Message-Id: <20180310001522.5b81074c7c7ec24cfb5f0a06@kernel.org>
Date:   Sat, 10 Mar 2018 00:15:22 +0900
From:   Masami Hiramatsu <mhiramat@...nel.org>
To:     Francis Deslauriers <francis.deslauriers@...icios.com>
Cc:     tglx@...utronix.de, mingo@...hat.com, peterz@...radead.org,
        mathieu.desnoyers@...icios.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/1] x86/kprobes: Prohibit probing of .entry_trampoline code

On Thu,  8 Mar 2018 22:18:11 -0500
Francis Deslauriers <francis.deslauriers@...icios.com> wrote:

> Hi all,
> 
> While fuzzing the Perf kprobe interface, I found that adding a probe on
> the 'entry_SYSCALL_64_trampoline' symbol will crash my 4.16-rc4
> kernel (661e50bc853209e41a5c14a290ca4decc43cbfd1) on an x86_64 Qemu VM.
> 
> How to reproduce:
> 	echo 'p:event1 entry_SYSCALL_64_trampoline' > ./kprobe_events
> 	echo 1 >  events/kprobes/enable
> Crash log:[1]
> 
> My understanding is that the userspace CR3 register has not yet been
> replaced by the kernel's CR3, when the kprobe is triggered. This means
> that the kernel addresses cannot be translated, thus making the
> handling of the kprobe impossible.

Thanks for reporting!
And yes, all entry code must be nokprobe.

> 
> This can be fixed by blacklisting the .entry_trampoline section. See
> patch[1/1].
> 
> Here is the config I am using[2].
> 
> Thanks,
> 
> Francis Deslauriers
> EfficiOS inc.
> 
> 1:http://paste.ubuntu.com/p/djnpZCzQKv/
> 2:http://paste.ubuntu.com/p/3jrFYt6XQB/
> 
> Francis Deslauriers (1):
>   x86/kprobes: Prohibit probing of .entry_trampoline code
> 
>  arch/x86/include/asm/sections.h |  1 +
>  arch/x86/kernel/kprobes/core.c  | 10 +++++++++-
>  arch/x86/kernel/vmlinux.lds.S   |  2 ++
>  3 files changed, 12 insertions(+), 1 deletion(-)
> 
> -- 
> 2.7.4
> 


-- 
Masami Hiramatsu <mhiramat@...nel.org>
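The blacklist fix the cover letter describes, modelled in userspace as an added example (not the patch's code and not part of this thread): a probe address is refused when it falls inside a section the kernel cannot safely probe, and the "after" check adds the .entry_trampoline range. The section bounds are constructed stand-ins for the kernel's linker-provided symbols, and the -22 return value is an assumed errno-style code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the linker-provided section bounds that the
 * kernel's vmlinux linker script exports; the addresses below are made up
 * for this example and do not correspond to any real kernel build. */
struct section { const char *name; uintptr_t start, end; };

static const struct section kprobes_text     = { ".kprobes.text",     0xffffffff81000000, 0xffffffff81001000 };
static const struct section entry_text       = { ".entry.text",       0xffffffff81a00000, 0xffffffff81a01000 };
static const struct section entry_trampoline = { ".entry_trampoline", 0xffffffff81c00000, 0xffffffff81c01000 };

static bool in_section(uintptr_t addr, const struct section *s)
{
	return addr >= s->start && addr < s->end;
}

/* Before the fix: only .kprobes.text and .entry.text are refused, so a
 * trampoline address (reached while the user CR3 is still active) is
 * accepted at registration time and faults when the probe fires. */
bool within_blacklist_before(uintptr_t addr)
{
	return in_section(addr, &kprobes_text) || in_section(addr, &entry_text);
}

/* After the fix: the .entry_trampoline section is refused as well. */
bool within_blacklist_after(uintptr_t addr)
{
	return within_blacklist_before(addr) || in_section(addr, &entry_trampoline);
}

/* Registration gate: 0 on success, -22 (assumed, EINVAL-style) when refused. */
int register_kprobe_at(uintptr_t addr, bool (*blacklisted)(uintptr_t))
{
	if (blacklisted(addr))
		return -22;
	return 0;
}

int main(void)
{
	uintptr_t trampoline_probe = entry_trampoline.start + 0x10; /* constructed */
	printf("before fix: %d\n", register_kprobe_at(trampoline_probe, within_blacklist_before));
	printf("after fix:  %d\n", register_kprobe_at(trampoline_probe, within_blacklist_after));
	return 0;
}
```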