[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20170818000711.9ab51d1259fdf21f25078dea@kernel.org>
Date: Fri, 18 Aug 2017 00:07:11 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Ingo Molnar <mingo@...hat.com>, "H . Peter Anvin" <hpa@...or.com>,
x86@...nel.org, Ananth N Mavinakayanahalli <ananth@...ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
"David S . Miller" <davem@...emloft.net>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH -tip v2 0/2] kprobes/x86: RO text code bugfix and
cleanup
On Thu, 17 Aug 2017 11:55:30 +0200
Ingo Molnar <mingo@...nel.org> wrote:
>
> * Masami Hiramatsu <mhiramat@...nel.org> wrote:
>
> > Hi,
> >
> > This series fixes a kprobe-x86 bug related to RO text and
> > cleans up addressof operators.
> >
> > The first one is an obvious bug that misses to set memory
> > RO when the function fails. And the second one is just a
> > cleanup patch to remove addressof operators ("&") since
> > it is meaningless anymore.
> >
> > V2 has just a following update:
> > - [1/2] Use a helper variable instead of using p->ainsn.insn
> > directly.
> >
> > Thanks,
> >
> > ---
> >
> > Masami Hiramatsu (2):
> > kprobes/x86: Don't forget to set memory back to RO on failure
> > kprobes/x86: Remove addressof operators
> >
> >
> > arch/x86/include/asm/kprobes.h | 4 ++--
> > arch/x86/kernel/kprobes/core.c | 15 +++++++++------
> > arch/x86/kernel/kprobes/opt.c | 9 +++++----
> > 3 files changed, 16 insertions(+), 12 deletions(-)
>
> So I'm totally opposed to the whole approach of modifying the permissions of the
> kernel text virtual memory area.
>
> Firstly, it's racy against other kernel subsystems: what happens if some other
> code patching mechanism does a similar 'mark RWX and then back to RX'? Who
> provides the synchronization? set_memory_*() certainly does not.
Hmm, this sounds common problem for set_memory_*() users.
> Secondly, it's racy against attackers: if an attacker can time the attack to the
> time when a kprobe is installed, then the kernel is still vulnerable.
Right, since this is not against for attackers, but for some unexpected memory
corruption bugs. Yes, this is vulnerable against attackers.
> So how about avoiding the problem altogether by patching the kernel not in its
> virtual text address, but in the direct mappings? Then page permissions won't have
> to be modified, and the whole solution will be more robust and secure.
So would you mean using text_poke()?
OK, that's a good idea. I'll try to rewrite it again with text_poke().
Thank you!
>
> Is there anything I'm missing?
>
> Thanks,
>
> Ingo
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists