Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()
From: Peter Zijlstra
Date: Fri Sep 15 2023 - 05:03:52 EST
On Fri, Sep 15, 2023 at 04:21:25PM +0800, Jinjie Ruan wrote:
> Inject fault while probing btrfs.ko, if the first kzalloc() fails
> in __static_call_init(), key->mods will no be initialized. And then
> in static_call_del_module() the site_mod->mod will cause
> wild-memory-access as below:
>
> So assign key->mods to NULL in __static_call_init() if it fails
> to fix the issue. And if kzalloc fails, it will just return in init
> func, so it should break if it the key->mods is NULL in exit func.
>
I don't think we need that full splat.
>
> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0 static")
And that looks wrong, that just moved code around.
> Signed-off-by: Jinjie Ruan <ruanjinjie@xxxxxxxxxx>
> ---
> kernel/static_call_inline.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
> index 639397b5491c..e7aa70d33530 100644
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
> }
>
> site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
> - if (!site_mod)
> + if (!site_mod) {
> + key->mods = NULL;
> return -ENOMEM;
> + }
>
> /*
> * When the key has a direct sites pointer, extract
> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
> ;
>
> if (!site_mod)
> - continue;
> + break;
>
> *prev = site_mod->next;
> kfree(site_mod);
The actual patch looks okay.