| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201211094950.6c3f040d@gandalf.local.home>
Date: Fri, 11 Dec 2020 09:49:50 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Ingo Molnar <mingo@...nel.org>, Adam Zabrocki <pi3@....com.pl>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Kees Cook <keescook@...omium.org>,
Borislav Petkov <bp@...en8.de>, x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org,
"Naveen N . Rao" <naveen.n.rao@...ux.ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
"David S . Miller" <davem@...emloft.net>,
Solar Designer <solar@...nwall.com>
Subject: Re: [PATCH] x86/kprobes: Fix optprobe to detect padding int3
correctly
On Fri, 11 Dec 2020 16:04:17 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:
> Fix optprobe to detect padding int3 correctly.
>
> Since commit 7705dc855797 ("x86/vmlinux: Use INT3 instead of NOP
> for linker fill bytes") changed the padding bytes between functions
> from nop to int3, when optprobe decodes a target function it finds
> int3 and gives up the jump optimization.
>
> Instead of giving up any int3 detection, this checks whether the
> rest of bytes to the end of the function are int3 or not. If all
> of those are int3, those come from the linker. In that case,
> optprobe continues jump optimization.
>
> Fixes: 7705dc855797 ("x86/vmlinux: Use INT3 instead of NOP for linker fill bytes")
> Cc: stable@...r.kernel.org
> Reported-by: Adam Zabrocki <pi3@....com.pl>
> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
Reviewed-by: Steven Rostedt (VMware) <rostedt@...dmis.org>
This should probably go in via tip.
-- Steve
> ---
> arch/x86/kernel/kprobes/opt.c | 22 ++++++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
> index 041f0b50bc27..b5cf39f1a855 100644
> --- a/arch/x86/kernel/kprobes/opt.c
> +++ b/arch/x86/kernel/kprobes/opt.c
> @@ -272,6 +272,19 @@ static int insn_is_indirect_jump(struct insn *insn)
> return ret;
> }
>
> +static bool is_padding_int3(unsigned long addr, unsigned long eaddr)
> +{
> + unsigned char ops;
> +
> + for (; addr < eaddr; addr++) {
> + if (get_kernel_nofault(ops, (void *)addr) < 0 ||
> + ops != INT3_INSN_OPCODE)
> + return false;
> + }
> +
> + return true;
> +}
> +
> /* Decode whole function to ensure any instructions don't jump into target */
> static int can_optimize(unsigned long paddr)
> {
> @@ -310,9 +323,14 @@ static int can_optimize(unsigned long paddr)
> return 0;
> kernel_insn_init(&insn, (void *)recovered_insn, MAX_INSN_SIZE);
> insn_get_length(&insn);
> - /* Another subsystem puts a breakpoint */
> + /*
> + * In the case of detecting unknown breakpoint, this could be
> + * a padding int3 between functions. Let's check that all the
> + * rest of the bytes are also int3.
> + */
> if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
> - return 0;
> + return is_padding_int3(addr, paddr - offset + size) ? 1 : 0;
> +
> /* Recover address */
> insn.kaddr = (void *)addr;
> insn.next_byte = (void *)(addr + insn.length);
Powered by blists - more mailing lists