| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Dec 2013 19:53:40 +0900 From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> To: Ingo Molnar <mingo@...nel.org> Cc: Ananth N Mavinakayanahalli <ananth@...ibm.com>, Sandeepa Prabhu <sandeepa.prabhu@...aro.org>, x86@...nel.org, lkml <linux-kernel@...r.kernel.org>, "Steven Rostedt (Red Hat)" <rostedt@...dmis.org>, systemtap@...rceware.org, "David S. Miller" <davem@...emloft.net> Subject: Re: Re: Re: [PATCH -tip v4 0/6] kprobes: introduce NOKPROBE_SYMBOL() and fixes crash bugs Hi Ingo, (2013/12/13 14:34), Masami Hiramatsu wrote: >>>>> And also, even if we can detect the recursion, we can't stop the >>>>> kernel, we need to skip the probe. This means that we need to >>>>> recover to the main execution path by doing single step. As you >>>>> may know, since the single stepping involves the debug exception, >>>>> we have to avoid proving on that path too. Or we'll have an >>>>> infinite recursion again. >>>> >>>> I don't see why this is needed: if a "probing is disabled" >>>> recursion flag is set the moment the first probe fires, and if >>>> it's only cleared once all processing is finished, then any >>>> intermediate probes should simply return early from int3 and not >>>> fire. >>> >>> No, because the int3 already changes the original instruction. >>> This means that you cannot skip singlestep(or emulate) the >>> instruction which is copied to execution buffer (ainsn->insn), >>> even if you have such the flag. >>> So, kprobe requires the annotations on the singlestep path. >> >> I don't understand this reasoning. >> >> Lets assume we allow a probe to be inserted in the single-step path. >> Such a probe will be an INT3 instruction and if it hits we get a >> recursive INT3 invocation. In that case the INT3 handler should simply >> restore the original instruction and _leave it so_. There's no >> single-stepping needed - the probe is confused and must be discarded. > > But how can we restore the protected kernel text? > If we use text_poke, we also need to prohibit probing on the text_poke > and functions called in the text_poke too. That just shifts the annotated > area to the text_poke. :( OK, I've checked current text_poke() and thought how we can do that. The current text_poke() uses special fixmap to make alias pages for avoiding kernel-text readonly protection. For protecting the fixmap pages, we are currently using text_mutex and this is why we can't use it in exception path. There are other minor issues, but it seems to be fixed easily. :) Thus, for recovering original instruction in the int3 handler, I'd like to propose adding another text_poke like function, which requires another fixmap page and protects it by using raw_spinlock (to avoid tracing), and just support one-byte poke (this means it never across the page boundary). Perhaps, it can be implemented inside kprobes, because it is not useful for other subsystems. Thank you! -- Masami HIRAMATSU IT Management Research Dept. Linux Technology Center Hitachi, Ltd., Yokohama Research Laboratory E-mail: masami.hiramatsu.pt@...achi.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists