lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160613191345.6bdeb535@gandalf.local.home>
Date:	Mon, 13 Jun 2016 19:13:45 -0400
From:	Steven Rostedt <rostedt@...dmis.org>
To:	Masami Hiramatsu <mhiramat@...nel.org>
Cc:	Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
	Peter Zijlstra <peterz@...radead.org>,
	Ananth N Mavinakayanahalli <ananth@...ux.vnet.ibm.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	"H . Peter Anvin" <hpa@...or.com>,
	Andy Lutomirski <luto@...nel.org>, systemtap@...rceware.org,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	fenghua.yu@...el.com
Subject: Re: [PATCH tip/master] [BUGFIX] kprobes/x86: Fix to clear TF bit in
 fault-on-single-stepping

On Sat, 11 Jun 2016 23:06:53 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> Fix kprobe_fault_handler to clear TF (trap flag) bit of
> flags register in the case of fault fixup on single-stepping.
> 
> If we put a kprobe on the instruction which can cause a
> page fault (e.g. actual mov instructions in copy_user_*),
> that fault happens on a single-stepping buffer. In this
> case, kprobes resets running instance so that the CPU can
> retry execution on the original ip address.
> However, current code forgets reset TF bit. Since this
> fault happens with TF bit set for enabling single-stepping,
> when it retries, it causes a debug exception and kprobes
> can not handle it because it already reset itself.
> 
> On the most of x86-64 platform, it can be easily reproduced
> by using kprobe tracer. E.g.
> 
>   # cd /sys/kernel/debug/tracing
>   # echo p copy_user_enhanced_fast_string+5 > kprobe_events
>   # echo 1 > events/kprobes/enable
> 
> And you'll see a kernel panic on do_debug(), since the debug
> trap is not handled by kprobes.
> 
> To fix this problem, we just need to clear the TF bit when
> resetting running kprobe.
> 

This should definitely be marked for stable, and I bisected it all the
way down to this commit: f4cb1cc18f364d "x86-64, copy_user: Remove zero
byte check before copy user buffer."

I reverted that commit and sure enough, this bug goes away. I'm not
saying the revert should be done. I'm just doing an FYI, and showing how
changes that appear to be a nice clean up can have subtle effects. I'm
not even sure how that change caused this to be a problem with kprobes.

The proper fix is this patch.

Acked-by: Steven Rostedt <rostedt@...dmis.org>

Please add:

Cc: stable@...r.kernel.org # v3.14+

-- Steve


> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> ---
>  arch/x86/kernel/kprobes/core.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> index 38cf7a7..856df81 100644
> --- a/arch/x86/kernel/kprobes/core.c
> +++ b/arch/x86/kernel/kprobes/core.c
> @@ -961,6 +961,13 @@ int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
>  		 * normal page fault.
>  		 */
>  		regs->ip = (unsigned long)cur->addr;
> +		/*
> +		 * Trap flag has been set here because this fault happened
> +		 * where the single stepping will be done. So clear it with
> +		 * resetting current kprobe.
> +		 */
> +		regs->flags &= ~X86_EFLAGS_TF;
> +		/* If the TF was set before the kprobe hit, don't touch it */
>  		regs->flags |= kcb->kprobe_old_flags;
>  		if (kcb->kprobe_status == KPROBE_REENTER)
>  			restore_previous_kprobe(kcb);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ