Message-ID: <7df0a1af432040d9908517661c32dc34@trendmicro.com>
Date:   Fri, 28 Aug 2020 13:11:15 +0000
From:   "Eddy_Wu@...ndmicro.com" <Eddy_Wu@...ndmicro.com>
To:     Peter Zijlstra <peterz@...radead.org>,
        Masami Hiramatsu <mhiramat@...nel.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "rostedt@...dmis.org" <rostedt@...dmis.org>,
        "naveen.n.rao@...ux.ibm.com" <naveen.n.rao@...ux.ibm.com>,
        "anil.s.keshavamurthy@...el.com" <anil.s.keshavamurthy@...el.com>,
        "linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
        "cameron@...dycamel.com" <cameron@...dycamel.com>,
        "oleg@...hat.com" <oleg@...hat.com>,
        "will@...nel.org" <will@...nel.org>,
        "paulmck@...nel.org" <paulmck@...nel.org>
Subject: RE: [RFC][PATCH 3/7] kprobes: Remove kretprobe hash

> -----Original Message-----
> From: Peter Zijlstra <peterz@...radead.org>
> Sent: Friday, August 28, 2020 12:13 AM
> To: linux-kernel@...r.kernel.org; mhiramat@...nel.org
> Cc: Eddy Wu (RD-TW) <Eddy_Wu@...ndmicro.com>; x86@...nel.org; davem@...emloft.net; rostedt@...dmis.org;
> naveen.n.rao@...ux.ibm.com; anil.s.keshavamurthy@...el.com; linux-arch@...r.kernel.org; cameron@...dycamel.com;
> oleg@...hat.com; will@...nel.org; paulmck@...nel.org; peterz@...radead.org
> Subject: [RFC][PATCH 3/7] kprobes: Remove kretprobe hash
>
> @@ -1935,71 +1932,45 @@ unsigned long __kretprobe_trampoline_han
>                                         unsigned long trampoline_address,
>                                         void *frame_pointer)
>  {
> // ... removed
> // NULL here
> +       first = node = current->kretprobe_instances.first;
> +       while (node) {
> +               ri = container_of(node, struct kretprobe_instance, llist);
>
> -               orig_ret_address = (unsigned long)ri->ret_addr;
> -               if (skipped)
> -                       pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
> -                               ri->rp->kp.addr);
> +               BUG_ON(ri->fp != frame_pointer);
>
> -               if (orig_ret_address != trampoline_address)
> +               orig_ret_address = (unsigned long)ri->ret_addr;
> +               if (orig_ret_address != trampoline_address) {
>                         /*
>                          * This is the real return address. Any other
>                          * instances associated with this task are for
>                          * other calls deeper on the call stack
>                          */
>                         break;
> +               }
> +
> +               node = node->next;
>         }
>
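Review bot: the walk starting at `first = node = current->kretprobe_instances.first;` has no handling for an empty list: when `first` is NULL the `while (node)` body never runs, `orig_ret_address` is never assigned, and nothing in this hunk reports that no instance was found for the frame. A trampoline return with no instance on the task's list cannot be resolved to a real return address, so make that an explicit check (for example `if (WARN_ON_ONCE(!first))` before the loop, with a diagnostic naming the task and `frame_pointer`) rather than leaving it to whatever follows the loop. The same applies when the loop runs off the end with `node == NULL` because every instance had `ri->ret_addr == trampoline_address`: the removed `pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ri->rp->kp.addr)` was the only diagnostic for a mis-ordered list, and its replacement `BUG_ON(ri->fp != frame_pointer);` crashes without saying which probe was involved; keep a message carrying `ri->rp->kp.addr` next to that BUG.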

Hi, I found a NULL pointer dereference here, where current->kretprobe_instances.first == NULL in these two scenarios:

1) In task "rs:main Q:Reg"
# insmod samples/kprobes/kretprobe_example.ko func=schedule
# pkill sddm-greeter

2) In task "llvmpipe-10"
# insmod samples/kprobes/kretprobe_example.ko func=schedule
log in to a plasmashell session from the sddm graphical interface

This is based on Masami's v2 + Peter's lockless patch; I'll try the new branch once I can compile the kernel.

The stack trace may not be really useful here:
[  402.008630] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  402.008633] #PF: supervisor read access in kernel mode
[  402.008642] #PF: error_code(0x0000) - not-present page
[  402.008644] PGD 0 P4D 0
[  402.008646] Oops: 0000 [#1] PREEMPT SMP PTI
[  402.008649] CPU: 7 PID: 1505 Comm: llvmpipe-10 Kdump: loaded Not tainted 5.9.0-rc2-00111-g72091ec08f03-dirty #45
[  402.008650] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[  402.008653] RIP: 0010:__kretprobe_trampoline_handler+0xb8/0x17f
[  402.008655] Code: 65 4c 8b 34 25 80 6d 01 00 4c 89 e2 48 c7 c7 91 6b 85 91 49 8d b6 38 07 00 00 e8 d1 1a f9 ff 48 85 db 74 06 48 3b 5d d0 75 16 <49> 8b 75 18 48 c7 c7 a0 6c 85 91 48 8b 56 28 e8 b2 1a f9 ff 0f 0b
[  402.008655] RSP: 0018:ffffab408147bde0 EFLAGS: 00010246
[  402.008656] RAX: 0000000000000021 RBX: 0000000000000000 RCX: 0000000000000002
[  402.008657] RDX: 0000000080000002 RSI: ffffffff9189757d RDI: 00000000ffffffff
[  402.008658] RBP: ffffab408147be20 R08: 0000000000000001 R09: 000000000000955c
[  402.008658] R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
[  402.008659] R13: 0000000000000000 R14: ffff90736d305f40 R15: 0000000000000000
[  402.008661] FS:  00007f20f6ffd700(0000) GS:ffff9073781c0000(0000) knlGS:0000000000000000
[  402.008675] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  402.008678] CR2: 0000000000000018 CR3: 00000001ed256006 CR4: 00000000003706e0
[  402.008684] Call Trace:
[  402.008689]  ? elfcorehdr_read+0x40/0x40
[  402.008690]  ? elfcorehdr_read+0x40/0x40
[  402.008691]  trampoline_handler+0x42/0x60
[  402.008692]  kretprobe_trampoline+0x2a/0x50
[  402.008693] RIP: 0010:kretprobe_trampoline+0x0/0x50

