Message-ID: <174220290574.14745.9132867025462242568.tip-bot2@tip-bot2>
Date: Mon, 17 Mar 2025 09:15:05 -0000
From: "tip-bot2 for Namhyung Kim" <tip-bot2@...utronix.de>
To: linux-tip-commits@...r.kernel.org
Cc: Matteo Rizzo <matteorizzo@...gle.com>, Namhyung Kim <namhyung@...nel.org>,
 Ingo Molnar <mingo@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
 x86@...nel.org, linux-kernel@...r.kernel.org
Subject: [tip: perf/urgent] perf/x86: Check data address for IBS software filter

The following commit has been merged into the perf/urgent branch of tip:

Commit-ID:     b0be17d8108bf3448a58be319d085155a128cf3a
Gitweb:        https://git.kernel.org/tip/b0be17d8108bf3448a58be319d085155a128cf3a
Author:        Namhyung Kim <namhyung@...nel.org>
AuthorDate:    Mon, 17 Mar 2025 01:10:58 -07:00
Committer:     Ingo Molnar <mingo@...nel.org>
CommitterDate: Mon, 17 Mar 2025 10:04:31 +01:00

perf/x86: Check data address for IBS software filter

The IBS software filter is filtering kernel samples for regular users in
the PMI handler.  It checks the instruction address in the IBS register to
determine if it was in the kernel mode or not.

But it turns out that it's possible to report a kernel data address even
if the instruction address belongs to the user space.  Matteo Rizzo
found that when an instruction raises an exception, IBS can report some
kernel data address like IDT while holding the faulting instruction's
RIP.  To prevent an information leak, it should double check if the data
address in PERF_SAMPLE_DATA is in the kernel space as well.

Suggested-by: Matteo Rizzo <matteorizzo@...gle.com>
Signed-off-by: Namhyung Kim <namhyung@...nel.org>
Signed-off-by: Ingo Molnar <mingo@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>
Link: https://lore.kernel.org/r/20250317081058.1794729-1-namhyung@kernel.org
---
 arch/x86/events/amd/ibs.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index e7a8b87..24985c7 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1147,6 +1147,13 @@ fail:
 	if (perf_ibs == &perf_ibs_op)
 		perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
 
+	if ((event->attr.config2 & IBS_SW_FILTER_MASK) &&
+	    (event->attr.sample_type & PERF_SAMPLE_ADDR) &&
+	    event->attr.exclude_kernel && !access_ok(data.addr)) {
+		throttle = perf_event_account_interrupt(event);
+		goto out;
+	}
+
 	/*
 	 * rip recorded by IbsOpRip will not be consistent with rsp and rbp
 	 * recorded as part of interrupt regs. Thus we need to use rip from
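
Review bot: The added `!access_ok(data.addr)` test reads data.addr for every IBS PMU, but the only writer visible in this hunk, perf_ibs_parse_ld_st_data(), runs only when `perf_ibs == &perf_ibs_op`. Nothing in these lines shows what data.addr holds when the parser did not fill it, so the new condition should either be gated the same way (on perf_ibs_op, or on the parser having actually set the address) or carry a comment stating why the value is well defined on the other path. The block also has no comment at all: a short one saying that IBS can report a kernel data address while the recorded RIP is in user space would explain why a second check is needed on top of the existing instruction-address filter, which is otherwise only documented in the commit message. Finally, the commit message refers to PERF_SAMPLE_DATA while the code tests PERF_SAMPLE_ADDR; the two should agree so that the log can be searched for the flag that is actually checked.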
