| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <49809CCE.40409@redhat.com> Date: Wed, 28 Jan 2009 12:58:38 -0500 From: Masami Hiramatsu <mhiramat@...hat.com> To: Mathieu Desnoyers <mathieu.desnoyers@...ymtl.ca> CC: Nick Piggin <npiggin@...e.de>, LKML <linux-kernel@...r.kernel.org>, Ananth N Mavinakayanahalli <ananth@...ibm.com>, Jim Keniston <jkenisto@...ibm.com>, systemtap-ml <systemtap@...rces.redhat.com>, "Frank Ch. Eigler" <fche@...hat.com> Subject: Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Mathieu Desnoyers wrote: > * Masami Hiramatsu (mhiramat@...hat.com) wrote: >> Mathieu Desnoyers wrote: [...] >>> All this called in a loop. This would help isolating the "vmap" part of >>> the issue. If this test is not enough, then we should maybe try >>> something like this in a kernel module (which does what text_poke does >>> with vmalloc, more or less) in a loop : >>> >>> char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); >>> char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); >> Should both of them have PAGE_SIZE*2? >> > > Yes. > >>> void test_vmap(void) >>> } >>> struct page *pages[2]; >>> char *vaddr; >>> int i; >>> >>> for (i = 0; i < 2 * PAGE_SIZE; i++) >>> copydata[i] = somedata[i]; >>> page[0] = virt_to_page(&somedata); >>> BUG_ON(!page[0]); >>> page[1] = virt_to_page(&somedata + PAGE_SIZE); >>> BUG_ON(!page[1]); Oops, these should be vmalloc_to_page(), shouldn't it? >>> vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL); >>> BUG_ON(!vaddr); >>> >>> for (i = 0; i < 2 * PAGE_SIZE; i++) >>> vaddr[i] = copydata[i] + 1; >>> >>> vunmap(vaddr); >>> >>> for (i = 0; i < 2 * PAGE_SIZE; i++) >>> BUG_ON(somedata[i] != copydata[i] + 1); >>> } >> Hmm, when I ran above code, it hit the last BUG_ON(). >> I checked that somedata[i] didn't updated. >> > > Do you hit the BUG_ON after the first loop ? At the first loop, it hit the BUG_ON. >>> Given you don't seem to have hit the >>> for (i = 0; i < len; i++) >>> BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]); >>> test at the end of text_poke, >> However, when I ran kprobe-based test, it doesn't hit the BUG_ON() >> in text_poke(). >> > > The variable declarations should have been 2*PAGE_SIZE, hopefully you > fixed them. Sure, > There is also a sync_core() in text_poke. It should not matter, but > maybe that could help ? Adding sync_core() could not help me... anyway, I'll try again with using vmalloc_to_page(). >>> I suspect the write through the vmapped >>> area is correctly done, but that the problem may lay in the mm layer. >>> Maybe it's running out of pre-allocated vmap areas or something like >>> this ? >> I haven't seen vmalloc failure message on 2.6.29-rc2. >> > > It could be because the available vmalloc space is slightly higher. > Looking into the lazy vunmap threshold would be useful. > > You could also try with loop values higher than 400. OK, Thanks, -- Masami Hiramatsu Software Engineer Hitachi Computer Products (America) Inc. Software Solutions Division e-mail: mhiramat@...hat.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists