| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Aug 2010 16:29:52 -0400
From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To: Mark Asselstine <mark.asselstine@...driver.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
Ingo Molnar <mingo@...e.hu>,
Steven Rostedt <rostedt@...dmis.org>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
Peter Zijlstra <peterz@...radead.org>
Subject: Re: [PATCH] x86: avoid using vmalloc_to_page on non-vmalloc'ed
addresses
* Mark Asselstine (mark.asselstine@...driver.com) wrote:
> It is possible that addresses passed to text_poke() fall beyond _etext
> but are also not vmalloc'ed and thus should be using virt_to_page() and
> not vmalloc_to_page(). Using is_vmalloc_addr() ensures the proper logic
> is used to retrieve the page.
>
> Signed-off-by: Mark Asselstine <mark.asselstine@...driver.com>
> ---
> At the moment I don't believe there are any situations where this is a
> problem in Linus' tree but I know that mixing LTTng and RT with things
> can cause this to be troublesome. LTTng introduces an immediate value
> optimization which makes use of text_poke and this can happen beyond
> _etext. The example I was looking at is in rd_load_image which results
> in
>
> rd_load_image --> kmalloc --> trace_kmalloc --> imv_read
>
> The imv_read will insert a 'mov $0x0,%al' in rd_load_image which will
> later be the site of the text_poke when arch_imv_update is called.
> Looking at the addresses of my build _etext = c1490b2c,
> rd_load_image = c1671034 and VMALLOC_START = d87fd000. So in this case
> I believe, and this is where I suspect I will get some feedback, it
> is *not* acceptable to be doing a vmalloc_to_page() operation on the
> address which was not vmalloc'ed.
Hrm, so basically you have something that allocates kernel text outside of the
standard module-based scheme, so e.g. you rely on kmalloc rather than vmalloc to
allocate this. Yep, in this case, the text_poke check will fail to see that you
are using the linear mapping will try to use vmalloc_to_page incorrectly.
You patch makes sense, and would apply to the current -tip tree. I'd like to
hear other opinions on this, so I add a few CC.
Thanks,
Mathieu
>
> arch/x86/kernel/alternative.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index f65ab8b..0c8c26c 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -555,7 +555,7 @@ void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
> struct page *pages[2];
> int i;
>
> - if (!core_kernel_text((unsigned long)addr)) {
> + if (is_vmalloc_addr(addr)) {
> pages[0] = vmalloc_to_page(addr);
> pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
> } else {
> --
> 1.7.1
>
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists