lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1585635379.0xixuk2jdc.naveen@linux.ibm.com>
Date:   Tue, 31 Mar 2020 11:47:39 +0530
From:   "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>
To:     Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Christophe Leroy <christophe.leroy@....fr>,
        Michael Ellerman <mpe@...erman.id.au>,
        Paul Mackerras <paulus@...ba.org>
Cc:     linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Subject: Re: [PATCH 10/12] powerpc/entry32: Blacklist exception entry points
 for kprobe.

Christophe Leroy wrote:
> 
> 
> Le 30/03/2020 à 20:33, Christophe Leroy a écrit :
>> 
>> 
>> Le 30/03/2020 à 19:08, Naveen N. Rao a écrit :
>>> Christophe Leroy wrote:
>>>> kprobe does not handle events happening in real mode.
>>>>
>>>> As exception entry points are running with MMU disabled,
>>>> blacklist them.
>>>>
>>>> Signed-off-by: Christophe Leroy <christophe.leroy@....fr>
>>>> ---
>>>>  arch/powerpc/kernel/entry_32.S | 7 +++++++
>>>>  1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/arch/powerpc/kernel/entry_32.S 
>>>> b/arch/powerpc/kernel/entry_32.S
>>>> index 94f78c03cb79..9a1a45d6038a 100644
>>>> --- a/arch/powerpc/kernel/entry_32.S
>>>> +++ b/arch/powerpc/kernel/entry_32.S
>>>> @@ -51,6 +51,7 @@ mcheck_transfer_to_handler:
>>>>      mfspr    r0,SPRN_DSRR1
>>>>      stw    r0,_DSRR1(r11)
>>>>      /* fall through */
>>>> +_ASM_NOKPROBE_SYMBOL(mcheck_transfer_to_handler)
>>>>
>>>>      .globl    debug_transfer_to_handler
>>>>  debug_transfer_to_handler:
>>>> @@ -59,6 +60,7 @@ debug_transfer_to_handler:
>>>>      mfspr    r0,SPRN_CSRR1
>>>>      stw    r0,_CSRR1(r11)
>>>>      /* fall through */
>>>> +_ASM_NOKPROBE_SYMBOL(debug_transfer_to_handler)
>>>>
>>>>      .globl    crit_transfer_to_handler
>>>>  crit_transfer_to_handler:
>>>> @@ -94,6 +96,7 @@ crit_transfer_to_handler:
>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>      stw    r0,KSP_LIMIT(r8)
>>>>      /* fall through */
>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>  #endif
>>>>
>>>>  #ifdef CONFIG_40x
>>>> @@ -115,6 +118,7 @@ crit_transfer_to_handler:
>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>      stw    r0,KSP_LIMIT(r8)
>>>>      /* fall through */
>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>  #endif
>>>>
>>>>  /*
>>>> @@ -127,6 +131,7 @@ crit_transfer_to_handler:
>>>>      .globl    transfer_to_handler_full
>>>>  transfer_to_handler_full:
>>>>      SAVE_NVGPRS(r11)
>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_full)
>>>>      /* fall through */
>>>>
>>>>      .globl    transfer_to_handler
>>>> @@ -286,6 +291,8 @@ reenable_mmu:
>>>>      lwz    r2, GPR2(r11)
>>>>      b    fast_exception_return
>>>>  #endif
>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler)
>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_cont)
>>>
>>> These are added after 'reenable_mmu', which is itself not blacklisted. 
>>> Is that intentional?
>> 
>> Yes I put it as the complete end of the entry part, ie just before 
>> stack_ovf which is a function by itself.
>> 
>> Note that reenable_mmu is inside an #ifdef CONFIG_TRACE_IRQFLAGS.
>> 
>> I'm not completely sure where to put the _ASM_NOKPROBE_SYMBOL()s, that's 
>> the reason why I put it close to the symbol itself in my first series.
>> 
>> Could you have a look at the code and tell me what looks the most 
>> appropriate as a location to you ?
>> 
>> https://elixir.bootlin.com/linux/v5.6/source/arch/powerpc/kernel/entry_32.S#L230 
> 
> Ok, thinking about it once more, I guess we have a problem as everything 
> after that reenable_mmu will be visible.

I see that we reach reenable_mmu through a 'rfi' with MSR_KERNEL, which 
seems safe to me. So, I figured it can be probed without issues?

- Naveen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ