Commit 1d661ed5 authored by Adam Zabrocki, committed by Daniel Borkmann

kprobes: Fix KRETPROBES when CONFIG_KRETPROBE_ON_RETHOOK is set

The recent kernel change in 73f9b911 ("kprobes: Use rethook for kretprobe
if possible") introduced a potential NULL pointer dereference bug in the
KRETPROBE mechanism. The official Kprobes documentation defines that "Any or
all handlers can be NULL". Unfortunately, the return handler verification
needed to fulfill this requirement is missing, which can result in a NULL
pointer dereference bug.

This patch adds such verification in kretprobe_rethook_handler() function.

Fixes: 73f9b911 ("kprobes: Use rethook for kretprobe if possible")
Signed-off-by: Adam Zabrocki <pi3@pi3.com.pl>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Anil S. Keshavamurthy <anil.s.keshavamurthy@intel.com>
Link: https://lore.kernel.org/bpf/20220422164027.GA7862@pi3.com.pl
parent b02d196c
...@@ -2126,7 +2126,7 @@ static void kretprobe_rethook_handler(struct rethook_node *rh, void *data, ...@@ -2126,7 +2126,7 @@ static void kretprobe_rethook_handler(struct rethook_node *rh, void *data,
struct kprobe_ctlblk *kcb; struct kprobe_ctlblk *kcb;
/* The data must NOT be null. This means rethook data structure is broken. */ /* The data must NOT be null. This means rethook data structure is broken. */
if (WARN_ON_ONCE(!data)) if (WARN_ON_ONCE(!data) || !rp->handler)
return; return;
__this_cpu_write(current_kprobe, &rp->kp); __this_cpu_write(current_kprobe, &rp->kp);
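Review bot: the comment above the changed `if (WARN_ON_ONCE(!data) || !rp->handler)` line still says only that data must not be NULL and that a NULL means the rethook structure is broken, but the new `!rp->handler` condition is a legitimate state (the Kprobes documentation cited in the commit message allows any handler to be NULL), not a corruption case; folding it into the same statement as the WARN makes an ordinary early return read as part of the "broken structure" path. Suggest either a separate check after the WARN, e.g. `if (!rp->handler) return;`, or extending the comment, e.g. `/* A NULL return handler is allowed; nothing to do. */`. The ordering is fine as written: with `||`, `rp->handler` is only read once the data check passes, and the early return happens before `current_kprobe` is written, so no per-CPU state is left behind for a probe that has no return handler.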