lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170601182601.GM8951@wotan.suse.de>
Date:   Thu, 1 Jun 2017 20:26:01 +0200
From:   "Luis R. Rodriguez" <mcgrof@...nel.org>
To:     Jessica Yu <jeyu@...hat.com>
Cc:     Masami Hiramatsu <mhiramat@...nel.org>,
        "Luis R. Rodriguez" <mcgrof@...nel.org>,
        Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Steven Rostedt <rostedt@...dmis.org>,
        Kees Cook <keescook@...omium.org>,
        LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
        Peter Zijlstra <peterz@...radead.org>,
        Rusty Russell <rusty@...tcorp.com.au>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [BUGFIX PATCH] kprobes/x86: Fix to set RWX bits correctly before
 releasing trampoline

On Sat, May 27, 2017 at 06:46:12PM -0700, Jessica Yu wrote:
> +++ Masami Hiramatsu [26/05/17 09:24 +0900]:
> > On Thu, 25 May 2017 19:24:26 +0200
> > "Luis R. Rodriguez" <mcgrof@...nel.org> wrote:
> > 
> > > On Thu, May 25, 2017 at 07:38:17PM +0900, Masami Hiramatsu wrote:
> > > > Fix kprobes to set(recover) RWX bits correctly on trampoline
> > > > buffer before releasing it. Releasing readonly page to
> > > > module_memfree() crash the kernel.
> > > >
> > > > Without this fix, if kprobes user register a bunch of kprobes
> > > > in function body (since kprobes on function entry usually
> > > > use ftrace) and unregister it, kernel hits a BUG and crash.
> > > >
> > > > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > > > Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
> > > > ---
> > > >  arch/x86/kernel/kprobes/core.c |    9 +++++++++
> > > >  kernel/kprobes.c               |    2 +-
> > > >  2 files changed, 10 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> > > > index 5b2bbfb..6b87780 100644
> > > > --- a/arch/x86/kernel/kprobes/core.c
> > > > +++ b/arch/x86/kernel/kprobes/core.c
> > > > @@ -52,6 +52,7 @@
> > > >  #include <linux/ftrace.h>
> > > >  #include <linux/frame.h>
> > > >  #include <linux/kasan.h>
> > > > +#include <linux/moduleloader.h>
> > > >
> > > >  #include <asm/text-patching.h>
> > > >  #include <asm/cacheflush.h>
> > > > @@ -417,6 +418,14 @@ static void prepare_boost(struct kprobe *p, struct insn *insn)
> > > >  	}
> > > >  }
> > > >
> > > > +/* Recover page to RW mode before releasing it */
> > > > +void free_insn_page(void *page)
> > > > +{
> > > > +	set_memory_nx((unsigned long)page & PAGE_MASK, 1);
> > > > +	set_memory_rw((unsigned long)page & PAGE_MASK, 1);
> > > > +	module_memfree(page);
> > > > +}
> > > 
> > > Is this needed for all module_memfree() ? If so should / could it just do it
> > > for alloc users ?
> > 
> > Hmm, would you mean setting those bits in module_memfree()?
> > I think it should be discussed with other users, kmodule, bpf and ftrace.
> > It could be, but I'm not so sure about that because setting nx
> > timing would be critical for some users. As far as I can see,
> > for ftrace and kprobes, that is OK.
> 
> Memory does need to be rw before calling module_memfree(), although I
> think it might be better leave that responsibility/flexibility to the
> callers, instead of blanket calls to set_memory_rw/x. At least in the
> case of the module loader, we have finer-grained control of page
> protections; not all pages within the module_alloc'd region need
> set_memory_rw/x to be called before freeing (see disable_ro_nx() in
> module.c).

Is the module loader just a special case? If so then a special free, say
__module_memfree(), which *does* not the rw bit could be used by the module
loader ?

  Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ