lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 4 Jun 2021 22:45:44 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     linux-kernel@...r.kernel.org, Ingo Molnar <mingo@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Jacob Wen <jian.w.wen@...cle.com>,
        Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH 2/2] tracing: Add a verifier to check string pointers
 for trace events

On Fri, 4 Jun 2021 22:28:30 -0400
Steven Rostedt <rostedt@...dmis.org> wrote:

> What you described to me does not sound like a false positive, and
> converting to __string() is not a workaround but an actual fix, and
> would also need to be backported to stable.

If the event you are talking about is kvm_nested_vmenter_failed, which
records a pointer to the message, then, yes, that is unsafe and buggy.

If that event is defined by the kvm module, and used in kvm_intel. If
you have this:

	# echo 1 > /sys/kernel/tracing/events/kvm/kvm_nested_vmenter_failed

	# do_whatever_causes_that_to_trigger

	# rmmod kvm_intel

	# cat trace

Then that pointer to the string will point to some random memory.
Before this patch, it could even possibly crash the kernel!

There's two fixes you can do with this. One is to covert that to use
__string, the other is to do what RCU does, and use the
tracepoint_string() functionality.

RCU has:

	#define TPS(x)	tracepoint_string(x)

And wrap all strings with that TPS(), like in nested_vmx_reflect_vmexit():

        if (unlikely(vmx->fail)) {
                trace_kvm_nested_vmenter_failed(
-                       "hardware VM-instruction error: ",
+                       TPS("hardware VM-instruction error: "),
                        vmcs_read32(VM_INSTRUCTION_ERROR));
                exit_intr_info = 0;
                exit_qual = 0;
                goto reflect_vmexit;
        }

What the tracepoint_string does is to save the string into core kernel
memory (there's logic to use the same string if it is already
available), and it wont free it when the module is unloaded.

This makes the string safe to use by the trace event directly.

Not only is the TPS safe, it also allows userspace tools to know what
the string is, as it is exported in printk_formats. Otherwise trace-cmd
and perf will only display a pointer hex value as it has no idea what
its pointing to (both TPS and __string fixes this).

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ