CVE-2022-50654

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix panic due to wrong pageattr of im-&gt;image<br /> <br /> In the scenario where livepatch and kretfunc coexist, the pageattr of<br /> im-&gt;image is rox after arch_prepare_bpf_trampoline in<br /> bpf_trampoline_update, and then modify_fentry or register_fentry returns<br /> -EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag<br /> will be configured, and arch_prepare_bpf_trampoline will be re-executed.<br /> <br /> At this time, because the pageattr of im-&gt;image is rox,<br /> arch_prepare_bpf_trampoline will read and write im-&gt;image, which causes<br /> a fault. as follows:<br /> <br /> insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c<br /> bpftrace -e &amp;#39;kretfunc:cmdline_proc_show {}&amp;#39;<br /> <br /> BUG: unable to handle page fault for address: ffffffffa0206000<br /> PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061<br /> Oops: 0003 [#1] PREEMPT SMP PTI<br /> CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5<br /> RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0<br /> RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202<br /> RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000<br /> RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030<br /> RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400<br /> R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8<br /> R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10<br /> FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> bpf_trampoline_update+0x25a/0x6b0<br /> __bpf_trampoline_link_prog+0x101/0x240<br /> bpf_trampoline_link_prog+0x2d/0x50<br /> bpf_tracing_prog_attach+0x24c/0x530<br /> bpf_raw_tp_link_attach+0x73/0x1d0<br /> __sys_bpf+0x100e/0x2570<br /> __x64_sys_bpf+0x1c/0x30<br /> do_syscall_64+0x5b/0x80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> With this patch, when modify_fentry or register_fentry returns -EAGAIN<br /> from bpf_tramp_ftrace_ops_func, the pageattr of im-&gt;image will be reset<br /> to nx+rw.