From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
To: Jinghao Jia <jinghao7@illinois.edu>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 1/2] x86/kprobes: Prohibit kprobing on INT and UD
Date: Sun, 28 Jan 2024 10:19:12 +0900 [thread overview]
Message-ID: <20240128101912.5ad6717347bd66089ecea03a@kernel.org> (raw)
In-Reply-To: <20240127044124.57594-2-jinghao7@illinois.edu>
On Fri, 26 Jan 2024 22:41:23 -0600
Jinghao Jia <jinghao7@illinois.edu> wrote:
> Both INTs (INT n, INT1, INT3, INTO) and UDs (UD0, UD1, UD2) serve
> special purposes in the kernel, e.g., INT3 is used by KGDB and UD2 is
> involved in LLVM-KCFI instrumentation. At the same time, attaching
> kprobes on these instructions (particularly UDs) will pollute the stack
> trace dumped in the kernel ring buffer, since the exception is triggered
> in the copy buffer rather than the original location.
>
> Check for INTs and UDs in can_probe and reject any kprobes trying to
> attach to these instructions.
>
Thanks for implement this check!
> Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
> Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
> ---
> arch/x86/kernel/kprobes/core.c | 33 ++++++++++++++++++++++++++-------
> 1 file changed, 26 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> index e8babebad7b8..792b38d22126 100644
> --- a/arch/x86/kernel/kprobes/core.c
> +++ b/arch/x86/kernel/kprobes/core.c
> @@ -252,6 +252,22 @@ unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long add
> return __recover_probed_insn(buf, addr);
> }
>
> +static inline int is_exception_insn(struct insn *insn)
> +{
> + if (insn->opcode.bytes[0] == 0x0f) {
> + /* UD0 / UD1 / UD2 */
> + return insn->opcode.bytes[1] == 0xff ||
> + insn->opcode.bytes[1] == 0xb9 ||
> + insn->opcode.bytes[1] == 0x0b;
> + } else {
If "else" block just return, you don't need this "else".
bool func()
{
if (cond)
return ...
return ...
}
Is preferrable because this puts "return val" always at the end of non-void
function.
> + /* INT3 / INT n / INTO / INT1 */
> + return insn->opcode.bytes[0] == 0xcc ||
> + insn->opcode.bytes[0] == 0xcd ||
> + insn->opcode.bytes[0] == 0xce ||
> + insn->opcode.bytes[0] == 0xf1;
> + }
> +}
> +
> /* Check if paddr is at an instruction boundary */
> static int can_probe(unsigned long paddr)
> {
> @@ -294,6 +310,16 @@ static int can_probe(unsigned long paddr)
> #endif
> addr += insn.length;
> }
> + __addr = recover_probed_instruction(buf, addr);
> + if (!__addr)
> + return 0;
> +
> + if (insn_decode_kernel(&insn, (void *)__addr) < 0)
> + return 0;
> +
> + if (is_exception_insn(&insn))
> + return 0;
> +
Please don't put this outside of decoding loop. You should put these in
the loop which decodes the instruction from the beginning of the function.
Since the x86 instrcution is variable length, can_probe() needs to check
whether that the address is instruction boundary and decodable.
Thank you,
> if (IS_ENABLED(CONFIG_CFI_CLANG)) {
> /*
> * The compiler generates the following instruction sequence
> @@ -308,13 +334,6 @@ static int can_probe(unsigned long paddr)
> * Also, these movl and addl are used for showing expected
> * type. So those must not be touched.
> */
> - __addr = recover_probed_instruction(buf, addr);
> - if (!__addr)
> - return 0;
> -
> - if (insn_decode_kernel(&insn, (void *)__addr) < 0)
> - return 0;
> -
> if (insn.opcode.value == 0xBA)
> offset = 12;
> else if (insn.opcode.value == 0x3)
> --
> 2.43.0
>
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>
next prev parent reply other threads:[~2024-01-28 1:19 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-27 4:41 [RFC PATCH 0/2] x86/kprobes: add exception opcode detector and boost more opcodes Jinghao Jia
2024-01-27 4:41 ` [RFC PATCH 1/2] x86/kprobes: Prohibit kprobing on INT and UD Jinghao Jia
2024-01-27 19:47 ` Xin Li
2024-01-28 21:09 ` Jinghao Jia
2024-01-28 1:19 ` Masami Hiramatsu [this message]
2024-01-28 21:25 ` Jinghao Jia
2024-01-30 1:44 ` Masami Hiramatsu
2024-01-30 2:50 ` Jinghao Jia
2024-01-30 11:30 ` Masami Hiramatsu
2024-01-27 4:41 ` [RFC PATCH 2/2] x86/kprobes: boost more instructions from grp2/3/4/5 Jinghao Jia
2024-01-28 2:22 ` Masami Hiramatsu
2024-01-28 21:30 ` Jinghao Jia
2024-01-30 1:45 ` Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240128101912.5ad6717347bd66089ecea03a@kernel.org \
--to=mhiramat@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jinghao7@illinois.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).