[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJF2gTTCFPsn+8NJaQyHan9h9b7=UzjY-+H4_qi4DaGXJ_kD3w@mail.gmail.com>
Date: Sat, 28 Jan 2023 11:52:47 +0800
From: Guo Ren <guoren@...nel.org>
To: "liaochang (A)" <liaochang1@...wei.com>
Cc: palmer@...belt.com, paul.walmsley@...ive.com, mhiramat@...nel.org,
conor.dooley@...rochip.com, penberg@...nel.org,
mark.rutland@....com, linux-riscv@...ts.infradead.org,
linux-kernel@...r.kernel.org, Guo Ren <guoren@...ux.alibaba.com>
Subject: Re: [PATCH] riscv: kprobe: Fixup kernel panic when probing an illegal position
On Sat, Jan 28, 2023 at 11:46 AM Guo Ren <guoren@...nel.org> wrote:
>
> On Sat, Jan 28, 2023 at 10:55 AM liaochang (A) <liaochang1@...wei.com> wrote:
> >
> >
> >
> > 在 2023/1/26 21:05, guoren@...nel.org 写道:
> > > From: Guo Ren <guoren@...ux.alibaba.com>
> > >
> > > The kernel would panic when probed for an illegal position. eg:
> > >
> > > (CONFIG_RISCV_ISA_C=n)
> > >
> > > echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events
> > > echo 1 > events/kprobes/hello/enable
> > > cat trace
> > >
> > > Kernel panic - not syncing: stack-protector: Kernel stack
> > > is corrupted in: __do_sys_newfstatat+0xb8/0xb8
> > > CPU: 0 PID: 111 Comm: sh Not tainted
> > > 6.2.0-rc1-00027-g2d398fe49a4d #490
> > > Hardware name: riscv-virtio,qemu (DT)
> > > Call Trace:
> > > [<ffffffff80007268>] dump_backtrace+0x38/0x48
> > > [<ffffffff80c5e83c>] show_stack+0x50/0x68
> > > [<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84
> > > [<ffffffff80c6da6c>] dump_stack+0x20/0x30
> > > [<ffffffff80c5ecf4>] panic+0x160/0x374
> > > [<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8
> > > [<ffffffff802deeb0>] sys_newstat+0x0/0x30
> > > [<ffffffff800158c0>] sys_clone+0x20/0x30
> > > [<ffffffff800039e8>] ret_from_syscall+0x0/0x4
> > > ---[ end Kernel panic - not syncing: stack-protector:
> > > Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---
> > >
> > > That is because the kprobe's ebreak instruction broke the kernel's
> > > original code. The user should guarantee the correction of the probe
> > > position, but it couldn't make the kernel panic.
> > >
> > > This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an
> > > illegal position (Such as the middle of an instruction).
> > >
> > > Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported")
> > > Signed-off-by: Guo Ren <guoren@...ux.alibaba.com>
> > > Signed-off-by: Guo Ren <guoren@...nel.org>
> > > ---
> > > arch/riscv/kernel/probes/kprobes.c | 18 ++++++++++++++++++
> > > 1 file changed, 18 insertions(+)
> > >
> > > diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c
> > > index f21592d20306..475989f06d6d 100644
> > > --- a/arch/riscv/kernel/probes/kprobes.c
> > > +++ b/arch/riscv/kernel/probes/kprobes.c
> > > @@ -48,6 +48,21 @@ static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
> > > post_kprobe_handler(p, kcb, regs);
> > > }
> > >
> > > +static bool __kprobes arch_check_kprobe(struct kprobe *p)
> > > +{
> > > + unsigned long tmp = (unsigned long)p->addr - p->offset;
> > > + unsigned long addr = (unsigned long)p->addr;
> > > +
> > > + while (tmp <= addr) {
> > > + if (tmp == addr)
> > > + return true;
> > > +
> > > + tmp += GET_INSN_LENGTH(*(kprobe_opcode_t *)tmp);
> > > + }
> > > +
> > > + return false;
> > > +}
> >
> > LGTM.
> >
> > I have submit a patch to fix the same problem, found at:
> Oh, I missed that patch. Our goal is the same.
>
> But it would be best if you reused p->offset, not
> kallsyms_lookup_size_offset, the p->addr added by _kprobe_addr
> (kernel/kprobes.c), not just kallsyms_lookup_size_offset. Sure, it
> works around for the current riscv, but that's not correct.
Sorry, the above description is a little bit confusing. What I mean is that:
The p->addr = func_entry + p->offset. Not kallsyms_lookup_size_offset.
Your patch could get the wrong func_entry.
>
> >
> > https://lore.kernel.org/lkml/20230127130541.1250865-11-chenguokai17@mails.ucas.ac.cn/
> >
> > So this boundary check is necessary no matter CONFIG_RISCV_ISA_C is enable or not, right?
> Yes, my panic example in the commit log is based on the
> !CONFIG_RISCV_ISA_C, you couldn't miss that.
>
> >
> >
> > > +
> > > int __kprobes arch_prepare_kprobe(struct kprobe *p)
> > > {
> > > unsigned long probe_addr = (unsigned long)p->addr;
> > > @@ -55,6 +70,9 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
> > > if (probe_addr & 0x1)
> > > return -EILSEQ;
> > >
> > > + if (!arch_check_kprobe(p))
> > > + return -EILSEQ;
> > > +
> > > /* copy instruction */
> > > p->opcode = *p->addr;
> > >
> >
> > --
> > BR,
> > Liao, Chang
>
>
>
> --
> Best Regards
> Guo Ren
--
Best Regards
Guo Ren
Powered by blists - more mailing lists