x86, hw_breakpoints: Fix racy access to ptrace breakpoints

While the tracer accesses ptrace breakpoints, the child task may concurrently exit due to a SIGKILL and thus release its breakpoints at the same time. We can then dereference some freed pointers. To fix this, hold a reference on the child breakpoints before manipulating them. Reported-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Will Deacon <will.deacon@arm.com> Cc: Prasad <prasad@linux.vnet.ibm.com> Cc: Paul Mundt <lethal@linux-sh.org> Cc: v2.6.33.. <stable@kernel.org> Link: http://lkml.kernel.org/r/1302284067-7860-3-git-send-email-fweisbec@gmail.com
author: Frederic Weisbecker <fweisbec@gmail.com> 2011-04-08 11:29:36 -0400
committer: Frederic Weisbecker <fweisbec@gmail.com> 2011-04-25 11:32:40 -0400
commit: 87dc669ba25777b67796d7262c569429e58b1ed4 (patch)
tree: 861710b50740b7d3924ce254963f3b4d26f0a514
parent: bf26c018490c2fce7fe9b629083b96ce0e6ad019 (diff)
1 files changed, 26 insertions, 10 deletions
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 45892dc4b72a..f65e5b521dbd 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -608,6 +608,9 @@ static int ptrace_write_dr7(struct task_struct *tsk, unsigned long data)
        unsigned len, type;
        struct perf_event *bp;
+        if (ptrace_get_breakpoints(tsk) < 0)
+                return -ESRCH;
        data &= ~DR_CONTROL_RESERVED;
        old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
 restore:
@@ -655,6 +658,9 @@ restore:
                }
                goto restore;
        }
+        ptrace_put_breakpoints(tsk);
        return ((orig_ret < 0) ? orig_ret : rc);
 }
@@ -668,10 +674,17 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
        if (n < HBP_NUM) {
                struct perf_event *bp;
+                if (ptrace_get_breakpoints(tsk) < 0)
+                        return -ESRCH;
                bp = thread->ptrace_bps[n];
                if (!bp)
-                        return 0;
+                        val = 0;
-                val = bp->hw.info.address;
+                else
+                        val = bp->hw.info.address;
+                ptrace_put_breakpoints(tsk);
        } else if (n == 6) {
                val = thread->debugreg6;
         } else if (n == 7) {
@@ -686,6 +699,10 @@ static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
        struct perf_event *bp;
        struct thread_struct *t = &tsk->thread;
        struct perf_event_attr attr;
+        int err = 0;
+        if (ptrace_get_breakpoints(tsk) < 0)
+                return -ESRCH;
        if (!t->ptrace_bps[nr]) {
                ptrace_breakpoint_init(&attr);
@@ -709,24 +726,23 @@ static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
                 * writing for the user. And anyway this is the previous
                 * behaviour.
                 */
-                if (IS_ERR(bp))
+                if (IS_ERR(bp)) {
-                        return PTR_ERR(bp);
+                        err = PTR_ERR(bp);
+                        goto put;
+                }
                t->ptrace_bps[nr] = bp;
        } else {
-                int err;
                bp = t->ptrace_bps[nr];
                attr = bp->attr;
                attr.bp_addr = addr;
                err = modify_user_hw_breakpoint(bp, &attr);
-                if (err)
-                        return err;
        }
+put:
-        return 0;
+        ptrace_put_breakpoints(tsk);
+        return err;
 }
 /*
author	Frederic Weisbecker <fweisbec@gmail.com>	2011-04-08 11:29:36 -0400
committer	Frederic Weisbecker <fweisbec@gmail.com>	2011-04-25 11:32:40 -0400
commit	87dc669ba25777b67796d7262c569429e58b1ed4 (patch)
tree	861710b50740b7d3924ce254963f3b4d26f0a514
parent	bf26c018490c2fce7fe9b629083b96ce0e6ad019 (diff)

diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c index 45892dc4b72a..f65e5b521dbd 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c
@@ -608,6 +608,9 @@ static int ptrace_write_dr7(struct task_struct *tsk, unsigned long data)
608	unsigned len, type;	608	unsigned len, type;
609	struct perf_event *bp;	609	struct perf_event *bp;
610		610
		611	if (ptrace_get_breakpoints(tsk) < 0)
		612	return -ESRCH;
		613
611	data &= ~DR_CONTROL_RESERVED;	614	data &= ~DR_CONTROL_RESERVED;
612	old_dr7 = ptrace_get_dr7(thread->ptrace_bps);	615	old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
613	restore:	616	restore:
@@ -655,6 +658,9 @@ restore:
655	}	658	}
656	goto restore;	659	goto restore;
657	}	660	}
		661
		662	ptrace_put_breakpoints(tsk);
		663
658	return ((orig_ret < 0) ? orig_ret : rc);	664	return ((orig_ret < 0) ? orig_ret : rc);
659	}	665	}
660		666
@@ -668,10 +674,17 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
668		674
669	if (n < HBP_NUM) {	675	if (n < HBP_NUM) {
670	struct perf_event *bp;	676	struct perf_event *bp;
		677
		678	if (ptrace_get_breakpoints(tsk) < 0)
		679	return -ESRCH;
		680
671	bp = thread->ptrace_bps[n];	681	bp = thread->ptrace_bps[n];
672	if (!bp)	682	if (!bp)
673	return 0;	683	val = 0;
674	val = bp->hw.info.address;	684	else
		685	val = bp->hw.info.address;
		686
		687	ptrace_put_breakpoints(tsk);
675	} else if (n == 6) {	688	} else if (n == 6) {
676	val = thread->debugreg6;	689	val = thread->debugreg6;
677	} else if (n == 7) {	690	} else if (n == 7) {
@@ -686,6 +699,10 @@ static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
686	struct perf_event *bp;	699	struct perf_event *bp;
687	struct thread_struct *t = &tsk->thread;	700	struct thread_struct *t = &tsk->thread;
688	struct perf_event_attr attr;	701	struct perf_event_attr attr;
		702	int err = 0;
		703
		704	if (ptrace_get_breakpoints(tsk) < 0)
		705	return -ESRCH;
689		706
690	if (!t->ptrace_bps[nr]) {	707	if (!t->ptrace_bps[nr]) {
691	ptrace_breakpoint_init(&attr);	708	ptrace_breakpoint_init(&attr);
@@ -709,24 +726,23 @@ static int ptrace_set_breakpoint_addr(struct task_struct *tsk, int nr,
709	* writing for the user. And anyway this is the previous	726	* writing for the user. And anyway this is the previous
710	* behaviour.	727	* behaviour.
711	*/	728	*/
712	if (IS_ERR(bp))	729	if (IS_ERR(bp)) {
713	return PTR_ERR(bp);	730	err = PTR_ERR(bp);
		731	goto put;
		732	}
714		733
715	t->ptrace_bps[nr] = bp;	734	t->ptrace_bps[nr] = bp;
716	} else {	735	} else {
717	int err;
718
719	bp = t->ptrace_bps[nr];	736	bp = t->ptrace_bps[nr];
720		737
721	attr = bp->attr;	738	attr = bp->attr;
722	attr.bp_addr = addr;	739	attr.bp_addr = addr;
723	err = modify_user_hw_breakpoint(bp, &attr);	740	err = modify_user_hw_breakpoint(bp, &attr);
724	if (err)
725	return err;
726	}	741	}
727		742
728		743	put:
729	return 0;	744	ptrace_put_breakpoints(tsk);
		745	return err;
730	}	746	}
731		747
732	/*	748	/*