Re: [PATCH] x86: ptrace debugreg checks rewrite

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@elte.hu>
To: "Alexey Dobriyan" <adobriyan@gmail.com>,
	"Frédéric Weisbecker" <fweisbec@gmail.com>
Cc: mingo@redhat.com, tglx@linutronix.de, hpa@zytor.com,
	x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: ptrace debugreg checks rewrite
Date: Tue, 23 Jun 2009 10:55:50 +0200	[thread overview]
Message-ID: <20090623085550.GE14560@elte.hu> (raw)
In-Reply-To: <20090622210920.GB2331@x200.localdomain>


* Alexey Dobriyan <adobriyan@gmail.com> wrote:

> This is a mess.
> 
> Pre unified-x86 code did check for breakpoint addr
> to be "< TASK_SIZE - 3 (or 7)". This was fine from security POV,
> but banned valid breakpoint usage when address is close to TASK_SIZE.
> E. g. 1-byte breakpoint at TASK_SIZE - 1 should be allowed, but it wasn't.
> 
> Then came commit 84929801e14d968caeb84795bfbb88f04283fbd9
> ("[PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes")
> which for some reason touched ptrace as well and made effective
> TASK_SIZE of 32-bit process depending on IA32_PAGE_OFFSET
> which is not a constant!:
> 
> 	#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
> 				   ^^^^^^^
> Maximum addr for breakpoint became dependent on personality of ptracer.
> 
> Commit also relaxed danger zone for 32-bit processes from 8 bytes to 4
> not taking into account that 8-byte wide breakpoints are possible even
> for 32-bit processes. This was fine, however, because 64-bit kernel
> addresses are too far from 32-bit ones.
> 
> Then came utrace with commit 2047b08be67b70875d8765fc81d34ce28041bec3
> ("x86: x86 ptrace getreg/putreg merge") which copy-pasted and ifdeffed 32-bit
> part of TASK_SIZE_OF() leaving 8-byte issue as-is.
> 
> So, what patch fixes?
> 1) Too strict logic near TASK_SIZE boundary -- as long as we don't cross
>    TASK_SIZE_MAX, we're fine.
> 2) Too smart logic of using breakpoints over non-existent kernel
>    boundary -- we should only protect against setting up after
>    TASK_SIZE_MAX, the rest is none of kernel business. This fixes
>    IA32_PAGE_OFFSET beartrap as well.
> 
> As a bonus, remove uberhack and big comment determining DR7 validness,
> rewrite with clear algorithm when it's obvious what's going on.
> 
> Make DR validness checker suitable for C/R. On restart DR registers
> must be checked the same way they are checked on PTRACE_POKEUSR.
> 
> Question 1: TIF_DEBUG can set even if none of breakpoints is turned on,
> should this be optimized?
> 
> Question 2: Breakpoints are allowed to be globally enabled, is this a
> security risk?
> 
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>

Please base this on the latest x86 tree:

  http://people.redhat.com/mingo/tip.git/README

which has the hw-debug rework with debug register ops abstracted out 
already - making your patch not apply at all.

Thanks,

	Ingo

next prev parent reply	other threads:[~2009-06-23  8:56 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-06-22 21:09 [PATCH] x86: ptrace debugreg checks rewrite Alexey Dobriyan
2009-06-23  8:55 ` Ingo Molnar [this message]
2009-06-23  9:47   ` Alexey Dobriyan
2009-06-30 21:48     ` Ingo Molnar
  -- strict thread matches above, loose matches on Subject: below --
2009-05-04  0:16 Alexey Dobriyan
2009-05-04  0:16 Alexey Dobriyan
2009-05-04  0:24 ` Alexey Dobriyan
2009-05-06  9:56   ` Ingo Molnar
     [not found]     ` <20090506095629.GC15323-X9Un+BFzKDI@public.gmane.org>
2009-05-06 20:38       ` Roland McGrath
2009-05-06 20:38         ` Roland McGrath
     [not found]         ` <20090506203852.D9AC9FC39E-nL1rrgvulkc2UH6IwYuUx0EOCMrvLtNR@public.gmane.org>
2009-05-07  9:13           ` Ingo Molnar
2009-05-07  9:13         ` Ingo Molnar
2009-05-07  0:24       ` Oleg Nesterov
2009-05-07  0:24     ` Oleg Nesterov
     [not found]   ` <20090504002431.GA17556-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
2009-05-06  9:56     ` Ingo Molnar
     [not found] ` <20090504001601.GL16631-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
2009-05-04  0:24   ` Alexey Dobriyan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090623085550.GE14560@elte.hu \
    --to=mingo@elte.hu \
    --cc=adobriyan@gmail.com \
    --cc=fweisbec@gmail.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.