| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Jun 2017 20:26:01 +0200
From: "Luis R. Rodriguez" <mcgrof@...nel.org>
To: Jessica Yu <jeyu@...hat.com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>,
"Luis R. Rodriguez" <mcgrof@...nel.org>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Steven Rostedt <rostedt@...dmis.org>,
Kees Cook <keescook@...omium.org>,
LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Rusty Russell <rusty@...tcorp.com.au>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [BUGFIX PATCH] kprobes/x86: Fix to set RWX bits correctly before
releasing trampoline
On Sat, May 27, 2017 at 06:46:12PM -0700, Jessica Yu wrote:
> +++ Masami Hiramatsu [26/05/17 09:24 +0900]:
> > On Thu, 25 May 2017 19:24:26 +0200
> > "Luis R. Rodriguez" <mcgrof@...nel.org> wrote:
> >
> > > On Thu, May 25, 2017 at 07:38:17PM +0900, Masami Hiramatsu wrote:
> > > > Fix kprobes to set(recover) RWX bits correctly on trampoline
> > > > buffer before releasing it. Releasing readonly page to
> > > > module_memfree() crash the kernel.
> > > >
> > > > Without this fix, if kprobes user register a bunch of kprobes
> > > > in function body (since kprobes on function entry usually
> > > > use ftrace) and unregister it, kernel hits a BUG and crash.
> > > >
> > > > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > > > Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
> > > > ---
> > > > arch/x86/kernel/kprobes/core.c | 9 +++++++++
> > > > kernel/kprobes.c | 2 +-
> > > > 2 files changed, 10 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> > > > index 5b2bbfb..6b87780 100644
> > > > --- a/arch/x86/kernel/kprobes/core.c
> > > > +++ b/arch/x86/kernel/kprobes/core.c
> > > > @@ -52,6 +52,7 @@
> > > > #include <linux/ftrace.h>
> > > > #include <linux/frame.h>
> > > > #include <linux/kasan.h>
> > > > +#include <linux/moduleloader.h>
> > > >
> > > > #include <asm/text-patching.h>
> > > > #include <asm/cacheflush.h>
> > > > @@ -417,6 +418,14 @@ static void prepare_boost(struct kprobe *p, struct insn *insn)
> > > > }
> > > > }
> > > >
> > > > +/* Recover page to RW mode before releasing it */
> > > > +void free_insn_page(void *page)
> > > > +{
> > > > + set_memory_nx((unsigned long)page & PAGE_MASK, 1);
> > > > + set_memory_rw((unsigned long)page & PAGE_MASK, 1);
> > > > + module_memfree(page);
> > > > +}
> > >
> > > Is this needed for all module_memfree() ? If so should / could it just do it
> > > for alloc users ?
> >
> > Hmm, would you mean setting those bits in module_memfree()?
> > I think it should be discussed with other users, kmodule, bpf and ftrace.
> > It could be, but I'm not so sure about that because setting nx
> > timing would be critical for some users. As far as I can see,
> > for ftrace and kprobes, that is OK.
>
> Memory does need to be rw before calling module_memfree(), although I
> think it might be better leave that responsibility/flexibility to the
> callers, instead of blanket calls to set_memory_rw/x. At least in the
> case of the module loader, we have finer-grained control of page
> protections; not all pages within the module_alloc'd region need
> set_memory_rw/x to be called before freeing (see disable_ro_nx() in
> module.c).
Is the module loader just a special case? If so then a special free, say
__module_memfree(), which *does* not the rw bit could be used by the module
loader ?
Luis
Powered by blists - more mailing lists