lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Aug 2010 15:29:16 -0400
From:	Mark Asselstine <mark.asselstine@...driver.com>
To:	linux-kernel@...r.kernel.org, x86@...nel.org,
	mathieu.desnoyers@...icios.com
Subject: [PATCH] x86: avoid using vmalloc_to_page on non-vmalloc'ed addresses

It is possible that addresses passed to text_poke() fall beyond _etext
but are also not vmalloc'ed and thus should be using virt_to_page() and
not vmalloc_to_page(). Using is_vmalloc_addr() ensures the proper logic
is used to retrieve the page.

Signed-off-by: Mark Asselstine <mark.asselstine@...driver.com>
---
At the moment I don't believe there are any situations where this is a
problem in Linus' tree but I know that mixing LTTng and RT with things
can cause this to be troublesome. LTTng introduces an immediate value
optimization which makes use of text_poke and this can happen beyond
_etext. The example I was looking at is in rd_load_image which results
in

rd_load_image --> kmalloc  --> trace_kmalloc --> imv_read

The imv_read will insert a 'mov $0x0,%al' in rd_load_image which will
later be the site of the text_poke when arch_imv_update is called.
Looking at the addresses of my build _etext = c1490b2c,
rd_load_image = c1671034 and VMALLOC_START = d87fd000. So in this case
I believe, and this is where I suspect I will get some feedback, it
is *not* acceptable to be doing a vmalloc_to_page() operation on the
address which was not vmalloc'ed.

 arch/x86/kernel/alternative.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index f65ab8b..0c8c26c 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -555,7 +555,7 @@ void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
 	struct page *pages[2];
 	int i;
 
-	if (!core_kernel_text((unsigned long)addr)) {
+	if (is_vmalloc_addr(addr)) {
 		pages[0] = vmalloc_to_page(addr);
 		pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
 	} else {
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ