Message-ID: <20240304174336.68929-1-jannh@google.com>
Date: Mon, 4 Mar 2024 18:43:36 +0100
From: Jann Horn <jannh@...gle.com>
To: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org
Cc: "H. Peter Anvin" <hpa@...or.com>,
linux-kernel@...r.kernel.org
Subject: [PATCH] x86/debug: Forbid tracing arch_uninstall_hw_breakpoint()

I tried using perf_event_open() to set hardware breakpoints on every
allowed address between the kernel's _text and _etext. (For reasons.)

arch_uninstall_hw_breakpoint() was the only function where this immediately
blew up, with DB0 set to the address of the instruction for
`dr7 = this_cpu_read(cpu_dr7)`, where the directly preceding instruction
does `*slot = NULL;`.

I think the issue there is that we clear the breakpoint tracking state
before actually disarming the breakpoint.

Signed-off-by: Jann Horn <jannh@...gle.com>
---
arch/x86/kernel/hw_breakpoint.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index b01644c949b2..f46a460dbd31 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -140,8 +140,11 @@ int arch_install_hw_breakpoint(struct perf_event *bp)
*
* Atomic: we hold the counter->ctx->lock and we only handle variables
* and registers local to this cpu.
+ *
+ * noinstr avoids getting hit with a breakpoint when the debug register is
+ * still active but we've already removed ourselves from bp_per_reg.
*/
-void arch_uninstall_hw_breakpoint(struct perf_event *bp)
+void noinstr arch_uninstall_hw_breakpoint(struct perf_event *bp)
{
struct arch_hw_breakpoint *info = counter_arch_bp(bp);
unsigned long dr7;
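Review bot: The `noinstr` added to the `arch_uninstall_hw_breakpoint()` definition works around the window rather than closing it. The commit message puts the cause at `*slot = NULL;` running before the breakpoint is disarmed, so consider reordering the body so that the breakpoint is disarmed before the tracking entry is dropped, or say in the new comment why the ordering has to stay as it is. If `noinstr` stays, everything the function calls has to be safe to run from non-instrumentable code; the hunk shows only the first two lines of the body, so please confirm that the callees are inlined or themselves `noinstr` and that objtool builds without new warnings. The new comment could also name the range at risk (from the slot being cleared to the breakpoint being disarmed), since "still active" alone does not tell a later reader which statements must not be moved apart.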
--
2.39.2