From bd1ed1b7338fc0a92402d0d7a0206f4add7ccdeb Mon Sep 17 00:00:00 2001 From: Cheng Jian Date: Fri, 17 Apr 2020 15:56:07 +0800 Subject: [PATCH] kretprobe: check re-registration of the same kretprobe earlier hulk inclusion category: bugfix bugzilla: 31369 CVE: NA --------------------------- Our system encountered a use-after-free when re-register the same kretprobe, it access the kretprobe_instance in rp->free_instances which has been released already. Prevent re-registration has been implemented for kprobe before, but it's too late for kretprobe. We must check the re-registration before re-initializing the kretprobe, otherwise it will destroy the data and struct of the kretprobe registered, it can lead to use-after-free, memory leak, system crash, and even other unexpected behaviors. Use check_kprobe_rereg() to check re-registration, also give a warning message. Link: https://lkml.org/lkml/2020/3/6/167 Signed-off-by: Cheng Jian Acked-by: Masami Hiramatsu Reviewed-by: Xie XiuQi Signed-off-by: Yang Yingliang --- kernel/kprobes.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f9c3a7da4821..5ce3365ba325 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1902,6 +1902,14 @@ int register_kretprobe(struct kretprobe *rp) } } + /* + * Return error if it's being re-registered, + * also give a warning message to the developer. + */ + ret = check_kprobe_rereg(&rp->kp); + if (WARN_ON(ret)) + return ret; + rp->kp.pre_handler = pre_handler_kretprobe; rp->kp.post_handler = NULL; rp->kp.fault_handler = NULL; -- GitLab
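Review bot: the `if (WARN_ON(ret))` around the new `check_kprobe_rereg(&rp->kp)` call fires a full stack dump on every re-registration attempt, so a caller that retries in a loop floods the log, and on a system booted with panic_on_warn the second registration becomes a panic instead of the -EINVAL the caller is supposed to handle; consider `if (WARN_ONCE(ret, "kretprobe re-registered\n"))` or a pr_warn() naming the probe, keeping the early return as written. The placement itself is correct: the check runs before `rp->kp.pre_handler = pre_handler_kretprobe;` and the handler resets that follow, so nothing belonging to the already-registered kretprobe is overwritten before the error path returns, which is what the commit message needs to rule out the use-after-free on rp->free_instances. The hunk reuses `ret` without declaring it, so it depends on the existing declaration in register_kretprobe(); that is fine since the assignment here overwrites any earlier value, but the comment above the call could say that -EINVAL is the only error check_kprobe_rereg() produces, which is why the WARN_ON condition is acceptable at all.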