lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 31 Mar 2020 12:14:27 +0530
From:   "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>
To:     Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Christophe Leroy <christophe.leroy@....fr>,
        Michael Ellerman <mpe@...erman.id.au>,
        Paul Mackerras <paulus@...ba.org>
Cc:     linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org
Subject: Re: [PATCH 10/12] powerpc/entry32: Blacklist exception entry points
 for kprobe.

Christophe Leroy wrote:
> 
> 
> Le 31/03/2020 à 08:17, Naveen N. Rao a écrit :
>> Christophe Leroy wrote:
>>>
>>>
>>> Le 30/03/2020 à 20:33, Christophe Leroy a écrit :
>>>>
>>>>
>>>> Le 30/03/2020 à 19:08, Naveen N. Rao a écrit :
>>>>> Christophe Leroy wrote:
>>>>>> kprobe does not handle events happening in real mode.
>>>>>>
>>>>>> As exception entry points are running with MMU disabled,
>>>>>> blacklist them.
>>>>>>
>>>>>> Signed-off-by: Christophe Leroy <christophe.leroy@....fr>
>>>>>> ---
>>>>>>  arch/powerpc/kernel/entry_32.S | 7 +++++++
>>>>>>  1 file changed, 7 insertions(+)
>>>>>>
>>>>>> diff --git a/arch/powerpc/kernel/entry_32.S 
>>>>>> b/arch/powerpc/kernel/entry_32.S
>>>>>> index 94f78c03cb79..9a1a45d6038a 100644
>>>>>> --- a/arch/powerpc/kernel/entry_32.S
>>>>>> +++ b/arch/powerpc/kernel/entry_32.S
>>>>>> @@ -51,6 +51,7 @@ mcheck_transfer_to_handler:
>>>>>>      mfspr    r0,SPRN_DSRR1
>>>>>>      stw    r0,_DSRR1(r11)
>>>>>>      /* fall through */
>>>>>> +_ASM_NOKPROBE_SYMBOL(mcheck_transfer_to_handler)
>>>>>>
>>>>>>      .globl    debug_transfer_to_handler
>>>>>>  debug_transfer_to_handler:
>>>>>> @@ -59,6 +60,7 @@ debug_transfer_to_handler:
>>>>>>      mfspr    r0,SPRN_CSRR1
>>>>>>      stw    r0,_CSRR1(r11)
>>>>>>      /* fall through */
>>>>>> +_ASM_NOKPROBE_SYMBOL(debug_transfer_to_handler)
>>>>>>
>>>>>>      .globl    crit_transfer_to_handler
>>>>>>  crit_transfer_to_handler:
>>>>>> @@ -94,6 +96,7 @@ crit_transfer_to_handler:
>>>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>>>      stw    r0,KSP_LIMIT(r8)
>>>>>>      /* fall through */
>>>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>>>  #endif
>>>>>>
>>>>>>  #ifdef CONFIG_40x
>>>>>> @@ -115,6 +118,7 @@ crit_transfer_to_handler:
>>>>>>      rlwinm    r0,r1,0,0,(31 - THREAD_SHIFT)
>>>>>>      stw    r0,KSP_LIMIT(r8)
>>>>>>      /* fall through */
>>>>>> +_ASM_NOKPROBE_SYMBOL(crit_transfer_to_handler)
>>>>>>  #endif
>>>>>>
>>>>>>  /*
>>>>>> @@ -127,6 +131,7 @@ crit_transfer_to_handler:
>>>>>>      .globl    transfer_to_handler_full
>>>>>>  transfer_to_handler_full:
>>>>>>      SAVE_NVGPRS(r11)
>>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_full)
>>>>>>      /* fall through */
>>>>>>
>>>>>>      .globl    transfer_to_handler
>>>>>> @@ -286,6 +291,8 @@ reenable_mmu:
>>>>>>      lwz    r2, GPR2(r11)
>>>>>>      b    fast_exception_return
>>>>>>  #endif
>>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler)
>>>>>> +_ASM_NOKPROBE_SYMBOL(transfer_to_handler_cont)
>>>>>
>>>>> These are added after 'reenable_mmu', which is itself not 
>>>>> blacklisted. Is that intentional?
>>>>
>>>> Yes I put it as the complete end of the entry part, ie just before 
>>>> stack_ovf which is a function by itself.
>>>>
>>>> Note that reenable_mmu is inside an #ifdef CONFIG_TRACE_IRQFLAGS.
>>>>
>>>> I'm not completely sure where to put the _ASM_NOKPROBE_SYMBOL()s, 
>>>> that's the reason why I put it close to the symbol itself in my first 
>>>> series.
>>>>
>>>> Could you have a look at the code and tell me what looks the most 
>>>> appropriate as a location to you ?
>>>>
>>>> https://elixir.bootlin.com/linux/v5.6/source/arch/powerpc/kernel/entry_32.S#L230 
>>>
>>>
>>> Ok, thinking about it once more, I guess we have a problem as 
>>> everything after that reenable_mmu will be visible.
>> 
>> I see that we reach reenable_mmu through a 'rfi' with MSR_KERNEL, which 
>> seems safe to me. So, I figured it can be probed without issues?
> 
> Yes it can. And that's the reason why I didn't blacklist it. However the 
> 4: and 7: which are after reenable_mmu are called from earlier, at a 
> time we are still in real mode. So I need to do something about that I 
> guess.

Ah yes, good catch. Makes sense to move 'reenable_mmu' after all.

Thanks,
Naveen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ