lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20191202233927.1f85f6967fc8d784be329fe4@kernel.org>
Date:   Mon, 2 Dec 2019 23:39:27 +0900
From:   Masami Hiramatsu <mhiramat@...nel.org>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Ingo Molnar <mingo@...nel.org>,
        Steven Rostedt <rostedt@...dmis.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org, bristot@...hat.com,
        jbaron@...mai.com, torvalds@...ux-foundation.org,
        tglx@...utronix.de, namit@...are.com, hpa@...or.com,
        luto@...nel.org, ard.biesheuvel@...aro.org, jpoimboe@...hat.com,
        jeyu@...nel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH -tip 1/2] x86/alternative: Sync bp_patching update for
 avoiding NULL pointer exception

On Mon, 2 Dec 2019 14:43:54 +0100
Peter Zijlstra <peterz@...radead.org> wrote:

> On Mon, Dec 02, 2019 at 08:50:12PM +0900, Masami Hiramatsu wrote:
> > On Mon, 2 Dec 2019 10:15:19 +0100
> > Peter Zijlstra <peterz@...radead.org> wrote:
> > > On Wed, Nov 27, 2019 at 02:56:52PM +0900, Masami Hiramatsu wrote:
> 
> > > > --- a/arch/x86/kernel/alternative.c
> > > > +++ b/arch/x86/kernel/alternative.c
> > > > @@ -1134,8 +1134,14 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
> > > >  	 * sync_core() implies an smp_mb() and orders this store against
> > > >  	 * the writing of the new instruction.
> > > >  	 */
> > > > -	bp_patching.vec = NULL;
> > > >  	bp_patching.nr_entries = 0;
> > > > +	/*
> > > > +	 * This sync_core () ensures that all int3 handlers in progress
> > > > +	 * have finished. This allows poke_int3_handler () after this to
> > > > +	 * avoid touching bp_paching.vec by checking nr_entries == 0.
> > > > +	 */
> > > > +	text_poke_sync();
> > > > +	bp_patching.vec = NULL;
> > > >  }
> > > 
> > > Hurm.. is there no way we can merge that with the 'last'
> > > text_poke_sync() ? It seems a little daft to do 2 back-to-back IPI
> > > things like that.
> > 
> > Maybe we can add a NULL check of bp_patchig.vec in poke_int3_handler()
> > but it doesn't ensure the fundamental safeness, because the array
> > pointed by bp_patching.vec itself can be released while
> > poke_int3_handler() accesses it.
> 
> No, what I mean is something like:
> 
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index 30e86730655c..347a234a7c52 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -1119,17 +1119,13 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
>  	 * Third step: replace the first byte (int3) by the first byte of
>  	 * replacing opcode.
>  	 */
> -	for (do_sync = 0, i = 0; i < nr_entries; i++) {
> +	for (i = 0; i < nr_entries; i++) {
>  		if (tp[i].text[0] == INT3_INSN_OPCODE)
>  			continue;
>  
>  		text_poke(text_poke_addr(&tp[i]), tp[i].text, INT3_INSN_SIZE);
> -		do_sync++;
>  	}
>  
> -	if (do_sync)
> -		text_poke_sync();
> -
>  	/*
>  	 * sync_core() implies an smp_mb() and orders this store against
>  	 * the writing of the new instruction.
> 
> 
> Or is that unsafe ?

OK, let's check it. 

text_poke_bp_batch() {
  update vec
  update nr_entries
  smp_wmb()
  write int3
  text_poke_sync()
  write rest_bytes
  text_poke_sync() if rest_bytes
  write first_byte
  text_poke_sync() if first_byte ... (*)
  update nr_entries
  text_poke_sync() ... (**)
  update vec
}

Before (*), the first byte can be new opcode or int3, thus
poke_int3_handler() can be called. But anyway, at that point
nr_entries != 0, thus poke_int3_handler() correctly emulate
the new instruction.

Before (**), all int3 should be removed, so nr_entries must
not accessed, EXCEPT for writing int3 case.

If we just remove the (*) as you say, the poke_int3_handler()
can see nr_entries = 0 before (**). So it is still unsafe.

I considered another way that skipping (**) if !first_byte,
since (*) ensured the target address(text) doesn't hit int3
anymore.
However, this will be also unsafe because there can be another
int3 (by kprobes) has been hit while updating nr_entries and vec.


Thank you,

-- 
Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ