[OLK-5.10] fix out-of-bounds in register_kretprobe when parsing negative data_size

Done
Bug
Opened this issue  
2021-11-27 11:03

【标题描述】执行kernel_test kprobe用例出现KASAN call trace
【环境信息】
硬件信息:
1) 裸机场景提供出问题的硬件信息;
2) 虚机场景提供虚机XML文件或者配置信息
软件信息:
1) OS版本及分支
2) 内核信息
3) 发现问题的组件版本信息
如果有特殊组网,请提供网络拓扑图
【问题复现步骤】
复现demo:

#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/version.h>

/*
 * Extra per-instance data length passed to register_kretprobe() through
 * rp.data_size below. Settable at load time (insmod ... data_size=N); the
 * reproducer loads the module with data_size=-1. The kernel field it is
 * copied into is presumably unsigned (size_t), so a negative value turns
 * into a huge length -- that is the condition this issue is about.
 */
static int data_size=0;
module_param(data_size, int, 0644);

/* The single kretprobe registered in kretprobe_init() and removed in kretprobe_exit(). */
static struct kretprobe rp;

/*
 * Return-probe callback: fires when the probed function returns.
 * Only logs a marker line; neither argument is inspected. Always returns 0.
 */
static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	(void)ri;
	(void)regs;

	printk(KERN_DEBUG "ret_handler\n");

	return 0;
}
/*
 * Entry-probe callback: fires when the probed function is entered.
 * Only logs a marker line; neither argument is inspected. Returning 0
 * lets the kretprobe instance proceed to ret_handler().
 */
static int entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	(void)ri;
	(void)regs;

	printk(KERN_DEBUG "entry_handler\n");

	return 0;
}
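/*
 * Module init: register a kretprobe on the fork entry point with the
 * caller-supplied data_size.
 *
 * Returns 0 on success, -ENOENT when the probe target symbol cannot be
 * resolved, or the negative error code returned by register_kretprobe().
 *
 * data_size is copied into rp.data_size unchanged, so a negative module
 * parameter arrives in the kernel as a very large length. Per the issue's
 * expected result, registration should then fail; the KASAN reports show
 * what happens when it does not.
 */
static int __init kretprobe_init(void)
{
	int ret;

	/*
	 * Printed for comparison with the KASAN report: presumably the
	 * allocation size an instance ends up with once data_size=-1 wraps
	 * (sizeof(instance) - 1). sizeof yields size_t, so the format must
	 * be %zu -- the earlier %ld was a type mismatch.
	 */
	printk(KERN_DEBUG "size = %zu\n", sizeof(struct kretprobe_instance) - 1);

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,2,0)
	rp.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("_do_fork");
#else
	rp.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("do_fork");
#endif
	/*
	 * Fail explicitly when the symbol is absent (the maintainer reply on
	 * this issue reports the "_do_fork" lookup returning 0 on OLK-5.10)
	 * instead of handing register_kretprobe() a NULL address.
	 */
	if (!rp.kp.addr) {
		printk(KERN_DEBUG "fork symbol not found, cannot register kretprobe\n");
		return -ENOENT;
	}

	rp.handler = ret_handler;
	rp.entry_handler = entry_handler;
	rp.data_size = data_size;	/* int -> size_t: negative wraps, by design of the repro */
	rp.maxactive = 1;

	ret = register_kretprobe(&rp);
	if (ret < 0) {
		printk(KERN_DEBUG "register_kretprobe failed, returned %d\n", ret);
		return ret;	/* propagate the real error code to insmod instead of -1 */
	}
	printk(KERN_DEBUG "register_kretprobe pass\n");

	return 0;
}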

/*
 * Module exit: tear down the kretprobe that kretprobe_init() registered,
 * then log that it is gone.
 */
static void __exit kretprobe_exit(void)
{
	struct kretprobe *probe = &rp;

	unregister_kretprobe(probe);
	printk(KERN_DEBUG "kretprobe  unregistered\n");
}

/* Module entry/exit hooks and licence tag (GPL is required for the kprobes API). */
module_init(kretprobe_init)
module_exit(kretprobe_exit)
MODULE_LICENSE("GPL");

insmod this module

 sudo insmod testRegKretprobe.ko data_size=-1

出现概率(是否必现,概率性错误)
【预期结果】
kretprobe注册失败,返回错误
【实际结果】
kretprobe注册成功
描述出问题的结果
出现内存越界访问
【附件信息】
Actual results (现象):

[ 1277.862412] ==================================================================
[ 1277.863463] BUG: KASAN: slab-out-of-bounds in trampoline_probe_handler+0xb4/0x2f0 at addr ffff8001af47d6a0
[ 1277.872612] Read of size 8 by task sh/1910
[ 1277.873212] =============================================================================
[ 1277.874289] BUG kmalloc-64 (Tainted: G    B      OE  ): kasan: bad access detected
[ 1277.875212] -----------------------------------------------------------------------------
[ 1277.875212]
[ 1277.881592] INFO: Allocated in register_kretprobe+0x12c/0x350 age=11445 cpu=6 pid=1912
[ 1277.882730] 	alloc_debug_processing+0x18c/0x1a0
[ 1277.883491] 	__slab_alloc+0x52c/0x560
[ 1277.886165] 	__kmalloc+0x254/0x2e0
[ 1277.886827] 	register_kretprobe+0x12c/0x350
[ 1277.887469] 	0xffff7ffffc090050
[ 1277.888076] 	do_one_initcall+0x120/0x260
[ 1277.892827] 	do_init_module+0xf0/0x288
[ 1277.893495] 	load_module+0x1834/0x1b60
[ 1277.894166] 	SyS_init_module+0x164/0x1e0
[ 1277.894835] 	el0_svc_naked+0x20/0x24
[ 1277.895548] INFO: Freed in do_one_initcall+0x110/0x260 age=11463 cpu=6 pid=1912
[ 1277.896589] 	free_debug_processing+0x1d4/0x2c0
[ 1277.897336] 	__slab_free+0x240/0x390
[ 1277.897994] 	kfree+0x1cc/0x1e0
[ 1277.898593] 	do_one_initcall+0x110/0x260
[ 1277.899280] 	do_init_module+0xf0/0x288
[ 1277.899944] 	load_module+0x1834/0x1b60
[ 1277.900601] 	SyS_init_module+0x164/0x1e0
[ 1277.901269] 	el0_svc_naked+0x20/0x24
[ 1277.901920] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=11 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1277.903141] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0x          (null)
[ 1277.903141]
[ 1277.904383] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1277.905603] Object ffff8001af47d680: 00 00 00 00 00 00 00 00 48 e4 82 01 00 80 ff ff  ........H.......
[ 1277.906810] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff  ........ .......
[ 1277.908012] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00  ................
[ 1277.909220] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1277.910457] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1277.911696] CPU: 2 PID: 1910 Comm: sh Tainted: G    B      OE   4.1.46 #8
[ 1277.911858] Hardware name: linux,dummy-virt (DT)
[ 1277.911990] Call trace:
[ 1277.912587] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1277.912897] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1277.913195] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1277.913499] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1277.913807] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1277.914077] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1277.914404] [<ffff8000002e39a0>] __asan_load8+0x60/0x80
[ 1277.914708] [<ffff800001000054>] trampoline_probe_handler+0xb4/0x2f0
[ 1277.914999] [<ffff800000ffff38>] kretprobe_trampoline+0x54/0xbc
[ 1277.915144] Memory state around the buggy address:
[ 1277.915898]  ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.916875]  ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.917852] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1277.918752]                                ^
[ 1277.919451]  ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.920433]  ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.921312] ==================================================================
[ 1277.922198] ret_handler
[ 1281.525417] ==================================================================
[ 1281.526507] BUG: KASAN: slab-out-of-bounds in pre_handler_kretprobe+0x10c/0x2e0 at addr ffff8001af47d6a0
[ 1281.527523] Write of size 8 by task sh/1910
[ 1281.528033] =============================================================================
[ 1281.529885] BUG kmalloc-64 (Tainted: G    B      OE  ): kasan: bad access detected
[ 1281.530826] -----------------------------------------------------------------------------
[ 1281.530826]
[ 1281.534390] INFO: Allocated in register_kretprobe+0x12c/0x350 age=12358 cpu=6 pid=1912
[ 1281.535519] 	alloc_debug_processing+0x18c/0x1a0
[ 1281.538353] 	__slab_alloc+0x52c/0x560
[ 1281.539037] 	__kmalloc+0x254/0x2e0
[ 1281.539688] 	register_kretprobe+0x12c/0x350
[ 1281.543986] 	0xffff7ffffc090050
[ 1281.545285] 	do_one_initcall+0x120/0x260
[ 1281.545989] 	do_init_module+0xf0/0x288
[ 1281.546664] 	load_module+0x1834/0x1b60
[ 1281.547329] 	SyS_init_module+0x164/0x1e0
[ 1281.547994] 	el0_svc_naked+0x20/0x24
[ 1281.551980] INFO: Freed in do_one_initcall+0x110/0x260 age=12375 cpu=6 pid=1912
[ 1281.557086] 	free_debug_processing+0x1d4/0x2c0
[ 1281.557846] 	__slab_free+0x240/0x390
[ 1281.558519] 	kfree+0x1cc/0x1e0
[ 1281.559115] 	do_one_initcall+0x110/0x260
[ 1281.559808] 	do_init_module+0xf0/0x288
[ 1281.560469] 	load_module+0x1834/0x1b60
[ 1281.561130] 	SyS_init_module+0x164/0x1e0
[ 1281.561795] 	el0_svc_naked+0x20/0x24
[ 1281.562450] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=10 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1281.563646] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0xdead000000000100
[ 1281.563646]
[ 1281.564885] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1281.566102] Object ffff8001af47d680: 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de  ................
[ 1281.567308] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff  ........ .......
[ 1281.568515] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00  ................
[ 1281.569725] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1281.570948] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1281.572197] CPU: 4 PID: 1910 Comm: sh Tainted: G    B      OE   4.1.46 #8
[ 1281.572361] Hardware name: linux,dummy-virt (DT)
[ 1281.572497] Call trace:
[ 1281.573095] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1281.573409] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1281.573713] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1281.574021] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1281.574349] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1281.574628] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1281.574950] [<ffff8000002e3a20>] __asan_store8+0x60/0x80
[ 1281.575261] [<ffff8000001d7edc>] pre_handler_kretprobe+0x10c/0x2e0
[ 1281.575548] [<ffff800000fff8bc>] kprobe_handler+0x12c/0x290
[ 1281.575844] [<ffff800000fffba8>] kprobe_breakpoint_handler+0x18/0x30
[ 1281.576130] [<ffff8000000865c0>] brk_handler+0x80/0xa0
[ 1281.576402] [<ffff80000008257c>] do_debug_exception+0x7c/0x120
[ 1281.576619] Exception stack(0xffff8001af4a7d60 to 0xffff8001af4a7ea0)
[ 1281.576906] 7d60: 0000000001200011 0000000000000000 0000000000000000 0000000000000000
[ 1281.577207] 7d80: 0000ffffaf5540d0 0000ffffaf554000 0000000000000000 0000ffffaf5546f0
[ 1281.577495] 7da0: 00000000000000dc ffff80000008471c 0000000000000776 0000000000000025
[ 1281.577797] 7dc0: 0000000000000028 ffffffffffffffff ffffffffffffffff 0000ffffaf35622c
[ 1281.578090] 7de0: ffff8000000e8800 0000ffffaf3ef670 0000000000000000 0000000000000000
[ 1281.578408] 7e00: 0000ffffd1f191e0 ffffffffffffffff 0000ffffaf3ef714 0000000060000000
[ 1281.578699] 7e20: 0000000000000015 000000000000011a 00000000000000dc ffff80000100d000
[ 1281.579014] 7e40: ffff8001af4a4000 ffff8001af4a7ea0 ffff8000000e8820 ffff8001af4a7ea0
[ 1281.579308] 7e60: ffff8000000e8270 0000000080000145 0000000000000000 000000005632cbd4
[ 1281.579593] 7e80: 0000000000000000 000000000000006d 0001000000000000 0000000000001000
[ 1281.579848] [<ffff800000083ed4>] el1_dbg+0x18/0x8c
[ 1281.579993] Memory state around the buggy address:
[ 1281.580757]  ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.581738]  ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.582734] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1281.583629]                                ^
[ 1281.584322]  ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.585302]  ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.586189] ==================================================================
[ 1281.587066] entry_handler
[ 1281.915832] ==================================================================
[ 1281.925612] BUG: KASAN: slab-out-of-bounds in trampoline_probe_handler+0xb4/0x2f0 at addr ffff8001af47d6a0
[ 1281.926840] Read of size 8 by task sh/1910
[ 1281.927431] =============================================================================
[ 1281.929215] BUG kmalloc-64 (Tainted: G    B      OE  ): kasan: bad access detected
[ 1281.930152] -----------------------------------------------------------------------------
[ 1281.930152]
[ 1281.931576] INFO: Allocated in register_kretprobe+0x12c/0x350 age=12457 cpu=6 pid=1912
[ 1281.935773] 	alloc_debug_processing+0x18c/0x1a0
[ 1281.938018] 	__slab_alloc+0x52c/0x560
[ 1281.938704] 	__kmalloc+0x254/0x2e0
[ 1281.939357] 	register_kretprobe+0x12c/0x350
[ 1281.940006] 	0xffff7ffffc090050
[ 1281.943904] 	do_one_initcall+0x120/0x260
[ 1281.947826] 	do_init_module+0xf0/0x288
[ 1281.951691] 	load_module+0x1834/0x1b60
[ 1281.955572] 	SyS_init_module+0x164/0x1e0
[ 1281.959596] 	el0_svc_naked+0x20/0x24
[ 1281.963545] INFO: Freed in do_one_initcall+0x110/0x260 age=12475 cpu=6 pid=1912
[ 1281.967837] 	free_debug_processing+0x1d4/0x2c0
[ 1281.971839] 	__slab_free+0x240/0x390
[ 1281.975746] 	kfree+0x1cc/0x1e0
[ 1281.979615] 	do_one_initcall+0x110/0x260
[ 1281.981107] 	do_init_module+0xf0/0x288
[ 1281.981778] 	load_module+0x1834/0x1b60
[ 1281.982453] 	SyS_init_module+0x164/0x1e0
[ 1281.983122] 	el0_svc_naked+0x20/0x24
[ 1281.983770] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=10 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1281.991427] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0x          (null)
[ 1281.991427]
[ 1281.995948] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1281.997957] Object ffff8001af47d680: 00 00 00 00 00 00 00 00 48 e4 82 01 00 80 ff ff  ........H.......
[ 1281.999174] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff  ........ .......
[ 1282.003618] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00  ................
[ 1282.008069] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1282.015983] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 1282.022380] CPU: 4 PID: 1910 Comm: sh Tainted: G    B      OE   4.1.46 #8
[ 1282.022542] Hardware name: linux,dummy-virt (DT)
[ 1282.022674] Call trace:
[ 1282.023286] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1282.023597] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1282.023894] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1282.028262] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1282.028580] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1282.028853] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1282.029172] [<ffff8000002e39a0>] __asan_load8+0x60/0x80
[ 1282.029483] [<ffff800001000054>] trampoline_probe_handler+0xb4/0x2f0
[ 1282.029777] [<ffff800000ffff38>] kretprobe_trampoline+0x54/0xbc
[ 1282.029922] Memory state around the buggy address:
[ 1282.030697]  ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.031683]  ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.032666] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1282.033561]                                ^
[ 1282.034266]  ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.035246]  ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.036123] ==================================================================
[ 1282.037007] ret_handler
[ 1283.715570] kretprobe  unregister

Comments (2)

lihuafei created缺陷

Hi lihuafei1, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at
https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers: @XieXiuQi , @YangYingliang , @成坚 (CHENG Jian) .

openeuler-ci-bot added
 
sig/Kernel
label

您好,请问一下您的复现步骤是什么样的,kallsyms_lookup_name("_do_fork")的返回值一直为0,因为内核中并没有_do_fork函数的函数地址,所以在register_kretprobe时直接会返回-EINVAL,并未出现越界的情况;还有就是这个问题是偶现还是必现的?

XieXiuQi changed description
zhengzengkai through src-openeuler/kernel Pull Request !418 changed issue state from 待办的 to 已完成
