linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Masami Hiramatsu <mhiramat@kernel.org>,
	Borislav Petkov <bp@alien8.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 3.18 13/39] kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed
Date: Thu, 11 May 2017 15:02:48 +0200	[thread overview]
Message-ID: <20170511130240.932704960@linuxfoundation.org> (raw)
In-Reply-To: <20170511130238.045434679@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream.

Fix to the exception table entry check by using probed address
instead of the address of copied instruction.

This bug may cause an unexpected kernel panic if a user probes an address
where an exception can happen which should be fixed up by __ex_table
(e.g. copy_from_user).

Unless a user puts a kprobe on such an address, this doesn't
cause any problem.

This bug was introduced years ago, by commit:

  464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently").

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently")
Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kprobes/common.h |    2 +-
 arch/x86/kernel/kprobes/core.c   |    6 +++---
 arch/x86/kernel/kprobes/opt.c    |    2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/kprobes/common.h
+++ b/arch/x86/kernel/kprobes/common.h
@@ -67,7 +67,7 @@
 #endif
 
 /* Ensure if the instruction can be boostable */
-extern int can_boost(kprobe_opcode_t *instruction);
+extern int can_boost(kprobe_opcode_t *instruction, void *addr);
 /* Recover instruction if given address is probed */
 extern unsigned long recover_probed_instruction(kprobe_opcode_t *buf,
 					 unsigned long addr);
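Review bot: the new `addr` parameter is undocumented in the only comment on this prototype. Since `instruction` points at the copied bytes in the insn slot while `addr` is the original probed address used for the `__ex_table` lookup, the comment above the declaration should say so, e.g. `/* Ensure if the instruction can be boostable; addr is the probed (original) address */`, so a caller does not pass the copy address for both. The parameter name `instruction` here also differs from `opcodes` in the core.c definition; aligning them would help readers match the two.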
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -163,12 +163,12 @@ NOKPROBE_SYMBOL(skip_prefixes);
  * Returns non-zero if opcode is boostable.
  * RIP relative instructions are adjusted at copying time in 64 bits mode
  */
-int can_boost(kprobe_opcode_t *opcodes)
+int can_boost(kprobe_opcode_t *opcodes, void *addr)
 {
 	kprobe_opcode_t opcode;
 	kprobe_opcode_t *orig_opcodes = opcodes;
 
-	if (search_exception_tables((unsigned long)opcodes))
+	if (search_exception_tables((unsigned long)addr))
 		return 0;	/* Page fault may occur on this address. */
 
 retry:
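Review bot: the changed `search_exception_tables()` call is the actual fix, and the reasoning deserves a line in the function's header comment: `opcodes` points into the kprobes insn slot (a copy of the instruction), which is never listed in `__ex_table`, so the old lookup always returned 0 and the "Page fault may occur on this address" guard was dead. The comment "Returns non-zero if opcode is boostable." should be extended to state that `addr` must be the original probed address, not the copy. Behaviour on a hit is unchanged: returning 0 keeps the probe non-boostable, as that comment intends.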
@@ -385,7 +385,7 @@ static int arch_copy_kprobe(struct kprob
 	 * __copy_instruction can modify the displacement of the instruction,
 	 * but it doesn't affect boostable check.
 	 */
-	if (can_boost(p->ainsn.insn))
+	if (can_boost(p->ainsn.insn, p->addr))
 		p->ainsn.boostable = 0;
 	else
 		p->ainsn.boostable = -1;
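Review bot: the comment just above ("__copy_instruction can modify the displacement of the instruction, but it doesn't affect boostable check") now tells only half the story, because the check has two inputs: the copied bytes in `p->ainsn.insn` for opcode decoding and `p->addr` for the exception-table lookup. Suggest extending it to say the exception-table check is keyed on `p->addr` precisely because the copy in `p->ainsn.insn` lies outside the text that `__ex_table` describes. The `boostable = 0` / `-1` encoding is pre-existing and unchanged by this hunk.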
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -177,7 +177,7 @@ static int copy_optimized_instructions(u
 
 	while (len < RELATIVEJUMP_SIZE) {
 		ret = __copy_instruction(dest + len, src + len);
-		if (!ret || !can_boost(dest + len))
+		if (!ret || !can_boost(dest + len, src + len))
 			return -EINVAL;
 		len += ret;
 	}
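Review bot: `dest + len` / `src + len` is the right pairing: `__copy_instruction(dest + len, src + len)` has just copied the instruction at `src + len` into the buffer, so `src + len` is the kernel-text address that may carry a fixup while `dest + len` is the copy to decode. Worth a sentence in the commit log for the optprobe path: before this change the `-EINVAL` bail-out could not fire for an instruction with an `__ex_table` entry anywhere in the RELATIVEJUMP_SIZE window, since the lookup was on buffer addresses; after it, such a window is rejected.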

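As an added illustration that is not part of this patch or of the kernel tree, the toy C model below reproduces the logic of the fix: a constructed `__ex_table` stand-in, a constructed kernel-text / insn-slot address layout, and the pre- and post-patch shapes of the `can_boost()` lookup side by side. Everything prefixed `toy_` / `TOY_` is invented here, and the assumption in `toy_hit_probe()` that a non-boosted probe's fault is attributed back to the probed address is a simplification of mine, not kernel code.

```c
/* Added illustration, not code from the patch or the kernel: a toy model of
 * the x86 kprobes "boostable" decision, showing why an exception-table lookup
 * keyed on the copied instruction's address is dead (the copy buffer is never
 * in __ex_table) and why that matters once the copy is executed directly.
 * All addresses, tables and names starting with toy_/TOY_ are constructed. */
#include <stddef.h>
#include <stdint.h>

/* Constructed address layout: kernel text vs. the kprobes insn slot page. */
#define TOY_TEXT_BASE  0x1000u
#define TOY_SLOT_ADDR  0x9000u
#define TOY_TEXT_LEN   3u

/* Constructed kernel text: index 1 is an instruction that can fault
 * (like the user-access load inside copy_from_user). */
static const int toy_insn_may_fault[TOY_TEXT_LEN] = { 0, 1, 0 };

/* Stand-in for __ex_table: the may-fault instruction has a fixup entry. */
static const uintptr_t toy_ex_table[] = { TOY_TEXT_BASE + 1 };

/* Stand-in for search_exception_tables(): non-zero if addr has a fixup. */
static int toy_search_exception_tables(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof(toy_ex_table) / sizeof(toy_ex_table[0]); i++)
        if (toy_ex_table[i] == addr)
            return 1;
    return 0;
}

/* Pre-patch check: looks up the *slot* address the instruction was copied to.
 * The slot page has no __ex_table entries, so this can never refuse. */
static int toy_can_boost_old(uintptr_t slot_addr)
{
    return toy_search_exception_tables(slot_addr) ? 0 : 1;
}

/* Post-patch check: looks up the *probed* kernel-text address instead. */
static int toy_can_boost_new(uintptr_t slot_addr, uintptr_t probed_addr)
{
    (void)slot_addr;  /* opcode decoding would run on the copy; omitted here */
    return toy_search_exception_tables(probed_addr) ? 0 : 1;
}

/* Boost decision for the probe at text index idx, old or fixed check.
 * Returns 1 (boost) or 0 (do not boost); -1 on an out-of-range index. */
int toy_boost_decision(size_t idx, int use_fixed_check)
{
    if (idx >= TOY_TEXT_LEN)
        return -1;
    uintptr_t probed = TOY_TEXT_BASE + idx;
    return use_fixed_check ? toy_can_boost_new(TOY_SLOT_ADDR, probed)
                           : toy_can_boost_old(TOY_SLOT_ADDR);
}

/* Model of hitting the probe at text index idx.  Returns 1 if the probe
 * survives (no fault, or a fault that __ex_table can fix up) and 0 if the
 * fault has no fixup, i.e. the "unexpected kernel panic" from the commit.
 * Simplification (assumed, not kernel code): a boosted copy executes straight
 * out of the slot, so its fault is reported at the slot address; a non-boosted
 * probe's fault is attributed back to the probed address before fixup. */
int toy_hit_probe(size_t idx, int use_fixed_check)
{
    int boosted = toy_boost_decision(idx, use_fixed_check);
    if (boosted < 0)
        return -1;
    if (!toy_insn_may_fault[idx])
        return 1;
    uintptr_t fault_addr = boosted ? TOY_SLOT_ADDR : TOY_TEXT_BASE + idx;
    return toy_search_exception_tables(fault_addr) ? 1 : 0;
}
```

With the old check, probing index 1 is (wrongly) boosted and the fault lands at the slot address, which has no fixup; with the fixed check the probe is refused boosting and the fault resolves against the probed address. A harmless instruction (index 0 or 2) is boosted under both versions, which is why the commit notes that nothing breaks unless a kprobe sits on an address with an `__ex_table` entry.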