lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 2 Dec 2019 14:43:54 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     Ingo Molnar <mingo@...nel.org>,
        Steven Rostedt <rostedt@...dmis.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org, bristot@...hat.com,
        jbaron@...mai.com, torvalds@...ux-foundation.org,
        tglx@...utronix.de, namit@...are.com, hpa@...or.com,
        luto@...nel.org, ard.biesheuvel@...aro.org, jpoimboe@...hat.com,
        jeyu@...nel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH -tip 1/2] x86/alternative: Sync bp_patching update for
 avoiding NULL pointer exception

On Mon, Dec 02, 2019 at 08:50:12PM +0900, Masami Hiramatsu wrote:
> On Mon, 2 Dec 2019 10:15:19 +0100
> Peter Zijlstra <peterz@...radead.org> wrote:
> > On Wed, Nov 27, 2019 at 02:56:52PM +0900, Masami Hiramatsu wrote:

> > > --- a/arch/x86/kernel/alternative.c
> > > +++ b/arch/x86/kernel/alternative.c
> > > @@ -1134,8 +1134,14 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
> > >  	 * sync_core() implies an smp_mb() and orders this store against
> > >  	 * the writing of the new instruction.
> > >  	 */
> > > -	bp_patching.vec = NULL;
> > >  	bp_patching.nr_entries = 0;
> > > +	/*
> > > +	 * This sync_core () ensures that all int3 handlers in progress
> > > +	 * have finished. This allows poke_int3_handler () after this to
> > > +	 * avoid touching bp_paching.vec by checking nr_entries == 0.
> > > +	 */
> > > +	text_poke_sync();
> > > +	bp_patching.vec = NULL;
> > >  }
> > 
> > Hurm.. is there no way we can merge that with the 'last'
> > text_poke_sync() ? It seems a little daft to do 2 back-to-back IPI
> > things like that.
> 
> Maybe we can add a NULL check of bp_patchig.vec in poke_int3_handler()
> but it doesn't ensure the fundamental safeness, because the array
> pointed by bp_patching.vec itself can be released while
> poke_int3_handler() accesses it.

No, what I mean is something like:

diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 30e86730655c..347a234a7c52 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1119,17 +1119,13 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
 	 * Third step: replace the first byte (int3) by the first byte of
 	 * replacing opcode.
 	 */
-	for (do_sync = 0, i = 0; i < nr_entries; i++) {
+	for (i = 0; i < nr_entries; i++) {
 		if (tp[i].text[0] == INT3_INSN_OPCODE)
 			continue;
 
 		text_poke(text_poke_addr(&tp[i]), tp[i].text, INT3_INSN_SIZE);
-		do_sync++;
 	}
 
-	if (do_sync)
-		text_poke_sync();
-
 	/*
 	 * sync_core() implies an smp_mb() and orders this store against
 	 * the writing of the new instruction.


Or is that unsafe ?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ