lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Mar 2020 08:28:04 +0200
From:   Christophe Leroy <christophe.leroy@....fr>
To:     "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Michael Ellerman <mpe@...erman.id.au>,
        Paul Mackerras <paulus@...ba.org>
Cc:     linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Subject: Re: [PATCH 10/12] powerpc/entry32: Blacklist exception entry points
 for kprobe.



Le 31/03/2020 à 08:17, Naveen N. Rao a écrit :
> Christophe Leroy wrote:
>>
>>
>> Le 30/03/2020 à 20:33, Christophe Leroy a écrit :
>>>
>>>
>>> Le 30/03/2020 à 19:08, Naveen N. Rao a écrit :
>>>> Christophe Leroy wrote:
>>>>> kprobe does not handle events happening in real mode.
>>>>>
>>>>> As exception entry points are running with MMU disabled,
>>>>> blacklist them.
>>>>>
>>>>> Signed-off-by: Christophe Leroy <christophe.leroy@....fr>
>>>>> ---
>>>>>  arch/powerpc/kernel/entry_32.S | 7 +++++++
>>>>>  1 file changed, 7 insertions(+)
>>>>>
>>>>> diff --git a/arch/powerpc/kernel/entry_32.S 
>>>>> b/arch/powerpc/kernel/entry_32.S
>>>>> index 94f78c03cb79..9a1a45d6038a 100644
>>>>> --- a/arch/powerpc/kernel/entry_32.S
>>>>> +++ b/arch/powerpc/kernel/entry_32.S
>>>>> @@ -51,6 +51,7 @@ mcheck_transfer_to_handler:
>>>>>      mfspr    r0,SPRN_DSRR1
>>>>>      stw    r0,_DSRR1(r11)
>>>>>      /* fall through */
>>>>> +_ASM_NOKPROBE_SYMBOL(mcheck_transfer_to_handler)
>>>>>
>>>>>      .globl    debug_transfer_to_handler
>>>>>  debug_transfer_to_handler:
>>>>> @@ -59,6 +60,7 @@ debug_transfer_to_handler:
>>>>>      mfspr    r0,SPRN_CSRR1
>>>>>      stw    r0,_CSRR1(r11)
>>>>>      /* fall through */
>>>>> +_ASM_NOKPROBE_SYMBOL(debug_transfer_to_handler)
>>>>>
>>>>>      .globl    crit_transfer_to_handler
>>>>>  crit_transfer_to_handler:
>>>>> @@ -94,6 +96,7 @@ crit_transfer_to_handler:
>>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>>      stw    r0,KSP_LIMIT(r8)
>>>>>      /* fall through */
>>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>>  #endif
>>>>>
>>>>>  #ifdef CONFIG_40x
>>>>> @@ -115,6 +118,7 @@ crit_transfer_to_handler:
>>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>>      stw    r0,KSP_LIMIT(r8)
>>>>>      /* fall through */
>>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>>  #endif
>>>>>
>>>>>  /*
>>>>> @@ -127,6 +131,7 @@ crit_transfer_to_handler:
>>>>>      .globl    transfer_to_handler_full
>>>>>  transfer_to_handler_full:
>>>>>      SAVE_NVGPRS(r11)
>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_full)
>>>>>      /* fall through */
>>>>>
>>>>>      .globl    transfer_to_handler
>>>>> @@ -286,6 +291,8 @@ reenable_mmu:
>>>>>      lwz    r2, GPR2(r11)
>>>>>      b    fast_exception_return
>>>>>  #endif
>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler)
>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_cont)
>>>>
>>>> These are added after 'reenable_mmu', which is itself not 
>>>> blacklisted. Is that intentional?
>>>
>>> Yes I put it as the complete end of the entry part, ie just before 
>>> stack_ovf which is a function by itself.
>>>
>>> Note that reenable_mmu is inside an #ifdef CONFIG_TRACE_IRQFLAGS.
>>>
>>> I'm not completely sure where to put the _ASM_NOKPROBE_SYMBOL()s, 
>>> that's the reason why I put it close to the symbol itself in my first 
>>> series.
>>>
>>> Could you have a look at the code and tell me what looks the most 
>>> appropriate as a location to you ?
>>>
>>> https://elixir.bootlin.com/linux/v5.6/source/arch/powerpc/kernel/entry_32.S#L230 
>>
>>
>> Ok, thinking about it once more, I guess we have a problem as 
>> everything after that reenable_mmu will be visible.
> 
> I see that we reach reenable_mmu through a 'rfi' with MSR_KERNEL, which 
> seems safe to me. So, I figured it can be probed without issues?

Yes it can. And that's the reason why I didn't blacklist it. However the 
4: and 7: which are after reenable_mmu are called from earlier, at a 
time we are still in real mode. So I need to do something about that I 
guess.

Christophe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ