lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210524143045.87d7ba5830c9662c2c9862a3@kernel.org>
Date:   Mon, 24 May 2021 14:30:45 +0900
From:   Masami Hiramatsu <mhiramat@...nel.org>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     Ingo Molnar <mingo@...nel.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        "Naveen N . Rao" <naveen.n.rao@...ux.vnet.ibm.com>,
        Ananth N Mavinakayanahalli <ananth@...ux.ibm.com>,
        linux-kernel@...r.kernel.org, x86@...nel.org
Subject: Re: [BUGFIX PATCH -tip] x86/kprobes: Fix to call previous kprobe's
 fault handler

On Mon, 24 May 2021 12:25:36 +0900
Masami Hiramatsu <mhiramat@...nel.org> wrote:

> Fix to call the previous kprobe's fault handler when a page fault
> occurred in reentered kprobes.
> This may happen if kprobes handler calls a function which can cause
> a page fault (e.g. access user page) and another kprobe probes that
> instruction.
> Without the 2nd kprobe, the 1st kprobe can handle the page fault,
> but with the 2nd kprobe, the 1st one can not handle it.
> 
> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>

BTW, this is a kind of a rare case bug, but exists from very early day.

E.g. reenter case has been decoupled in the kprobe_fault_handler()
by commit b4026513b88e ("[PATCH] kprobes: fix broken fault handling 
for i386"), but even without that commit, kprobes never call previous
kprobe fault handler.

So it seems that this bug has been there from the commit 417c8da6511b
 ("[PATCH] kprobes: Temporary disarming of reentrant probe for i386")
which introduces the "reenter" kprobes.

Fixes: 417c8da6511b ("[PATCH] kprobes: Temporary disarming of reentrant probe for i386")
Cc: stable@...r.kernel.org

Note that this patch itself can be cleanly applied from commit
2bbda764d720 ("kprobes/x86: Do not disable preempt on int3 path")

and before commit 6381c24cd6d5 ("kprobes/x86: Fix page-fault handling logic")
this needs the above commit.

BTW, there is another discussion to remove user fault_handler from
kprobes. In that case, this patch is not needed anymore.

Thank you,

> ---
>  arch/x86/kernel/kprobes/core.c |   19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> index 7c4d0736a998..ac2514f1e195 100644
> --- a/arch/x86/kernel/kprobes/core.c
> +++ b/arch/x86/kernel/kprobes/core.c
> @@ -1098,12 +1098,21 @@ int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
>  		 */
>  		regs->flags |= kcb->kprobe_old_flags;
>  
> -		if (kcb->kprobe_status == KPROBE_REENTER)
> -			restore_previous_kprobe(kcb);
> -		else
> +		if (kcb->kprobe_status != KPROBE_REENTER) {
>  			reset_current_kprobe();
> -	} else if (kcb->kprobe_status == KPROBE_HIT_ACTIVE ||
> -		   kcb->kprobe_status == KPROBE_HIT_SSDONE) {
> +			return 0;
> +		}
> +		restore_previous_kprobe(kcb);
> +		/*
> +		 * If reentered kprobes caused a page fault, it must be
> +		 * handled by the previous kprobe too. But we don't bother
> +		 * checking KPROBE_HIT_SS again because kprobes can not
> +		 * probe another kprobe's single stepping buffer.
> +		 */
> +	}
> +
> +	if (kcb->kprobe_status == KPROBE_HIT_ACTIVE ||
> +	    kcb->kprobe_status == KPROBE_HIT_SSDONE) {
>  		/*
>  		 * We increment the nmissed count for accounting,
>  		 * we can also use npre/npostfault count for accounting
> 


-- 
Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ