| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Dec 2018 22:49:58 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Ingo Molnar <mingo@...hat.com>,
Steven Rostedt <rostedt@...dmis.org>,
Ravi Bangoria <ravi.bangoria@...ux.ibm.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Michael Rodin <michael@...in.online>,
linux-kernel@...r.kernel.org
Subject: Re: [BUGFIX PATCH -tip] kprobes/x86: Fix to copy RIP relative
instruction correctly
On Tue, 4 Dec 2018 09:13:35 +0100
Ingo Molnar <mingo@...nel.org> wrote:
>
> * Masami Hiramatsu <mhiramat@...nel.org> wrote:
>
> > Since copy_optimized_instructions() misses to update real RIP
> > address while copying several instructions to working buffer,
> > it adjusts RIP-relative instruction with wrong RIP address for
> > the 2nd and subsequent instructions.
> >
> > This may break the kernel (like kernel freeze) because
> > probed instruction can refer a wrong data. For example,
> > putting kprobes on cpumask_next hit this bug.
> >
> > cpumask_next is normally like below if CONFIG_CPUMASK_OFFSTACK=y
> > (in this case nr_cpumask_bits is an alias of nr_cpu_ids)
> >
> > <cpumask_next>:
> > 48 89 f0 mov %rsi,%rax
> > 8b 35 7b fb e2 00 mov 0xe2fb7b(%rip),%esi
> > # ffffffff82db9e64 <nr_cpu_ids>
> > 55 push %rbp
> > ...
> >
> > If we put a kprobe on it and optimized with jump, it becomes
> > like this.
> >
> > e9 95 7d 07 1e jmpq 0xffffffffa000207a
> > 7b fb jnp 0xffffffff81f8a2e2 <cpumask_next+2>
> > e2 00 loop 0xffffffff81f8a2e9 <cpumask_next+9>
> > 55 push %rbp
> >
> > This shows first 2 "mov" instructions are copied to trampoline
> > buffer at 0xffffffffa000207a. Here is the disassembled result.
> > (skipped optprobe template instructions)
> >
> > Dump of assembler code from 0xffffffffa000207a to 0xffffffffa00020ea:
> > 54 push %rsp
> > ...
> > 48 83 c4 08 add $0x8,%rsp
> > 9d popfq
> > 48 89 f0 mov %rsi,%rax
> > 8b 35 82 7d db e2 mov -0x1d24827e(%rip),%esi
> > # 0xffffffff82db9e67 <nr_cpu_ids+3>
> >
> > As it shows, the 2nd mov accesses *(nr_cpu_ids+3) instead of
> > *nr_cpu_ids. This leads a kernel freeze because cpumask_next()
> > always returns 0 and for_each_cpu() never ended.
> >
> > Fixing this by adding len correctly to real RIP address while
> > copying.
> >
> > Fixes: 63fef14fc98a ("kprobes/x86: Make insn buffer always ROX and use text_poke()")
> > Reported-by: Michael Rodin <michael@...in.online>
> > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > Cc: stable@...r.kernel.org
> > ---
> > arch/x86/kernel/kprobes/opt.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
> > index eaf02f2e7300..e92672b8b490 100644
> > --- a/arch/x86/kernel/kprobes/opt.c
> > +++ b/arch/x86/kernel/kprobes/opt.c
> > @@ -189,7 +189,8 @@ static int copy_optimized_instructions(u8 *dest, u8 *src, u8 *real)
> > int len = 0, ret;
> >
> > while (len < RELATIVEJUMP_SIZE) {
> > - ret = __copy_instruction(dest + len, src + len, real, &insn);
> > + ret = __copy_instruction(dest + len, src + len, real + len,
> > + &insn);
>
> I applied this, except that I unbroke the line: please ignore checkpatch
> in such cases where the cure is worse than the disease ...
Thanks Ingo!
>
> I.e. even if slightly over 80 cols, this is more readable:
>
> ret = __copy_instruction(dest + len, src + len, real + len, &insn);
Got it.
BTW, this ugry "+ len" repeat would be avoided. I would better make a new inline
function to wrap it.
Thank you,
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists