From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Srikar Dronamraju <srikar@linux.vnet.ibm.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Steven Rostedt <rostedt@goodmis.org>
Subject: [PATCH 4.14 46/46] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
Date: Tue, 9 Jun 2020 19:45:02 +0200 [thread overview]
Message-ID: <20200609174031.164572429@linuxfoundation.org> (raw)
In-Reply-To: <20200609174022.938987501@linuxfoundation.org>
From: Oleg Nesterov <oleg@redhat.com>
commit 013b2deba9a6b80ca02f4fafd7dedf875e9b4450 upstream.
uprobe_write_opcode() must not cross page boundary; prepare_uprobe()
relies on arch_uprobe_analyze_insn() which should validate "vaddr" but
some architectures (csky, s390, and sparc) don't do this.
We can remove the BUG_ON() check in prepare_uprobe() and validate the
offset early in __uprobe_register(). The new IS_ALIGNED() check matches
the alignment check in arch_prepare_kprobe() on supported architectures,
so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE.
Another problem is __update_ref_ctr() which was wrong from the very
beginning, it can read/write outside of kmap'ed page unless "vaddr" is
aligned to sizeof(short), __uprobe_register() should check this too.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Sven Schnelle <svens@linux.ibm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/uprobes.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -612,10 +612,6 @@ static int prepare_uprobe(struct uprobe
if (ret)
goto out;
- /* uprobe_write_opcode() assumes we don't cross page boundary */
- BUG_ON((uprobe->offset & ~PAGE_MASK) +
- UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
-
smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
set_bit(UPROBE_COPY_INSN, &uprobe->flags);
@@ -894,6 +890,15 @@ int uprobe_register(struct inode *inode,
if (offset > i_size_read(inode))
return -EINVAL;
+ /*
+ * This ensures that copy_from_page(), copy_to_page() and
+ * __update_ref_ctr() can't cross page boundary.
+ */
+ if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE))
+ return -EINVAL;
+ if (!IS_ALIGNED(ref_ctr_offset, sizeof(short)))
+ return -EINVAL;
+
retry:
uprobe = alloc_uprobe(inode, offset);
if (!uprobe)
@@ -1704,6 +1709,9 @@ static int is_trap_at_addr(struct mm_str
uprobe_opcode_t opcode;
int result;
+ if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE)))
+ return -EINVAL;
+
pagefault_disable();
result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr);
pagefault_enable();
next prev parent reply other threads:[~2020-06-09 18:14 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 17:44 [PATCH 4.14 00/46] 4.14.184-rc1 review Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 01/46] scsi: scsi_devinfo: fixup string compare Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 02/46] libnvdimm: Fix endian conversion issues Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 03/46] scsi: hisi_sas: Check sas_port before using it Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 04/46] spi: dw: use "smp_mb()" to avoid sending spi data error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 05/46] s390/ftrace: save traced function caller Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 06/46] pppoe: only process PADT targeted at local interfaces Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 07/46] ARC: Fix ICCM & DCCM runtime size checks Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 08/46] ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 09/46] i2c: altera: Fix race between xfer_msg and isr thread Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 10/46] x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 11/46] net: bmac: Fix read of MAC address from ROM Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 12/46] net/ethernet/freescale: rework quiesce/activate for ucc_geth Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 13/46] net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 14/46] net: smsc911x: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 15/46] mm: Fix mremap not considering huge pmd devmap Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 16/46] HID: sony: Fix for broken buttons on DS3 USB dongles Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 17/46] HID: i2c-hid: add Schneider SCL142ALM to descriptor override Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 18/46] p54usb: add AirVasT USB stick device-id Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 19/46] kernel/relay.c: handle alloc_percpu returning NULL in relay_open Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 20/46] mmc: fix compilation of user API Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 21/46] scsi: ufs: Release clock if DMA map fails Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 22/46] airo: Fix read overflows sending packets Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 23/46] devinet: fix memleak in inetdev_init() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 24/46] l2tp: do not use inet_hash()/inet_unhash() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 25/46] net: usb: qmi_wwan: add Telit LE910C1-EUX composition Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 26/46] NFC: st21nfca: add missed kfree_skb() in an error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 27/46] vsock: fix timeout in vsock_accept() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 28/46] net: check untrusted gso_size at kernel entry Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 29/46] l2tp: add sk_family checks to l2tp_validate_socket Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 30/46] USB: serial: qcserial: add DW5816e QDL support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 31/46] USB: serial: usb_wwan: do not resubmit rx urb on fatal errors Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 32/46] USB: serial: option: add Telit LE910C1-EUX compositions Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 33/46] usb: musb: start session in resume for host port Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 34/46] usb: musb: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 35/46] vt: keyboard: avoid signed integer overflow in k_ascii Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 36/46] tty: hvc_console, fix crashes on parallel open/close Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 37/46] staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 38/46] CDC-ACM: heed quirk also in error handling Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 39/46] nvmem: qfprom: remove incorrect write support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 40/46] x86/cpu: Add a steppings field to struct x86_cpu_id Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 41/46] x86/cpu: Add table argument to cpu_matches() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 42/46] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.14 43/46] x86/speculation: Add SRBDS vulnerability and mitigation documentation Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.14 44/46] x86/speculation: Add Ivy Bridge to affected list Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 4.14 45/46] iio: vcnl4000: Fix i2c swapped word reading Greg Kroah-Hartman
2020-06-09 17:45 ` Greg Kroah-Hartman [this message]
2020-06-09 19:04 ` [PATCH 4.14 00/46] 4.14.184-rc1 review Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200609174031.164572429@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=borntraeger@de.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=rostedt@goodmis.org \
--cc=srikar@linux.vnet.ibm.com \
--cc=stable@vger.kernel.org \
--cc=svens@linux.ibm.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.