lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130407114859.GC2186@linux.vnet.ibm.com>
Date:	Sun, 7 Apr 2013 17:18:59 +0530
From:	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
To:	Anton Arapov <anton@...hat.com>
Cc:	Oleg Nesterov <oleg@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Josh Stone <jistone@...hat.com>,
	Frank Eigler <fche@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...e.hu>,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	adrian.m.negreanu@...el.com, Torsten.Polle@....de
Subject: Re: [PATCH v1 3/9] uretprobes/x86: Hijack return address

* Anton Arapov <anton@...hat.com> [2013-04-03 18:00:33]:

> Hijack the return address and replace it with a trampoline address.
> 
> v1 changes:
> * use force_sig_info()
> * rework and simplify logic
> 
> RFCv5 changes:
> * change the fail return code, because orig_ret_vaddr=0 is possible
> * style fixup
> RFCv2 changes:
> * remove ->doomed flag, kill task immediately
> 
> Signed-off-by: Anton Arapov <anton@...hat.com>

Acked-by: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>

> ---
>  arch/x86/include/asm/uprobes.h |  1 +
>  arch/x86/kernel/uprobes.c      | 29 +++++++++++++++++++++++++++++
>  2 files changed, 30 insertions(+)
> 
> diff --git a/arch/x86/include/asm/uprobes.h b/arch/x86/include/asm/uprobes.h
> index 8ff8be7..6e51979 100644
> --- a/arch/x86/include/asm/uprobes.h
> +++ b/arch/x86/include/asm/uprobes.h
> @@ -55,4 +55,5 @@ extern int  arch_uprobe_post_xol(struct arch_uprobe *aup, struct pt_regs *regs);
>  extern bool arch_uprobe_xol_was_trapped(struct task_struct *tsk);
>  extern int  arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data);
>  extern void arch_uprobe_abort_xol(struct arch_uprobe *aup, struct pt_regs *regs);
> +extern unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs);
>  #endif	/* _ASM_UPROBES_H */
> diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
> index 0ba4cfb..2ed8459 100644
> --- a/arch/x86/kernel/uprobes.c
> +++ b/arch/x86/kernel/uprobes.c
> @@ -697,3 +697,32 @@ bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
>  		send_sig(SIGTRAP, current, 0);
>  	return ret;
>  }
> +
> +unsigned long
> +arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
> +{
> +	int rasize, ncopied;
> +	unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
> +
> +	rasize = is_ia32_task() ? 4 : 8;
> +	ncopied = copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize);
> +	if (unlikely(ncopied))
> +		return -1;
> +
> +	/* check whether address has been already hijacked */
> +	if (orig_ret_vaddr == trampoline_vaddr)
> +		return orig_ret_vaddr;
> +
> +	ncopied = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
> +	if (likely(!ncopied))
> +		return orig_ret_vaddr;
> +
> +	if (ncopied != rasize) {
> +		pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
> +			"%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
> +
> +		force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
> +	}
> +
> +	return -1;
> +}
> -- 
> 1.8.1.4
> 

-- 
Thanks and Regards
Srikar Dronamraju

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ