent kernel change "kprobes: Use rethook for kretprobe if possible",
> > introduced a potential NULL pointer dereference bug in the KRETPROBE
> > mechanism. The official Kprobes documentation defines that "Any or all
> > handlers can be NULL". Unfortunately, there is a missing return handler
> > verification to fulfill these requirements and can result in a NULL pointer
> > dereference bug.
> > 
> > This patch adds such verification in kretprobe_rethook_handler() function.
> > 
> > Fixes: 73f9b911faa7 ("kprobes: Use rethook for kretprobe if possible")
> > Signed-off-by: Adam Zabrocki <pi3@pi3.com.pl>
> > Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
> 
> I don't mind if this fix gets routed via bpf tree if all parties are okay with
> it (Masami? Steven?). Just noting that there is currently no specific dependency
> in bpf tree for it, but if it's easier to route this way, happy to take it.

Yeah, I and Steve talked about it and he suggested this to be merged
via BPF tree since the original commit came from the BPF tree.

Thank you,

> 
> > ---
> >   kernel/kprobes.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/kernel/kprobes.c b/kernel/kprobes.c
> > index dbe57df2e199..dd58c0be9ce2 100644
> > --- a/kernel/kprobes.c
> > +++ b/kernel/kprobes.c
> > @@ -2126,7 +2126,7 @@ static void kretprobe_rethook_handler(struct rethook_node *rh, void *data,
> >   	struct kprobe_ctlblk *kcb;
> >   
> >   	/* The data must NOT be null. This means rethook data structure is broken. */
> > -	if (WARN_ON_ONCE(!data))
> > +	if (WARN_ON_ONCE(!data) || !rp->handler)
> >   		return;
> >   
> >   	__this_cpu_write(current_kprobe, &rp->kp);
> > 
> 
> Thanks,
> Daniel
Daniel Borkmann April 26, 2022, 2:18 p.m. UTC | #3 
On 4/26/22 10:50 AM, Masami Hiramatsu wrote:
> On Mon, 25 Apr 2022 16:42:12 +0200
> Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 4/22/22 6:40 PM, Adam Zabrocki wrote:
>>> [PATCH bpf] x86/kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set
>>>
>>> The recent kernel change "kprobes: Use rethook for kretprobe if possible",
>>> introduced a potential NULL pointer dereference bug in the KRETPROBE
>>> mechanism. The official Kprobes documentation defines that "Any or all
>>> handlers can be NULL". Unfortunately, there is a missing return handler
>>> verification to fulfill these requirements and can result in a NULL pointer
>>> dereference bug.
>>>
>>> This patch adds such verification in kretprobe_rethook_handler() function.
>>>
>>> Fixes: 73f9b911faa7 ("kprobes: Use rethook for kretprobe if possible")
>>> Signed-off-by: Adam Zabrocki <pi3@pi3.com.pl>
>>> Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
>>
>> I don't mind if this fix gets routed via bpf tree if all parties are okay with
>> it (Masami? Steven?). Just noting that there is currently no specific dependency
>> in bpf tree for it, but if it's easier to route this way, happy to take it.
> 
> Yeah, I and Steve talked about it and he suggested this to be merged
> via BPF tree since the original commit came from the BPF tree.

Okay, I just applied it to bpf tree then.

Thanks everyone,
Daniel
diff mbox series

Patch

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index dbe57df2e199..dd58c0be9ce2 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2126,7 +2126,7 @@  static void kretprobe_rethook_handler(struct rethook_node *rh, void *data,
 	struct kprobe_ctlblk *kcb;
 
 	/* The data must NOT be null. This means rethook data structure is broken. */
-	if (WARN_ON_ONCE(!data))
+	if (WARN_ON_ONCE(!data) || !rp->handler)
 		return;
 
 	__this_cpu_write(current_kprobe, &rp->kp);