Merge pull request #120 from bytedance/b_allowlist_race

B allowlist race
bytedance · Aug 26, 2021 · 404c331 · 404c331
2 parents 67873a1 + dec1a9a
commit 404c331
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 45 deletions.
diff --git a/driver/LKM/src/filter.c b/driver/LKM/src/filter.c
@@ -129,7 +129,12 @@ int del_rb_by_data_exe_list(char *str)
         return 0;
 
     write_lock(&exe_allowlist_lock);
-    rb_erase(&data->node, &execve_exe_allowlist);
+    /* make sure node is still in rb tree */
+    data = search_rb(&execve_exe_allowlist, str);
+    if (data) {
+        rb_erase(&data->node, &execve_exe_allowlist);
+        execve_exe_allowlist_limit--;
+    }
     write_unlock(&exe_allowlist_lock);
 
     kfree(data->data);
@@ -145,7 +150,12 @@ int del_rb_by_data_argv_list(char *str)
         return 0;
 
     write_lock(&argv_allowlist_lock);
-    rb_erase(&data->node, &execve_argv_allowlist);
+    /* make sure node is still in rb tree */
+    data = search_rb(&execve_argv_allowlist, str);
+    if (data) {
+        rb_erase(&data->node, &execve_argv_allowlist);
+        execve_argv_allowlist_limit--;
+    }
     write_unlock(&argv_allowlist_lock);
 
     kfree(data->data);
@@ -168,23 +178,28 @@ static void rbtree_clear(struct rb_node *this_node)
     kfree(node);
 }
 
-static void add_execve_exe_allowlist(char *data)
+static int add_execve_exe_allowlist(char *data)
 {
     struct allowlist_node *node;
+    int rc = 0;
+
     if (!data)
-        return;
+        return -EINVAL;
 
     node = kzalloc(sizeof(struct allowlist_node), GFP_ATOMIC);
     if (!node)
-        return;
-
+        return -ENOMEM;
     node->data = data;
 
     write_lock(&exe_allowlist_lock);
-    if(!insert_rb(&execve_exe_allowlist, node))
+    rc = insert_rb(&execve_exe_allowlist, node);
+    if (rc)
+        execve_exe_allowlist_limit++;
+    else
         printk(KERN_INFO "[ELKEID] add_execve_exe_allowlist error\n");
     write_unlock(&exe_allowlist_lock);
 
+    return rc;
 }
 
 static int del_execve_exe_allowlist(char *data)
@@ -194,12 +209,11 @@ static int del_execve_exe_allowlist(char *data)
 
 static int del_all_execve_exe_allowlist(void)
 {
-    if (execve_exe_allowlist.rb_node != NULL) {
-        write_lock(&exe_allowlist_lock);
-        rbtree_clear(execve_exe_allowlist.rb_node);
-        execve_exe_allowlist = RB_ROOT;
-        write_unlock(&exe_allowlist_lock);
-    }
+    write_lock(&exe_allowlist_lock);
+    rbtree_clear(execve_exe_allowlist.rb_node);
+    execve_exe_allowlist = RB_ROOT;
+    execve_exe_allowlist_limit = 0;
+    write_unlock(&exe_allowlist_lock);
 
     return 0;
 }
@@ -232,22 +246,28 @@ int execve_exe_check(char *data)
     return res;
 }
 
-static void add_execve_argv_allowlist(char *data)
+static int add_execve_argv_allowlist(char *data)
 {
     struct allowlist_node *node;
+    int rc = 0;
+
     if (!data)
-        return;
+        return -EINVAL;
 
     node = kzalloc(sizeof(struct allowlist_node), GFP_ATOMIC);
     if (!node)
-        return;
-
+        return -ENOMEM;
     node->data = data;
 
     write_lock(&argv_allowlist_lock);
-    if(!insert_rb(&execve_argv_allowlist, node))
+    rc = insert_rb(&execve_argv_allowlist, node);
+    if (rc)
+        execve_argv_allowlist_limit++;
+    else
         printk(KERN_INFO "[ELKEID] add_execve_argv_allowlist error\n");
     write_unlock(&argv_allowlist_lock);
+
+    return rc;
 }
 
 static int del_execve_argv_allowlist(char *data)
@@ -263,6 +283,7 @@ static void del_all_execve_argv_allowlist(void)
     write_lock(&argv_allowlist_lock);
     rbtree_clear(execve_argv_allowlist.rb_node);
     execve_argv_allowlist = RB_ROOT;
+    execve_argv_allowlist_limit = 0;
     write_unlock(&argv_allowlist_lock);
 
 }
@@ -300,7 +321,6 @@ static ssize_t device_write(struct file *filp, const __user char *buff,
 {
     char *data_main;
     int res;
-    int del_res;
     char flag;
 
     if (len < ALLOWLIST_NODE_MIN || len > ALLOWLIST_NODE_MAX)
@@ -321,21 +341,17 @@ static ssize_t device_write(struct file *filp, const __user char *buff,
     switch (flag) {
         case ADD_EXECVE_EXE_SHITELIST:
             if (execve_exe_allowlist_limit <= 96){
-                execve_exe_allowlist_limit++;
                 /* assgin data_main to rb node */
                 add_execve_exe_allowlist(smith_strim(data_main));
                 data_main = NULL;
             }
             break;
 
         case DEL_EXECVE_EXE_SHITELIST:
-            del_res = del_execve_exe_allowlist(strim(data_main));
-            if (del_res == 1)
-                execve_exe_allowlist_limit--;
+            del_execve_exe_allowlist(strim(data_main));
             break;
 
         case DEL_ALL_EXECVE_EXE_SHITELIST:
-            execve_exe_allowlist_limit = 0;
             del_all_execve_exe_allowlist();
             break;
 
@@ -352,20 +368,17 @@ static ssize_t device_write(struct file *filp, const __user char *buff,
 
         case ADD_EXECVE_ARGV_SHITELIST:
             if (execve_argv_allowlist_limit <= 96){
-                execve_argv_allowlist_limit++;
                 /* assgin data_main to rb node */
                 add_execve_argv_allowlist(smith_strim(data_main));
                 data_main = NULL;
             }
             break;
 
         case DEL_EXECVE_ARGV_SHITELIST:
-            del_res = del_execve_argv_allowlist(strim(data_main));
-            execve_argv_allowlist_limit--;
+            del_execve_argv_allowlist(strim(data_main));
             break;
 
         case DEL_ALL_EXECVE_ARGV_SHITELIST:
-            execve_argv_allowlist_limit = 0;
             del_all_execve_argv_allowlist();
             break;
 

diff --git a/driver/LKM/src/smith_hook.c b/driver/LKM/src/smith_hook.c
@@ -12,8 +12,6 @@
 
 #define EXIT_PROTECT 0
 #define SANDBOX 0
-
-#define MAXACTIVE (24 * NR_CPUS)
 #define SMITH_MAX_ARG_STRINGS (16)
 
 // Hook on-off
@@ -2537,7 +2535,6 @@ struct kretprobe execveat_kretprobe = {
 	    .entry_handler = execveat_entry_handler,
 	    .data_size = sizeof(struct execve_data),
 	    .handler = execve_handler,
-	    .maxactive = MAXACTIVE,
 };
 #endif
 
@@ -2546,7 +2543,6 @@ struct kretprobe execve_kretprobe = {
         .entry_handler = execve_entry_handler,
         .data_size = sizeof(struct execve_data),
         .handler = execve_handler,
-        .maxactive = MAXACTIVE,
 };
 
 #ifdef CONFIG_COMPAT
@@ -2555,7 +2551,6 @@ struct kretprobe compat_execve_kretprobe = {
 	    .entry_handler = compat_execve_entry_handler,
 	    .data_size = sizeof(struct execve_data),
 	    .handler = execve_handler,
-	    .maxactive = MAXACTIVE,
 };
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,19,0)
@@ -2564,7 +2559,6 @@ struct kretprobe compat_execveat_kretprobe = {
 	    .entry_handler = compat_execveat_entry_handler,
 	    .data_size = sizeof(struct execve_data),
 	    .handler = execve_handler,
-	    .maxactive = MAXACTIVE,
 };
 #endif
 #endif
@@ -2611,7 +2605,6 @@ struct kretprobe udp_recvmsg_kretprobe = {
         .data_size = sizeof(struct udp_recvmsg_data),
         .handler = udp_recvmsg_handler,
         .entry_handler = udp_recvmsg_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 #if IS_ENABLED(CONFIG_IPV6)
@@ -2620,23 +2613,20 @@ struct kretprobe udpv6_recvmsg_kretprobe = {
 	    .data_size = sizeof(struct udp_recvmsg_data),
 	    .handler = udp_recvmsg_handler,
 	    .entry_handler = udpv6_recvmsg_entry_handler,
-	    .maxactive = MAXACTIVE,
 };
 
 struct kretprobe ip6_datagram_connect_kretprobe = {
 	    .kp.symbol_name = "ip6_datagram_connect",
 	    .data_size = sizeof(struct connect_data),
 	    .handler = connect_handler,
 	    .entry_handler = ip6_datagram_connect_entry_handler,
-	    .maxactive = MAXACTIVE,
 };
 
 struct kretprobe tcp_v6_connect_kretprobe = {
 	    .kp.symbol_name = "tcp_v6_connect",
 	    .data_size = sizeof(struct connect_data),
 	    .handler = connect_handler,
 	    .entry_handler = tcp_v6_connect_entry_handler,
-	    .maxactive = MAXACTIVE,
 };
 #endif
 
@@ -2645,39 +2635,34 @@ struct kretprobe ip4_datagram_connect_kretprobe = {
         .data_size = sizeof(struct connect_data),
         .handler = connect_handler,
         .entry_handler = ip4_datagram_connect_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kretprobe tcp_v4_connect_kretprobe = {
         .kp.symbol_name = "tcp_v4_connect",
         .data_size = sizeof(struct connect_data),
         .handler = connect_handler,
         .entry_handler = tcp_v4_connect_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kretprobe connect_syscall_kretprobe = {
         .kp.symbol_name = P_GET_SYSCALL_NAME(connect),
         .data_size = sizeof(struct connect_syscall_data),
         .handler = connect_syscall_handler,
         .entry_handler = connect_syscall_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kretprobe accept_kretprobe = {
         .kp.symbol_name = P_GET_SYSCALL_NAME(accept),
         .data_size = sizeof(struct accept_data),
         .handler = accept_handler,
         .entry_handler = accept_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kretprobe accept4_kretprobe = {
         .kp.symbol_name = P_GET_SYSCALL_NAME(accept4),
         .data_size = sizeof(struct accept_data),
         .handler = accept_handler,
         .entry_handler = accept4_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kprobe do_init_module_kprobe = {
@@ -2690,7 +2675,6 @@ struct kretprobe update_cred_kretprobe = {
         .data_size = sizeof(struct update_cred_data),
         .handler = update_cred_handler,
         .entry_handler = update_cred_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kprobe security_inode_create_kprobe = {
@@ -2703,7 +2687,6 @@ struct kretprobe bind_kretprobe = {
         .data_size = sizeof(struct bind_data),
         .handler = bind_handler,
         .entry_handler = bind_entry_handler,
-        .maxactive = MAXACTIVE,
 };
 
 struct kprobe mprotect_kprobe = {