sst-linux/include
Ye Bin 966f331403 proc: fix UAF in proc_get_inode()
commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops doesn't belong to /proc, it belongs to a
module, therefore dereferencing it after /proc entry has been registered
is a bug unless use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->...  dereference.

      rmmod                         lookup
sys_delete_module
                                    proc_lookup_de
                                      pde_get(de);
                                      proc_get_inode(dir->i_sb, de);
  mod->exit()
    proc_remove
      remove_proc_subtree
        proc_entry_rundown(de);
  free_module(mod);

                                      if (S_ISREG(inode->i_mode))
                                        if (de->proc_ops->proc_read_iter)
                                        --> As module is already freed, will trigger UAF

BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_lookup_de+0x11f/0x2e0
 __lookup_slow+0x188/0x350
 walk_component+0x2ab/0x4f0
 path_lookupat+0x120/0x660
 filename_lookup+0x1ce/0x560
 vfs_statx+0xac/0x150
 __do_sys_newstat+0x96/0x110
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
Fixes: 778f3dd5a1 ("Fix procfs compat_ioctl regression")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-03-28 21:59:01 +01:00
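The pattern behind this fix, as an added userspace illustration that is not the kernel's own code: the /proc entry snapshots what inode instantiation needs (here, whether proc_read_iter is set) before the entry is registered, so the lookup path never follows de->proc_ops into memory a module may already have freed. Type, field and function names (pde_register, pde_wants_read_iter, PDE_HAS_READ_ITER, lookup_after_rmmod) are hypothetical stand-ins, not the kernel's identifiers.

```c
#include <stdlib.h>
#include <stdio.h>

/* Module-owned file operations table; the real kernel type is
 * struct proc_ops, this is a reduced stand-in. */
struct proc_ops {
    int (*proc_read_iter)(void);
};

/* Flag cached by /proc itself; the bit name is hypothetical. */
#define PDE_HAS_READ_ITER 0x1u

struct proc_dir_entry {
    const struct proc_ops *proc_ops;  /* points into module memory */
    unsigned int flags;               /* owned by the PDE, survives rmmod */
};

static int dummy_read_iter(void) { return 0; }

/* Registration snapshots what inode instantiation will need, before the
 * entry is published, so no later path has to follow de->proc_ops. */
static struct proc_dir_entry *pde_register(const struct proc_ops *ops)
{
    struct proc_dir_entry *de = calloc(1, sizeof(*de));
    if (!de)
        return NULL;
    de->proc_ops = ops;
    if (ops->proc_read_iter)
        de->flags |= PDE_HAS_READ_ITER;
    return de;
}

/* Fixed lookup-side check: reads the cached flag, never de->proc_ops.
 * (The buggy form was the equivalent of `de->proc_ops->proc_read_iter`.) */
static int pde_wants_read_iter(const struct proc_dir_entry *de)
{
    return (de->flags & PDE_HAS_READ_ITER) != 0;
}

/* Models the race from the commit message: register, free the module's
 * ops (rmmod), then instantiate the inode. Returns what the lookup saw,
 * or -1 on allocation failure. */
static int lookup_after_rmmod(int module_has_read_iter)
{
    struct proc_ops *ops = calloc(1, sizeof(*ops));
    if (!ops)
        return -1;
    ops->proc_read_iter = module_has_read_iter ? dummy_read_iter : NULL;

    struct proc_dir_entry *de = pde_register(ops);
    if (!de) {
        free(ops);
        return -1;
    }

    free(ops);                             /* module gone; de->proc_ops now dangles */
    int wants = pde_wants_read_iter(de);   /* touches only PDE-owned memory */
    free(de);
    return wants;
}

int main(void)
{
    printf("module with read_iter: %d\n", lookup_after_rmmod(1));
    printf("module without read_iter: %d\n", lookup_after_rmmod(0));
    return 0;
}
```

The cached flag is written once, before proc_register() publishes the entry, which is why the commit can drop the use_pde()/unuse_pde() pair on this path: the information can no longer change, so nothing needs to pin the module while reading it.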
acpi ACPI: CPPC: Make rmw_lock a raw_spin_lock 2024-11-08 16:26:43 +01:00
asm-generic vmlinux.lds: Ensure that const vars with relocations are mapped R/O 2025-03-07 16:56:50 +01:00
clocksource x86/hyperv: Fix hv tsc page based sched_clock for hibernation 2025-01-09 13:29:56 +01:00
crypto crypto: simd - Do not call crypto_alloc_tfm during registration 2024-10-17 15:21:39 +02:00
drm drm/ttm: Make sure the mapped tt pages are decrypted when needed 2024-12-14 19:54:54 +01:00
dt-bindings dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x 2024-10-17 15:22:07 +02:00
keys
kunit
kvm KVM: arm64: Fix host-programmed guest events in nVHE 2024-04-10 16:28:23 +02:00
linux proc: fix UAF in proc_get_inode() 2025-03-28 21:59:01 +01:00
math-emu
media media: v4l2-core: v4l2-dv-timings: check cvt/gtf result 2024-12-14 19:54:04 +01:00
memory memory: renesas-rpc-if: Remove Runtime PM wrappers 2024-12-14 19:53:37 +01:00
misc
net Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" 2025-03-28 21:58:49 +01:00
pcmcia
ras
rdma
rv rv: Reset per-task monitors also for idle tasks 2025-02-21 13:49:47 +01:00
scsi scsi: core: Fix the return value of scsi_logical_block_count() 2024-08-29 17:30:49 +02:00
soc net: mscc: ocelot: be resilient to loss of PTP packets during transmission 2024-12-19 18:08:54 +01:00
sound ASoC: ops: Consistently treat platform_max as control value 2025-03-28 21:58:57 +01:00
target
trace net/ipv4: add tracepoint for icmp_send 2025-03-07 16:56:44 +01:00
uapi io_uring: get rid of remap_pfn_range() for mapping rings/sqes 2025-03-28 21:58:53 +01:00
ufs scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions 2025-02-21 13:49:42 +01:00
vdso
video
xen