perf bpf-event: Fix use-after-free in synthesis

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Calls to perf_env__insert_bpf_prog_info may fail as a sideband thread
may already have inserted the bpf_prog_info. Such failures may yield
info_linear being freed which then causes use-after-free issues with
the internal bpf_prog_info info struct. Make it so that
perf_env__insert_bpf_prog_info trigger early non-error paths and fix
the use-after-free in perf_event__synthesize_one_bpf_prog. Add proper
return error handling to perf_env__add_bpf_info (that calls
perf_env__insert_bpf_prog_info) and propagate the return value in its
callers.

Closes: https://lore.kernel.org/lkml/CAP-5=fWJQcmUOP7MuCA2ihKnDAHUCOBLkQFEkQES-1ZZTrgf8Q@mail.gmail.com/
Fixes: 03edb7020bb9 ("perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()")
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250902181713.309797-2-irogers@google.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>

authored by

Ian Rogers and committed by

Namhyung Kim 7 months ago d7b67dd6 2c369d91

+27 -12

1 changed file

expand all

tools

perf

util

bpf-event.c

+27 -12

tools/perf/util/bpf-event.c

··· 657 657 info_node->info_linear = info_linear; 658 658 info_node->metadata = NULL; 659 659 if (!perf_env__insert_bpf_prog_info(env, info_node)) { 660 - free(info_linear); 660 + /* 661 + * Insert failed, likely because of a duplicate event 662 + * made by the sideband thread. Ignore synthesizing the 663 + * metadata. 664 + */ 661 665 free(info_node); 666 + goto out; 662 667 } 668 + /* info_linear is now owned by info_node and shouldn't be freed below. */ 663 669 info_linear = NULL; 664 670 665 671 /* ··· 833 827 return err; 834 828 } 835 829 836 - static void perf_env__add_bpf_info(struct perf_env *env, u32 id) 830 + static int perf_env__add_bpf_info(struct perf_env *env, u32 id) 837 831 { 838 832 struct bpf_prog_info_node *info_node; 839 833 struct perf_bpil *info_linear; 840 834 struct btf *btf = NULL; 841 835 u64 arrays; 842 836 u32 btf_id; 843 - int fd; 837 + int fd, err = 0; 844 838 845 839 fd = bpf_prog_get_fd_by_id(id); 846 840 if (fd < 0) 847 - return; 841 + return -EINVAL; 848 842 849 843 arrays = 1UL << PERF_BPIL_JITED_KSYMS; 850 844 arrays |= 1UL << PERF_BPIL_JITED_FUNC_LENS; ··· 858 852 info_linear = get_bpf_prog_info_linear(fd, arrays); 859 853 if (IS_ERR_OR_NULL(info_linear)) { 860 854 pr_debug("%s: failed to get BPF program info. aborting\n", __func__); 855 + err = PTR_ERR(info_linear); 861 856 goto out; 862 857 } 863 858 ··· 869 862 info_node->info_linear = info_linear; 870 863 info_node->metadata = bpf_metadata_create(&info_linear->info); 871 864 if (!perf_env__insert_bpf_prog_info(env, info_node)) { 865 + pr_debug("%s: duplicate add bpf info request for id %u\n", 866 + __func__, btf_id); 872 867 free(info_linear); 873 868 free(info_node); 869 + goto out; 874 870 } 875 - } else 871 + } else { 876 872 free(info_linear); 873 + err = -ENOMEM; 874 + goto out; 875 + } 877 876 878 877 if (btf_id == 0) 879 878 goto out; 880 879 881 880 btf = btf__load_from_kernel_by_id(btf_id); 882 - if (libbpf_get_error(btf)) { 883 - pr_debug("%s: failed to get BTF of id %u, aborting\n", 884 - __func__, btf_id); 885 - goto out; 881 + if (!btf) { 882 + err = -errno; 883 + pr_debug("%s: failed to get BTF of id %u %d\n", __func__, btf_id, err); 884 + } else { 885 + perf_env__fetch_btf(env, btf_id, btf); 886 886 } 887 - perf_env__fetch_btf(env, btf_id, btf); 888 887 889 888 out: 890 889 btf__free(btf); 891 890 close(fd); 891 + return err; 892 892 } 893 893 894 894 static int bpf_event__sb_cb(union perf_event *event, void *data) 895 895 { 896 896 struct perf_env *env = data; 897 + int ret = 0; 897 898 898 899 if (event->header.type != PERF_RECORD_BPF_EVENT) 899 900 return -1; 900 901 901 902 switch (event->bpf.type) { 902 903 case PERF_BPF_EVENT_PROG_LOAD: 903 - perf_env__add_bpf_info(env, event->bpf.id); 904 + ret = perf_env__add_bpf_info(env, event->bpf.id); 904 905 905 906 case PERF_BPF_EVENT_PROG_UNLOAD: 906 907 /* ··· 922 907 break; 923 908 } 924 909 925 - return 0; 910 + return ret; 926 911 } 927 912 928 913 int evlist__add_bpf_sb_event(struct evlist *evlist, struct perf_env *env)