[PATCH] proc: fix use-after-free in proc_get_inode()

Ye Bin <yebin@xxxxxxxxxxxxxxx> · Sat, 1 Mar 2025 11:40:24 +0800

From: Ye Bin <yebin10@xxxxxxxxxx>

There's a issue as follows:
BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_lookup_de+0x11f/0x2e0
 __lookup_slow+0x188/0x350
 walk_component+0x2ab/0x4f0
 path_lookupat+0x120/0x660
 filename_lookup+0x1ce/0x560
 vfs_statx+0xac/0x150
 __do_sys_newstat+0x96/0x110
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Above issue may happen as follows:
      rmmod                         lookup
sys_delete_module
                         proc_lookup_de
                           read_lock(&proc_subdir_lock);
			   pde_get(de);
			   read_unlock(&proc_subdir_lock);
			   proc_get_inode(dir->i_sb, de);
  mod->exit()
    proc_remove
      remove_proc_subtree
       write_lock(&proc_subdir_lock);
       write_unlock(&proc_subdir_lock);
       proc_entry_rundown(de);
  free_module(mod);

                               if (S_ISREG(inode->i_mode))
	                         if (de->proc_ops->proc_read_iter)
                           --> As module is already freed, will trigger UAF

To solve above issue there's need to get 'in_use' before use proc_dir_entry
in proc_get_inode().

Fixes: fd5a13f4893c ("proc: add a read_iter method to proc proc_ops")
Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
Signed-off-by: Ye Bin <yebin10@xxxxxxxxxx>
---
 fs/proc/inode.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/proc/inode.c b/fs/proc/inode.c
index 626ad7bd94f2..decfb3d9a632 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -644,6 +644,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
 		return inode;
 	}
 
+	if (!pde_is_permanent(de) && !use_pde(de)) {
+		pde_put(de);
+		return NULL;
+	}
+
 	if (de->mode) {
 		inode->i_mode = de->mode;
 		inode->i_uid = de->uid;
@@ -677,5 +682,9 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
 	} else {
 		BUG();
 	}
+
+	if (!pde_is_permanent(de))
+		unuse_pde(de);
+
 	return inode;
 }
-- 
2.34.1








