| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z6sLthPEqVuGKQSL@krava>
Date: Tue, 11 Feb 2025 09:35:02 +0100
From: Jiri Olsa <olsajiri@...il.com>
To: Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Oleg Nesterov <oleg@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Andrii Nakryiko <andrii@...nel.org>, Kees Cook <kees@...nel.org>,
Eyal Birger <eyal.birger@...il.com>, stable@...r.kernel.org,
Jann Horn <jannh@...gle.com>, linux-kernel@...r.kernel.org,
linux-trace-kernel@...r.kernel.org, linux-api@...r.kernel.org,
x86@...nel.org, bpf@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Andy Lutomirski <luto@...nel.org>,
Deepak Gupta <debug@...osinc.com>,
Stephen Rothwell <sfr@...b.auug.org.au>
Subject: Re: [PATCH bpf-next] uprobes: Harden uretprobe syscall trampoline
check
On Mon, Feb 10, 2025 at 09:26:53AM -0800, Andrii Nakryiko wrote:
> On Sun, Feb 9, 2025 at 2:05 PM Jiri Olsa <jolsa@...nel.org> wrote:
> >
> > Jann reported [1] possible issue when trampoline_check_ip returns
> > address near the bottom of the address space that is allowed to
> > call into the syscall if uretprobes are not set up.
> >
> > Though the mmap minimum address restrictions will typically prevent
> > creating mappings there, let's make sure uretprobe syscall checks
> > for that.
> >
> > [1] https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf
> > Cc: Kees Cook <kees@...nel.org>
> > Cc: Eyal Birger <eyal.birger@...il.com>
> > Cc: stable@...r.kernel.org
> > Reported-by: Jann Horn <jannh@...gle.com>
> > Signed-off-by: Jiri Olsa <jolsa@...nel.org>
> > ---
> > arch/x86/kernel/uprobes.c | 14 +++++++++-----
> > 1 file changed, 9 insertions(+), 5 deletions(-)
> >
> > diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
> > index 5a952c5ea66b..109d6641a1b3 100644
> > --- a/arch/x86/kernel/uprobes.c
> > +++ b/arch/x86/kernel/uprobes.c
> > @@ -357,19 +357,23 @@ void *arch_uprobe_trampoline(unsigned long *psize)
> > return &insn;
> > }
> >
> > -static unsigned long trampoline_check_ip(void)
> > +static unsigned long trampoline_check_ip(unsigned long tramp)
> > {
> > - unsigned long tramp = uprobe_get_trampoline_vaddr();
> > -
> > return tramp + (uretprobe_syscall_check - uretprobe_trampoline_entry);
> > }
> >
> > SYSCALL_DEFINE0(uretprobe)
> > {
> > struct pt_regs *regs = task_pt_regs(current);
> > - unsigned long err, ip, sp, r11_cx_ax[3];
> > + unsigned long err, ip, sp, r11_cx_ax[3], tramp;
> > +
> > + /* If there's no trampoline, we are called from wrong place. */
> > + tramp = uprobe_get_trampoline_vaddr();
> > + if (tramp == -1)
>
> slight nit: mixing -1 and unsigned long looks sloppy. Maybe let's add
> something like
>
> #define UPROBE_NO_TRAMPOLINE_VADDR ((unsigned long)-1)
>
> and return that from uprobe_get_trampoline_vaddr()?
ok, will add that
thanks,
jirka
>
> > + goto sigill;
> >
> > - if (regs->ip != trampoline_check_ip())
> > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > + if (regs->ip != trampoline_check_ip(tramp))
> > goto sigill;
> >
> > err = copy_from_user(r11_cx_ax, (void __user *)regs->sp, sizeof(r11_cx_ax));
> > --
> > 2.48.1
> >
Powered by blists - more mailing lists