lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 21 Mar 2016 10:47:43 +0530
From:	Pratyush Anand <>
To:	James Morse <>
Cc:	David Long <>,
	Will Deacon <>,
	Catalin Marinas <>,
	Sandeepa Prabhu <>,
	William Cohen <>,
	Steve Capper <>,,,
	Marc Zyngier <>,
	Dave P Martin <>,
	Mark Rutland <>,
	Robin Murphy <>,
	Ard Biesheuvel <>,
	Jens Wiklander <>,
	Christoffer Dall <>,
	Alex Bennée <>,
	Yang Shi <>,
	Greg Kroah-Hartman <>,
	Viresh Kumar <>,
	"Suzuki K. Poulose" <>,
	Kees Cook <>,
	Zi Shen Lim <>,
	John Blackwood <>,
	Feng Kan <>,
	Balamurugan Shanmugam <>,
	Vladimir Murzin <>,
	Mark Salyzyn <>,
	Petr Mladek <>,
	Andrew Morton <>,
	Mark Brown <>
Subject: Re: [PATCH v11 3/9] arm64: add copy_to/from_user to kprobes blacklist

Hi James,

On 18/03/2016:06:12:20 PM, James Morse wrote:
> Hi Pratyush,
> On 18/03/16 14:43, Pratyush Anand wrote:
> > On 18/03/2016:02:02:49 PM, James Morse wrote:
> >> In kernel/entry.S when entered from EL0 we test for TIF_SINGLESTEP in the
> >> thread_info flags, and use disable_step_tsk/enable_step_tsk to save/restore the
> >> single-step state.
> >>
> >> Could we do this regardless of which EL we came from?
> > 
> > Thanks for another idea. I think, we can not do this as it is, because
> > TIF_SINGLESTEP will not be set for kprobe events.
> Hmmm, I see kernel_enable_single_step() doesn't set it, but setup_singlestep()
> in patch 5 could...
> There is probably a good reason its never set for a kernel thread, I will have a
> look at where else it is used.
> > But, we can introduce a
> > variant disable_step_kernel and enable_step_kernel, which can be called in
> > el1_da. 
> What about sp/pc misalignment, or undefined instructions?
> Or worse... an irq occurs during your el1_da call (el1_da may re-enable irqs).
> el1_irq doesn't know you were careful not to unmask debug exceptions, it blindly
> turns them back on.
> The problem is the 'single step me' bit is still set, save/restoring it will
> save us having to consider every interaction, (and then missing some!).
> It would also mean you don't have to disable interrupts while single stepping in
> patch 5 (comment above kprobes_save_local_irqflag()).

I see.
kernel_enable_single_step() is called from watchpoint and kgdb handler. It seems
to me that, similar issue may arise there as well. So, it would be a good idea
to set TIF_SINGLESTEP in kernel_enable_single_step() and clear in

Meanwhile, I prepared a test case to reproduce the issue without this patch.
Instrumented a kprobe at an instruction of __copy_to_user() which stores in user
space memory. I can see a sea of messages "Unexpected kernel single-step
exception at EL1" within few seconds.  While with patch[1] applied, I do not see
any such messages. 

May be I can send [1] as RFC and seek feedback.



Powered by blists - more mailing lists