lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 5 Jun 2015 23:40:03 +0200
From:	Oleg Nesterov <oleg@...hat.com>
To:	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	Anton Arapov <arapov@...il.com>,
	David Long <dave.long@...aro.org>,
	Denys Vlasenko <dvlasenk@...hat.com>,
	"Frank Ch. Eigler" <fche@...hat.com>,
	Ingo Molnar <mingo@...nel.org>,
	Jan Willeke <willeke@...ibm.com>,
	Jim Keniston <jkenisto@...ibm.com>,
	Mark Wielaard <mjw@...hat.com>,
	Pratyush Anand <panand@...hat.com>,
	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 09/10] uprobes: Change prepare_uretprobe() to (try to)
	flush the dead frames

On 05/04, Oleg Nesterov wrote:
>
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -1522,6 +1522,16 @@ static unsigned long get_trampoline_vaddr(void)
>  	return trampoline_vaddr;
>  }
>  
> +static void cleanup_return_instances(struct uprobe_task *utask, struct pt_regs *regs)
> +{
> +	struct return_instance *ri = utask->return_instances;
> +	while (ri && !arch_uretprobe_is_alive(&ri->auret, regs)) {
> +		ri = free_ret_instance(ri);
> +		utask->depth--;
> +	}
> +	utask->return_instances = ri;
> +}
> +
>  static void prepare_uretprobe(struct uprobe *uprobe, struct pt_regs *regs)
>  {
>  	struct return_instance *ri;
> @@ -1576,6 +1586,9 @@ static void prepare_uretprobe(struct uprobe *uprobe, struct pt_regs *regs)
>  	ri->orig_ret_vaddr = orig_ret_vaddr;
>  	ri->chained = chained;
>  
> +	if (utask->depth) /* drop the entries invalidated by longjmp() */
> +		cleanup_return_instances(utask, regs);
> +

Self nack ;)

Note that that prepare_uretprobe() does

	if (orig_ret_vaddr == trampoline_vaddr) {
		if (!utask->return_instances) {
			/*
			 * This situation is not possible. Likely we have an
			 * attack from user-space.
			 */
			pr_warn("uprobe: unable to set uretprobe pid/tgid=%d/%d\n",
						current->pid, current->tgid);
			goto fail;

_before_ we do cleanup_return_instances().

This is actually fine in a sense that ->return_instances == NULL after
cleanup_return_instances() is not possible if chained, there should be
another _alive() frame. But malicious user can obviously fool the kernel.

Easy to fix. But after discussion with Srikar and Pratyush (thanks!) I
decided to update 6-10.

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ