From: Oleg Nesterov <oleg@redhat.com>
To: Andrii Nakryiko <andrii@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>
Cc: Liao Chang <liaochang1@huawei.com>,
	linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Subject: [PATCH 7/7] uprobes: deny mremap(xol_vma)
Date: Sun, 29 Sep 2024 16:42:58 +0200
Message-ID: <20240929144258.GA9492@redhat.com>
In-Reply-To: <20240929144201.GA9429@redhat.com>

kernel/events/uprobes.c assumes that xol_area->vaddr is always correct but
a malicious application can remap its "[uprobes]" vma to another address to
confuse the kernel. Introduce xol_mremap() to make this impossible.

With this change utask->xol_vaddr in xol_free_insn_slot() can't be invalid,
so we can turn the offset check into WARN_ON_ONCE(offset >= PAGE_SIZE).

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/events/uprobes.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index da45d0e5bcf4..20c58b6ee1ad 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1475,9 +1475,15 @@ static vm_fault_t xol_fault(const struct vm_special_mapping *sm,
 	return 0;
 }
 
+static int xol_mremap(const struct vm_special_mapping *sm, struct vm_area_struct *new_vma)
+{
+	return -EPERM;
+}
+
 static const struct vm_special_mapping xol_mapping = {
 	.name = "[uprobes]",
 	.fault = xol_fault,
+	.mremap = xol_mremap,
 };
 
 /* Slot allocation for XOL */
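Review bot: xol_mremap() rejects every move with -EPERM but carries no comment saying why, so the reason lives only in the commit message; a one-line comment above the function, e.g. `/* xol_area->vaddr is cached and must never change, so refuse mremap() of the [uprobes] vma */`, would tie the callback to the invariant that xol_free_insn_slot() computes its slot offset from area->vaddr. The unused `sm` and `new_vma` parameters are fine as they are dictated by the vm_special_mapping .mremap signature.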
@@ -1670,21 +1676,19 @@ static void xol_free_insn_slot(struct uprobe_task *utask)
 {
 	struct xol_area *area = current->mm->uprobes_state.xol_area;
 	unsigned long offset = utask->xol_vaddr - area->vaddr;
+	unsigned int slot_nr;
 
 	utask->xol_vaddr = 0;
-	/*
-	 * xol_vaddr must fit into [area->vaddr, area->vaddr + PAGE_SIZE).
-	 * This check can only fail if the "[uprobes]" vma was mremap'ed.
-	 */
-	if (offset < PAGE_SIZE) {
-		int slot_nr = offset / UPROBE_XOL_SLOT_BYTES;
-
-		clear_bit(slot_nr, area->bitmap);
-		atomic_dec(&area->slot_count);
-		smp_mb__after_atomic(); /* pairs with prepare_to_wait() */
-		if (waitqueue_active(&area->wq))
-			wake_up(&area->wq);
-	}
+	/* xol_vaddr must fit into [area->vaddr, area->vaddr + PAGE_SIZE) */
+	if (WARN_ON_ONCE(offset >= PAGE_SIZE))
+		return;
+
+	slot_nr = offset / UPROBE_XOL_SLOT_BYTES;
+	clear_bit(slot_nr, area->bitmap);
+	atomic_dec(&area->slot_count);
+	smp_mb__after_atomic(); /* pairs with prepare_to_wait() */
+	if (waitqueue_active(&area->wq))
+		wake_up(&area->wq);
 }
 
 void __weak arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
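Review bot: the removed comment's second sentence ("This check can only fail if the "[uprobes]" vma was mremap'ed") was the informative part and the new one-line comment drops it; with xol_mremap() now refusing moves, WARN_ON_ONCE(offset >= PAGE_SIZE) is an invariant check rather than input validation, and the comment should say so, e.g. `/* can't happen: xol_mremap() denies mremap() of the [uprobes] vma */`. Also worth a word there: the early return skips clear_bit() and atomic_dec(), so if the warning ever fires the slot stays allocated and slot_count is never decremented, which is acceptable for a path the series makes unreachable but should be a stated choice rather than an accident.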
-- 
2.25.1.362.g51ebf55



Thread overview: 16+ messages
2024-09-29 14:42 [PATCH 0/7] uprobes: deuglify xol_get_insn_slot/xol_free_insn_slot paths Oleg Nesterov
2024-09-29 14:42 ` [PATCH 1/7] uprobes: don't abuse get_utask() in pre_ssout() and prepare_uretprobe() Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 2/7] uprobes: sanitiize xol_free_insn_slot() Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 3/7] uprobes: kill the unnecessary put_uprobe/xol_free_insn_slot in uprobe_free_utask() Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 4/7] uprobes: simplify xol_take_insn_slot() and its caller Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 5/7] uprobes: move the initialization of utask->xol_vaddr from pre_ssout() to xol_get_insn_slot() Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` [PATCH 6/7] uprobes: pass utask to xol_get_insn_slot() and xol_free_insn_slot() Oleg Nesterov
2024-10-08 11:05   ` [tip: perf/core] " tip-bot2 for Oleg Nesterov
2024-09-29 14:42 ` Oleg Nesterov [this message]
2024-10-08 11:05   ` [tip: perf/core] uprobes: deny mremap(xol_vma) tip-bot2 for Oleg Nesterov
2024-09-30  8:10 ` [PATCH 0/7] uprobes: deuglify xol_get_insn_slot/xol_free_insn_slot paths Peter Zijlstra
