ED: Fix potential task_struct double-frees when iterating over tasks

kerneltoast · kerneltoast · commit e53a69450e93 · 2025-03-03T14:13:56.000-08:00
get_task_struct() is used on every task iterated upon in p_seccomp_entry()
and p_iterate_processes() without a check to verify that the task_struct's
refcount isn't already zero. It is therefore possible for LKRG to increment
a dead task_struct's refcount from zero to one, thereby causing a double-
free on the task_struct when the complementary put_task_struct() call takes
place.

Since the memory for a task_struct pointer obtained via one of the task
list loop macros is protected via RCU, and RCU read lock protection already
encapsulates LKRG's task iterations, the {get|put}_task_struct() calls are
superfluous.

Drop the {get|put}_task_struct() calls entirely to fix the potential
double-free. This has the added bonus of speeding up the iteration because
LKRG's iteration will never put a task_struct's last reference and get
stuck doing task cleanup as a result.

Signed-off-by: Sultan Alsawaf &lt;sultan@ciq.com&gt;
diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
@@ -1139,10 +1139,8 @@ static unsigned int p_iterate_processes(int (*p_func)(void *), char p_ver) {
    do_each_thread(p_ptmp, p_tmp) {
 #endif
 
-      get_task_struct(p_tmp);
       /* do not touch kernel threads or the global init */
       if (!p_is_ed_task(p_tmp)) {
-         put_task_struct(p_tmp);
          continue;
       }
 
@@ -1156,7 +1154,6 @@ static unsigned int p_iterate_processes(int (*p_func)(void *), char p_ver) {
             }
          }
       }
-      put_task_struct(p_tmp);
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
    }
diff --git a/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c b/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c
@@ -67,7 +67,6 @@ int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
          rcu_read_lock();
          // Available since 3.14.0
          for_each_thread(p_father, p_threads) {
-            get_task_struct(p_threads);
             p_child_tmp = p_find_ed_by_pid(task_pid_nr(p_threads));
             if (p_child_tmp) {
 #ifdef P_LKRG_TASK_OFF_DEBUG
@@ -80,7 +79,6 @@ int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
                p_child_tmp->p_ed_task.p_sec.flag_sync_thread = 1;
                p_set_ed_process_off(p_child_tmp);
             }
-            put_task_struct(p_threads);
          }
          rcu_read_unlock();
       } else {

Original file line number	Diff line number	Diff line change
`@@ -1139,10 +1139,8 @@ static unsigned int p_iterate_processes(int (p_func)(void ), char p_ver) {`
`1139`	`1139`	`do_each_thread(p_ptmp, p_tmp) {`
`1140`	`1140`	`#endif`
`1141`	`1141`
`1142`		`- get_task_struct(p_tmp);`
`1143`	`1142`	`/* do not touch kernel threads or the global init */`
`1144`	`1143`	`if (!p_is_ed_task(p_tmp)) {`
`1145`		`- put_task_struct(p_tmp);`
`1146`	`1144`	`continue;`
`1147`	`1145`	`}`
`1148`	`1146`
`@@ -1156,7 +1154,6 @@ static unsigned int p_iterate_processes(int (p_func)(void ), char p_ver) {`
`1156`	`1154`	`}`
`1157`	`1155`	`}`
`1158`	`1156`	`}`
`1159`		`- put_task_struct(p_tmp);`
`1160`	`1157`
`1161`	`1158`	`#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)`
`1162`	`1159`	`}`