| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z8mFditQWBjxO2vn@gmail.com> Date: Thu, 6 Mar 2025 12:22:30 +0100 From: Ingo Molnar <mingo@...nel.org> To: Jiri Olsa <olsajiri@...il.com> Cc: Andy Lutomirski <luto@...nel.org>, Kees Cook <kees@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, Masami Hiramatsu <mhiramat@...nel.org>, Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Andrii Nakryiko <andrii@...nel.org>, Eyal Birger <eyal.birger@...il.com>, stable@...r.kernel.org, Jann Horn <jannh@...gle.com>, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, linux-api@...r.kernel.org, x86@...nel.org, bpf@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Deepak Gupta <debug@...osinc.com>, Stephen Rothwell <sfr@...b.auug.org.au>, Alexei Starovoitov <alexei.starovoitov@...il.com> Subject: Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check * Jiri Olsa <olsajiri@...il.com> wrote: > On Mon, Feb 17, 2025 at 01:09:43PM +0100, Jiri Olsa wrote: > > On Thu, Feb 13, 2025 at 09:58:29AM -0800, Andy Lutomirski wrote: > > > On Thu, Feb 13, 2025 at 1:16 AM Jiri Olsa <olsajiri@...il.com> wrote: > > > > > > > > On Wed, Feb 12, 2025 at 05:37:11PM -0800, Andy Lutomirski wrote: > > > > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@...nel.org> wrote: > > > > > > > > > > > > Jann reported [1] possible issue when trampoline_check_ip returns > > > > > > address near the bottom of the address space that is allowed to > > > > > > call into the syscall if uretprobes are not set up. > > > > > > > > > > > > Though the mmap minimum address restrictions will typically prevent > > > > > > creating mappings there, let's make sure uretprobe syscall checks > > > > > > for that. > > > > > > > > > > It would be a layering violation, but we could perhaps do better here: > > > > > > > > > > > - if (regs->ip != trampoline_check_ip()) > > > > > > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */ > > > > > > + if (unlikely(regs->ip != trampoline_check_ip(tramp))) > > > > > > goto sigill; > > > > > > > > > > Instead of SIGILL, perhaps this should do the seccomp action? So the > > > > > logic in seccomp would be (sketchily, with some real mode1 mess): > > > > > > > > > > if (is_a_real_uretprobe()) > > > > > skip seccomp; > > > > > > > > IIUC you want to move the address check earlier to the seccomp path.. > > > > with the benefit that we would kill not allowed caller sooner? > > > > > > The benefit would be that seccomp users that want to do something > > > other than killing a process (returning an error code, getting > > > notified, etc) could retain that functionality without the new > > > automatic hole being poked for uretprobe() in cases where uprobes > > > aren't in use or where the calling address doesn't match the uprobe > > > trampoline. IOW it would reduce the scope to which we're making > > > seccomp behave unexpectedly. > > > > Kees, any thoughts about this approach? > > ping, any idea? So in any case I think the seccomp QoL tie-in suggested by Andy should be done in a separate patch, and I've applied the -v3 patch to tip:perf/core as-is. ( I've added Alexei's Acked-by too, which as I've read the v2 thread's discussion was a given as long as his ~0 suggestion was implemented, which you did. ) Thanks, Ingo
Powered by blists - more mailing lists