Commit b0fd1852 authored by KP Singh's avatar KP Singh Committed by Martin KaFai Lau

bpf: Fix UAF in task local storage

When task local storage was generalized for tracing programs, the
bpf_task_local_storage callback was moved from a BPF LSM hook
callback for security_task_free LSM hook to it's own callback. But a
failure case in bad_fork_cleanup_security was missed which, when
triggered, led to a dangling task owner pointer and a subsequent
use-after-free. Move the bpf_task_storage_free to the very end of
free_task to handle all failure cases.

This issue was noticed when a BPF LSM program was attached to the
task_alloc hook on a kernel with KASAN enabled. The program used
bpf_task_storage_get to copy the task local storage from the current
task to the new task being created.

Fixes: a10787e6 ("bpf: Enable task local storage for tracing programs")
Reported-by: default avatarKuba Piecuch <jpiecuch@google.com>
Signed-off-by: default avatarKP Singh <kpsingh@kernel.org>
Acked-by: default avatarSong Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230602002612.1117381-1-kpsingh@kernel.orgSigned-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
parent b320a456
...@@ -627,6 +627,7 @@ void free_task(struct task_struct *tsk) ...@@ -627,6 +627,7 @@ void free_task(struct task_struct *tsk)
arch_release_task_struct(tsk); arch_release_task_struct(tsk);
if (tsk->flags & PF_KTHREAD) if (tsk->flags & PF_KTHREAD)
free_kthread_struct(tsk); free_kthread_struct(tsk);
bpf_task_storage_free(tsk);
free_task_struct(tsk); free_task_struct(tsk);
} }
EXPORT_SYMBOL(free_task); EXPORT_SYMBOL(free_task);
...@@ -979,7 +980,6 @@ void __put_task_struct(struct task_struct *tsk) ...@@ -979,7 +980,6 @@ void __put_task_struct(struct task_struct *tsk)
cgroup_free(tsk); cgroup_free(tsk);
task_numa_free(tsk, true); task_numa_free(tsk, true);
security_task_free(tsk); security_task_free(tsk);
bpf_task_storage_free(tsk);
exit_creds(tsk); exit_creds(tsk);
delayacct_tsk_free(tsk); delayacct_tsk_free(tsk);
put_signal_struct(tsk->signal); put_signal_struct(tsk->signal);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment