Commit 67b3d3cc authored by Andrey Konovalov's avatar Andrey Konovalov Committed by Linus Torvalds

kcov: fix potential use-after-free in kcov_remote_start

If vmalloc() fails in kcov_remote_start() we'll access remote->kcov
without holding kcov_remote_lock, so remote might potentially be freed at
that point.  Cache kcov pointer in a local variable.
Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Reviewed-by: default avatarDmitry Vyukov <dvyukov@google.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Alexander Potapenko <glider@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Link: http://lkml.kernel.org/r/9d9134359725a965627b7e8f2652069f86f1d1fa.1585233617.git.andreyknvl@google.com
Link: http://lkml.kernel.org/r/de0d3d30ff90776a2a509cc34c7c1c7521bda125.1584655448.git.andreyknvl@google.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 3c61df38
...@@ -748,6 +748,7 @@ static const struct file_operations kcov_fops = { ...@@ -748,6 +748,7 @@ static const struct file_operations kcov_fops = {
void kcov_remote_start(u64 handle) void kcov_remote_start(u64 handle)
{ {
struct kcov_remote *remote; struct kcov_remote *remote;
struct kcov *kcov;
void *area; void *area;
struct task_struct *t; struct task_struct *t;
unsigned int size; unsigned int size;
...@@ -774,16 +775,17 @@ void kcov_remote_start(u64 handle) ...@@ -774,16 +775,17 @@ void kcov_remote_start(u64 handle)
spin_unlock(&kcov_remote_lock); spin_unlock(&kcov_remote_lock);
return; return;
} }
kcov = remote->kcov;
/* Put in kcov_remote_stop(). */ /* Put in kcov_remote_stop(). */
kcov_get(remote->kcov); kcov_get(kcov);
t->kcov = remote->kcov; t->kcov = kcov;
/* /*
* Read kcov fields before unlock to prevent races with * Read kcov fields before unlock to prevent races with
* KCOV_DISABLE / kcov_remote_reset(). * KCOV_DISABLE / kcov_remote_reset().
*/ */
size = remote->kcov->remote_size; size = kcov->remote_size;
mode = remote->kcov->mode; mode = kcov->mode;
sequence = remote->kcov->sequence; sequence = kcov->sequence;
area = kcov_remote_area_get(size); area = kcov_remote_area_get(size);
spin_unlock(&kcov_remote_lock); spin_unlock(&kcov_remote_lock);
...@@ -791,7 +793,7 @@ void kcov_remote_start(u64 handle) ...@@ -791,7 +793,7 @@ void kcov_remote_start(u64 handle)
area = vmalloc(size * sizeof(unsigned long)); area = vmalloc(size * sizeof(unsigned long));
if (!area) { if (!area) {
t->kcov = NULL; t->kcov = NULL;
kcov_put(remote->kcov); kcov_put(kcov);
return; return;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment