| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4D5AA209.7070309@hitachi.com> Date: Wed, 16 Feb 2011 00:55:53 +0900 From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> To: Jiri Olsa <jolsa@...hat.com> Cc: linux-kernel@...r.kernel.org Subject: Re: [RFC,PATCH] kprobes - optimized kprobes might crash before setting kernel stack (2011/02/15 21:30), Jiri Olsa wrote: > On Tue, Feb 15, 2011 at 06:41:58PM +0900, Masami Hiramatsu wrote: >> (2011/02/15 0:12), Jiri Olsa wrote: >>> hi, >>> >>> you can crash the kernel using kprobe tracer via: >>> >>> echo "p system_call_after_swapgs" > ./kprobe_events >>> echo 1 > ./events/kprobes/enable >> >> Ah, thank you very much! >> >>> The reason is that at the system_call_after_swapgs label, >>> the kernel stack is not set up. If optimized kprobes are >>> enabled, the user space stack is being used in this case >>> (see optimized kprobe template) and this might result in a crash. >> >> Verified here, and also it didn't occur when turning optimization >> off by sysctl. So this is a bug of kprobe jump optimization, not >> kprobes itself. >> >>> Looks like there are several places like this over the entry_$(BIT) >>> code. First I thought it'd be ok to localize those places, but >>> I haven't found any reasonable/maintainable way to disable only those >>> places. >> >> Hmm, agreed. >> >>> So I switched off the whole entry code from optimizing, but this >>> also switch many safe places (attached patch - tested on x86_64). >> >> I'm OK for this solution. I think possible another solution is using >> interrupt stack in optprobe template too. Anyway in short term, this >> solution will be good. > > ok, I'll test on 32 bits and resend to Ingo Thanks! And also, with deeply thinking about this problem, it seems that your idea could be the best way to fix, because kprobes can not know where the kernel stack is ready without those text section. >>> Also not sure this crash falls in to the area of that once such >>> probe is used, user should know consequences.. >> >> User can see that those probe is not optimized via sysfs. > > I cannot find this, where can I see this info? Ah, actually, that is under debugfs, which is usually mounted on /sys/kernel/debug. You can read "/sys/kernel/debug/kprobes/list" for getting a list of currently registered probes. Thank you, -- Masami HIRAMATSU 2nd Dept. Linux Technology Center Hitachi, Ltd., Systems Development Laboratory E-mail: masami.hiramatsu.pt@...achi.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists