* [PATCH] static_call: fix null-ptr-deref in static_call_del_module
@ 2021-10-09 7:44 Wang Hai
2021-10-09 10:00 ` Peter Zijlstra
0 siblings, 1 reply; 3+ messages in thread
From: Wang Hai @ 2021-10-09 7:44 UTC (permalink / raw)
To: peterz, jpoimboe, jbaron, rostedt, ardb, mingo; +Cc: linux-kernel
I got a NULL pointer dereference report when doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000009
...
RIP: 0010:static_call_del_module+0x7a/0x100
...
Call Trace:
static_call_module_notify+0x1e1/0x200
notifier_call_chain_robust+0x6f/0xe0
blocking_notifier_call_chain_robust+0x4e/0x70
load_module+0x21f7/0x2b60
__do_sys_finit_module+0xb0/0xf0
? __do_sys_finit_module+0xb0/0xf0
__x64_sys_finit_module+0x1a/0x20
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
When loading a module, if it fails to allocate memory for static
calls, it will delete the non-existent mods (mods == 1) in the
static_call_module_notify()'s error path.
static_call_module_notify
static_call_add_module
__static_call_init
site_mod = kzalloc() // fault injection
static_call_del_module // access non-existent mods
This patch fixes the bug by skipping the operation when the key
has no mods.
Fixes: a945c8345ec0 ("static_call: Allow early init")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
---
kernel/static_call.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/static_call.c b/kernel/static_call.c
index 43ba0b1e0edb..c3f8ffc5a52f 100644
--- a/kernel/static_call.c
+++ b/kernel/static_call.c
@@ -400,7 +400,7 @@ static void static_call_del_module(struct module *mod)
for (site = start; site < stop; site++) {
key = static_call_key(site);
- if (key == prev_key)
+ if (key == prev_key || !static_call_key_has_mods(key))
continue;
prev_key = key;
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] static_call: fix null-ptr-deref in static_call_del_module
2021-10-09 7:44 [PATCH] static_call: fix null-ptr-deref in static_call_del_module Wang Hai
@ 2021-10-09 10:00 ` Peter Zijlstra
2021-10-11 3:18 ` wanghai (M)
0 siblings, 1 reply; 3+ messages in thread
From: Peter Zijlstra @ 2021-10-09 10:00 UTC (permalink / raw)
To: Wang Hai; +Cc: jpoimboe, jbaron, rostedt, ardb, mingo, linux-kernel
On Sat, Oct 09, 2021 at 03:44:28PM +0800, Wang Hai wrote:
> I got a NULL pointer dereference report when doing fault injection test:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000009
> ...
> RIP: 0010:static_call_del_module+0x7a/0x100
> ...
> Call Trace:
> static_call_module_notify+0x1e1/0x200
> notifier_call_chain_robust+0x6f/0xe0
> blocking_notifier_call_chain_robust+0x4e/0x70
> load_module+0x21f7/0x2b60
> __do_sys_finit_module+0xb0/0xf0
> ? __do_sys_finit_module+0xb0/0xf0
> __x64_sys_finit_module+0x1a/0x20
> do_syscall_64+0x34/0xb0
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> When loading a module, if it fails to allocate memory for static
> calls, it will delete the non-existent mods (mods == 1) in the
> static_call_module_notify()'s error path.
>
> static_call_module_notify
> static_call_add_module
> __static_call_init
> site_mod = kzalloc() // fault injection
> static_call_del_module // access non-existent mods
>
> This patch fixes the bug by skipping the operation when the key
> has no mods.
>
> Fixes: a945c8345ec0 ("static_call: Allow early init")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>
> ---
> kernel/static_call.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/static_call.c b/kernel/static_call.c
> index 43ba0b1e0edb..c3f8ffc5a52f 100644
> --- a/kernel/static_call.c
> +++ b/kernel/static_call.c
> @@ -400,7 +400,7 @@ static void static_call_del_module(struct module *mod)
>
> for (site = start; site < stop; site++) {
> key = static_call_key(site);
> - if (key == prev_key)
> + if (key == prev_key || !static_call_key_has_mods(key))
> continue;
>
> prev_key = key;
Should you not update prev_key in that case? Also have you looked at
jump_label_del_module() which is very similar in construction?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] static_call: fix null-ptr-deref in static_call_del_module
2021-10-09 10:00 ` Peter Zijlstra
@ 2021-10-11 3:18 ` wanghai (M)
0 siblings, 0 replies; 3+ messages in thread
From: wanghai (M) @ 2021-10-11 3:18 UTC (permalink / raw)
To: Peter Zijlstra; +Cc: jpoimboe, jbaron, rostedt, ardb, mingo, linux-kernel
在 2021/10/9 18:00, Peter Zijlstra 写道:
> On Sat, Oct 09, 2021 at 03:44:28PM +0800, Wang Hai wrote:
>> I got a NULL pointer dereference report when doing fault injection test:
>>
>> BUG: kernel NULL pointer dereference, address: 0000000000000009
>> ...
>> RIP: 0010:static_call_del_module+0x7a/0x100
>> ...
>> Call Trace:
>> static_call_module_notify+0x1e1/0x200
>> notifier_call_chain_robust+0x6f/0xe0
>> blocking_notifier_call_chain_robust+0x4e/0x70
>> load_module+0x21f7/0x2b60
>> __do_sys_finit_module+0xb0/0xf0
>> ? __do_sys_finit_module+0xb0/0xf0
>> __x64_sys_finit_module+0x1a/0x20
>> do_syscall_64+0x34/0xb0
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> When loading a module, if it fails to allocate memory for static
>> calls, it will delete the non-existent mods (mods == 1) in the
>> static_call_module_notify()'s error path.
>>
>> static_call_module_notify
>> static_call_add_module
>> __static_call_init
>> site_mod = kzalloc() // fault injection
>> static_call_del_module // access non-existent mods
>>
>> This patch fixes the bug by skipping the operation when the key
>> has no mods.
>>
>> Fixes: a945c8345ec0 ("static_call: Allow early init")
>> Signed-off-by: Wang Hai <wanghai38@huawei.com>
>> ---
>> kernel/static_call.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/static_call.c b/kernel/static_call.c
>> index 43ba0b1e0edb..c3f8ffc5a52f 100644
>> --- a/kernel/static_call.c
>> +++ b/kernel/static_call.c
>> @@ -400,7 +400,7 @@ static void static_call_del_module(struct module *mod)
>>
>> for (site = start; site < stop; site++) {
>> key = static_call_key(site);
>> - if (key == prev_key)
>> + if (key == prev_key || !static_call_key_has_mods(key))
>> continue;
>>
>> prev_key = key;
> Should you not update prev_key in that case? Also have you looked at
> jump_label_del_module() which is very similar in construction?
> .
Thanks for your guidance, as with jump_label_del_module(),
the prev_key needs to be updated, can it be fixed like this?
--- a/kernel/static_call.c
+++ b/kernel/static_call.c
@@ -404,9 +404,9 @@ static void static_call_del_module(struct module *mod)
continue;
prev_key = key;
+ site_mod = static_call_key_next(key);
- for (prev = &key->mods, site_mod = key->mods;
- site_mod && site_mod->mod != mod;
+ for (prev = &key->mods; site_mod && site_mod->mod != mod;
prev = &site_mod->next, site_mod = site_mod->next)
;
--
Wang Hai
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-11 3:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-09 7:44 [PATCH] static_call: fix null-ptr-deref in static_call_del_module Wang Hai
2021-10-09 10:00 ` Peter Zijlstra
2021-10-11 3:18 ` wanghai (M)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.