lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG48ez0Frp4-+xHZ=UhbHh0hC_h-1VtJfwHw=kDo6NahyMv1ig@mail.gmail.com>
Date:   Wed, 20 Nov 2019 13:14:47 +0100
From:   Jann Horn <jannh@...gle.com>
To:     Ingo Molnar <mingo@...nel.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        "the arch/x86 maintainers" <x86@...nel.org>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        kasan-dev <kasan-dev@...glegroups.com>,
        kernel list <linux-kernel@...r.kernel.org>,
        Andrey Konovalov <andreyknvl@...gle.com>,
        Andy Lutomirski <luto@...nel.org>,
        Sean Christopherson <sean.j.christopherson@...el.com>,
        Andi Kleen <ak@...ux.intel.com>
Subject: Re: [PATCH v3 2/4] x86/traps: Print non-canonical address on #GP

On Wed, Nov 20, 2019 at 12:19 PM Ingo Molnar <mingo@...nel.org> wrote:
> * Jann Horn <jannh@...gle.com> wrote:
>
> > A frequent cause of #GP exceptions are memory accesses to non-canonical
> > addresses. Unlike #PF, #GP doesn't come with a fault address in CR2, so
> > the kernel doesn't currently print the fault address for #GP.
> > Luckily, we already have the necessary infrastructure for decoding X86
> > instructions and computing the memory address that is being accessed;
> > hook it up to the #GP handler so that we can figure out whether the #GP
> > looks like it was caused by a non-canonical address, and if so, print
> > that address.
[...]
> > +/*
> > + * On 64-bit, if an uncaught #GP occurs while dereferencing a non-canonical
> > + * address, return that address.
> > + */
> > +static unsigned long get_kernel_gp_address(struct pt_regs *regs)
> > +{
> > +#ifdef CONFIG_X86_64
> > +     u8 insn_bytes[MAX_INSN_SIZE];
> > +     struct insn insn;
> > +     unsigned long addr_ref;
> > +
> > +     if (probe_kernel_read(insn_bytes, (void *)regs->ip, MAX_INSN_SIZE))
> > +             return 0;
> > +
> > +     kernel_insn_init(&insn, insn_bytes, MAX_INSN_SIZE);
> > +     insn_get_modrm(&insn);
> > +     insn_get_sib(&insn);
> > +     addr_ref = (unsigned long)insn_get_addr_ref(&insn, regs);
>
> I had to look twice to realize that the 'insn_bytes' isn't an integer
> that shows the number of bytes in the instruction, but the instruction
> buffer itself.
>
> Could we please do s/insn_bytes/insn_buf or such?

Will change it.

> > +
> > +     /* Bail out if insn_get_addr_ref() failed or we got a kernel address. */
> > +     if (addr_ref >= ~__VIRTUAL_MASK)
> > +             return 0;
> > +
> > +     /* Bail out if the entire operand is in the canonical user half. */
> > +     if (addr_ref + insn.opnd_bytes - 1 <= __VIRTUAL_MASK)
> > +             return 0;
>
> BTW., it would be nice to split this logic in two: return the faulting
> address to do_general_protection(), and print it out both for
> non-canonical and canonical addresses as well -and use the canonical
> check to *additionally* print out a short note when the operand is
> non-canonical?

You mean something like this?

========================
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 9b23c4bda243..16a6bdaccb51 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -516,32 +516,36 @@ dotraplinkage void do_bounds(struct pt_regs
*regs, long error_code)
  * On 64-bit, if an uncaught #GP occurs while dereferencing a non-canonical
  * address, return that address.
  */
-static unsigned long get_kernel_gp_address(struct pt_regs *regs)
+static bool get_kernel_gp_address(struct pt_regs *regs, unsigned long *addr,
+                                          bool *non_canonical)
 {
 #ifdef CONFIG_X86_64
        u8 insn_buf[MAX_INSN_SIZE];
        struct insn insn;
-       unsigned long addr_ref;

        if (probe_kernel_read(insn_buf, (void *)regs->ip, MAX_INSN_SIZE))
-               return 0;
+               return false;

        kernel_insn_init(&insn, insn_buf, MAX_INSN_SIZE);
        insn_get_modrm(&insn);
        insn_get_sib(&insn);
-       addr_ref = (unsigned long)insn_get_addr_ref(&insn, regs);
+       *addr = (unsigned long)insn_get_addr_ref(&insn, regs);

-       /* Bail out if insn_get_addr_ref() failed or we got a kernel address. */
-       if (addr_ref >= ~__VIRTUAL_MASK)
-               return 0;
+       if (*addr == (unsigned long)-1L)
+               return false;

-       /* Bail out if the entire operand is in the canonical user half. */
-       if (addr_ref + insn.opnd_bytes - 1 <= __VIRTUAL_MASK)
-               return 0;
+       /*
+        * Check that:
+        *  - the address is not in the kernel half or -1 (which means the
+        *    decoder failed to decode it)
+        *  - the last byte of the address is not in the user canonical half
+        */
+       *non_canonical = *addr < ~__VIRTUAL_MASK &&
+                        *addr + insn.opnd_bytes - 1 > __VIRTUAL_MASK;

-       return addr_ref;
+       return true;
 #else
-       return 0;
+       return false;
 #endif
 }

@@ -569,8 +573,10 @@ do_general_protection(struct pt_regs *regs, long
error_code)

        tsk = current;
        if (!user_mode(regs)) {
-               unsigned long non_canonical_addr = 0;
+               bool addr_resolved = false;
+               unsigned long gp_addr;
                unsigned long flags;
+               bool non_canonical;
                int sig;

                if (fixup_exception(regs, X86_TRAP_GP, error_code, 0))
@@ -595,18 +601,19 @@ do_general_protection(struct pt_regs *regs, long
error_code)
                if (error_code)
                        snprintf(desc, sizeof(desc), "segment-related " GPFSTR);
                else
-                       non_canonical_addr = get_kernel_gp_address(regs);
+                       addr_resolved = get_kernel_gp_address(regs, &gp_addr,
+                                                             &non_canonical);

-               if (non_canonical_addr)
+               if (addr_resolved)
                        snprintf(desc, sizeof(desc),
-                           GPFSTR " probably for non-canonical address 0x%lx",
-                           non_canonical_addr);
+                           GPFSTR " probably for %saddress 0x%lx",
+                           non_canonical ? "non-canonical " : "", gp_addr);

                flags = oops_begin();
                sig = SIGSEGV;
                __die_header(desc, regs, error_code);
-               if (non_canonical_addr)
-                       kasan_non_canonical_hook(non_canonical_addr);
+               if (addr_resolved && non_canonical)
+                       kasan_non_canonical_hook(gp_addr);
                if (__die_body(desc, regs, error_code))
                        sig = 0;
                oops_end(flags, regs, sig);
========================

I guess that could potentially be useful if a #GP is triggered by
something like an SSE alignment error? I'll add it in unless someone
else complains.

> > +#define GPFSTR "general protection fault"
> >  dotraplinkage void
>
> Please separate macro and function definitions by an additional newline.

Will change it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ