| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 May 2020 20:40:44 +0200
From: Christian Borntraeger <borntraeger@...ibm.com>
To: Oleg Nesterov <oleg@...hat.com>,
Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Guo Ren <guoren@...nel.org>,
"David S. Miller" <davem@...emloft.net>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Steven Rostedt <rostedt@...dmis.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>, Jann Horn <jannh@...gle.com>,
Al Viro <viro@...iv.linux.org.uk>,
Jens Axboe <axboe@...nel.dk>,
Security Officers <security@...nel.org>,
Andrea Arcangeli <aarcange@...hat.com>,
Ananth N Mavinakayanahalli <ananth@...ibm.com>,
Naveen Rao <naveen.n.rao@...ux.vnet.ibm.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, Vasily Gorbik <gor@...ux.ibm.com>,
Sven Schnelle <svens@...ux.ibm.com>
Subject: Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset
are properly aligned
On 04.05.20 18:47, Oleg Nesterov wrote:
> uprobe_write_opcode() must not cross page boundary; prepare_uprobe()
> relies on arch_uprobe_analyze_insn() which should validate "vaddr" but
> some architectures (csky, s390, and sparc) don't do this.
I think the idea was that the uprobe instruction is 2 bytes and instructions
are always aligned to 2 bytes on s390. (we can have 2,4 or 6 bytes).
>
> We can remove the BUG_ON() check in prepare_uprobe() and validate the
> offset early in __uprobe_register(). The new IS_ALIGNED() check matches
> the alignment check in arch_prepare_kprobe() on supported architectures,
> so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE.
Not sure if it would have been possible to try to create a uprobe on an
odd address. If yes, then the new IS_ALIGNED check certainly makes this
better for s390, so the patch looks sane. Adding Vasily and Sven to double
check.
>
> Another problem is __update_ref_ctr() which was wrong from the very
> beginning, it can read/write outside of kmap'ed page unless "vaddr" is
> aligned to sizeof(short), __uprobe_register() should check this too.
>
> Cc: stable@...r.kernel.org
> Reported-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Oleg Nesterov <oleg@...hat.com>
> ---
> kernel/events/uprobes.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index ece7e13f6e4a..cc2095607c74 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file,
> if (ret)
> goto out;
>
> - /* uprobe_write_opcode() assumes we don't cross page boundary */
> - BUG_ON((uprobe->offset & ~PAGE_MASK) +
> - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
> -
> smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
> set_bit(UPROBE_COPY_INSN, &uprobe->flags);
>
> @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, loff_t offset,
> if (offset > i_size_read(inode))
> return -EINVAL;
>
> + /*
> + * This ensures that copy_from_page(), copy_to_page() and
> + * __update_ref_ctr() can't cross page boundary.
> + */
> + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE))
> + return -EINVAL;
> + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short)))
> + return -EINVAL;
> +
> retry:
> uprobe = alloc_uprobe(inode, offset, ref_ctr_offset);
> if (!uprobe)
> @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
> uprobe_opcode_t opcode;
> int result;
>
> + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE)))
> + return -EINVAL;
> +
> pagefault_disable();
> result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr);
> pagefault_enable();
>
Powered by blists - more mailing lists