lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YxhQIBKzi+L0KDhc@hirez.programming.kicks-ass.net>
Date:   Wed, 7 Sep 2022 10:02:40 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     "Masami Hiramatsu (Google)" <mhiramat@...nel.org>
Cc:     Steven Rostedt <rostedt@...dmis.org>,
        Ingo Molnar <mingo@...nel.org>,
        Suleiman Souhlal <suleiman@...gle.com>,
        bpf <bpf@...r.kernel.org>, linux-kernel@...r.kernel.org,
        Borislav Petkov <bp@...e.de>,
        Josh Poimboeuf <jpoimboe@...nel.org>, x86@...nel.org
Subject: Re: [PATCH 1/2] x86/kprobes: Fix kprobes instruction boudary check
 with CONFIG_RETHUNK

On Wed, Sep 07, 2022 at 09:55:21AM +0900, Masami Hiramatsu (Google) wrote:

>  static int can_probe(unsigned long paddr)
>  {
>  	kprobe_opcode_t buf[MAX_INSN_SIZE];
> +	unsigned long addr, offset = 0;
> +	struct insn insn;
>  
>  	if (!kallsyms_lookup_size_offset(paddr, NULL, &offset))
>  		return 0;
>  
> +	/* The first address must be instruction boundary. */
> +	if (!offset)
> +		return 1;
>  
> +	/* Decode instructions */
> +	for_each_insn(&insn, paddr - offset, paddr, buf) {
>  		/*
> +		 * CONFIG_RETHUNK or CONFIG_SLS or another debug feature
> +		 * may install INT3.

Note: they are not debug features.

>  		 */
> +		if (insn.opcode.bytes[0] == INT3_INSN_OPCODE) {
> +			/* Find the next non-INT3 instruction address */
> +			addr = skip_padding_int3((unsigned long)insn.kaddr);
> +			if (!addr)
> +				return 0;
> +			/*
> +			 * This can be a padding INT3 for CONFIG_RETHUNK or
> +			 * CONFIG_SLS. If a branch jumps to the address next
> +			 * to the INT3 sequence, this is just for padding,
> +			 * then we can continue decoding.
> +			 */
> +			for_each_insn(&insn, paddr - offset, addr, buf) {
> +				if (insn_get_branch_addr(&insn) == addr)
> +					goto found;
> +			}
>  
> +			/* This INT3 can not be decoded safely. */
>  			return 0;
> +found:
> +			/* Set loop cursor */
> +			insn.next_byte = (void *)addr;
> +			continue;
> +		}
>  	}
>  
> +	return ((unsigned long)insn.next_byte == paddr);
>  }

If I understand correctly, it'll fail on something like this:

foo:	insn
	insn
	insn
	jmp 2f
	int3

1:	insn
	insn
2:	insn
	jcc 1b

	ret
	int3

Which isn't weird code by any means. And soon to be generated by
compilers.


Maybe something like:

struct queue {
	int head, tail;
	unsigned long val[16]; /* insufficient; probably should allocate something */
};

void push(struct queue *q, unsigned long val)
{
	/* break loops, been here already */
	for (int i = 0; i < q->head; i++) {
		if (q->val[i] == val)
			return;
	}

	q->val[q->head++] = val;

	WARN_ON(q->head > ARRAY_SIZE(q->val)
}

unsigned long pop(struct queue *q)
{
	if (q->tail == q->head)
		return 0;

	return q->val[q->tail++];
}

bool dead_end_insn(struct instruction *insn)
{
	switch (insn->opcode.bytes[0]) {
	case INT3_INSN_OPCODE:
	case JMP8_INSN_OPCODE:
	case JMP32_INSN_OPCODE:
		return true; /* no arch execution after these */

	case 0xff:
		/* jmp *%reg; jmpf */
		if (modrm_reg == 4 || modrm_reg == 5)
			return true;
		break;

	default:
		break;
	}

	return false;
}



	struct queue q;

	start = paddr - offset;
	end = start + size;
	push(&q, paddr - offset);

	while (start = pop(&q)) {
		for_each_insn(&insn, start, end, buf) {
			if (insn.kaddr == paddr)
				return 1;

			target = insn_get_branch_addr(&insn);
			if (target)
				push(&q, target);

			if (dead_end_insn(&insn))
				break;
		}
	}



It's a bit of a pain, but I think it should cover things.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ