| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Oct 2018 19:28:40 -0700
From: Joel Fernandes <joel@...lfernandes.org>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Andy Lutomirski <luto@...capital.net>,
LKML <linux-kernel@...r.kernel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Peter Zijlstra <peterz@...radead.org>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...nel.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH v2] x86: ptrace.h: Make regs_get_kernel_stack_nth() not
fault on bad stack
On Wed, Oct 17, 2018 at 04:59:51PM -0400, Steven Rostedt wrote:
> From: "Steven Rostedt (VMware)" <rostedt@...dmis.org>
>
> Andy had some concerns about using regs_get_kernel_stack_nth() in a new
> function regs_get_kernel_argument() as if there's any error in the stack
> code, it could cause a bad memory access. To be on the safe side, call
> probe_kernel_read() on the stack address to be extra careful in accessing
> the memory. A helper function, regs_get_kernel_stack_nth_addr(), was added
> to just return the stack address (or NULL if not on the stack), that will be
> used to find the address (and could be used by other functions) and read the
> address with kernel_probe_read().
>
> Link: http://lkml.kernel.org/r/CALCETrXn9zKTb9i1LP3qoFcpqZHF34BdkuZ5D3N0uCmRr+VnbA@mail.gmail.com
> Requested-by: Andy Lutomirski <luto@...capital.net>
> Signed-off-by: Steven Rostedt (VMware) <rostedt@...dmis.org>
> ---
Reviewed-by: Joel Fernandes (Google) <joel@...lfernandes.org>
thanks,
- Joel
> Changes since v1:
>
> - Make regs_get_kernel_stack_nth() not fault, and not have a
> separate function. Only tracing uses it anyway.
>
> arch/x86/include/asm/ptrace.h | 43 ++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 36 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
> index c2304b25e2fd..055f632ce711 100644
> --- a/arch/x86/include/asm/ptrace.h
> +++ b/arch/x86/include/asm/ptrace.h
> @@ -237,23 +237,52 @@ static inline int regs_within_kernel_stack(struct pt_regs *regs,
> }
>
> /**
> + * regs_get_kernel_stack_nth_addr() - get the address of the Nth entry on stack
> + * @regs: pt_regs which contains kernel stack pointer.
> + * @n: stack entry number.
> + *
> + * regs_get_kernel_stack_nth() returns the address of the @n th entry of the
> + * kernel stack which is specified by @regs. If the @n th entry is NOT in
> + * the kernel stack, this returns NULL.
> + */
> +static inline unsigned long *regs_get_kernel_stack_nth_addr(struct pt_regs *regs,
> + unsigned int n)
> +{
> + unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
> +
> + addr += n;
> + if (regs_within_kernel_stack(regs, (unsigned long)addr))
> + return addr;
> + else
> + return NULL;
> +}
> +
> +/* To avoid include hell, we can't include uaccess.h */
> +extern long probe_kernel_read(void *dst, const void *src, size_t size);
> +
> +/**
> * regs_get_kernel_stack_nth() - get Nth entry of the stack
> * @regs: pt_regs which contains kernel stack pointer.
> * @n: stack entry number.
> *
> * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which
> - * is specified by @regs. If the @n th entry is NOT in the kernel stack,
> + * is specified by @regs. If the @n th entry is NOT in the kernel stack
> * this returns 0.
> */
> static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
> unsigned int n)
> {
> - unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs);
> - addr += n;
> - if (regs_within_kernel_stack(regs, (unsigned long)addr))
> - return *addr;
> - else
> - return 0;
> + unsigned long *addr;
> + unsigned long val;
> + long ret;
> +
> + addr = regs_get_kernel_stack_nth_addr(regs, n);
> + if (addr) {
> + ret = probe_kernel_read(&val, addr, sizeof(val));
> + if (!ret)
> + return val;
> + }
> + return 0;
> }
>
> /**
> --
> 2.13.6
>
Powered by blists - more mailing lists