From: Namhyung Kim <namhyung@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Matteo Rizzo <matteorizzo@google.com>,
Ravi Bangoria <ravi.bangoria@amd.com>
Subject: [PATCH] perf/x86: Check data address for IBS software filter
Date: Mon, 17 Mar 2025 01:10:58 -0700 [thread overview]
Message-ID: <20250317081058.1794729-1-namhyung@kernel.org> (raw)
IBS software filter was to filter kernel samples for regular users in
PMI handler. It checks the instruction address in the IBS register to
determine if it was in the kernel more or not.
But it turns out that it's possible to report a kernel data address even
if the instruction address belongs to the user space. Matteo Rizzo
found that when an instruction raises an exception, IBS can report some
kernel data address like IDT while holding the faulting instruction's
RIP. To prevent an information leak, it should double check if the data
address in PERF_SAMPLE_DATA is in the kernel space as well.
Suggested-by: Matteo Rizzo <matteorizzo@google.com>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
---
arch/x86/events/amd/ibs.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 7b52b8e3a185157f..8b3b76fad587b3ff 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1286,6 +1286,13 @@ static int perf_ibs_handle_irq(struct perf_ibs *perf_ibs, struct pt_regs *iregs)
if (perf_ibs == &perf_ibs_op)
perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
+ if ((event->attr.config2 & IBS_SW_FILTER_MASK) &&
+ (event->attr.sample_type & PERF_SAMPLE_ADDR) &&
+ event->attr.exclude_kernel && !access_ok(data.addr)) {
+ throttle = perf_event_account_interrupt(event);
+ goto out;
+ }
+
/*
* rip recorded by IbsOpRip will not be consistent with rsp and rbp
* recorded as part of interrupt regs. Thus we need to use rip from
--
2.49.0.rc1.451.g8f38331e32-goog
next reply other threads:[~2025-03-17 8:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 8:10 Namhyung Kim [this message]
2025-03-17 9:15 ` [tip: perf/urgent] perf/x86: Check data address for IBS software filter tip-bot2 for Namhyung Kim
2025-03-17 10:10 ` Borislav Petkov
2025-03-17 15:57 ` Namhyung Kim
2025-03-17 10:15 ` Peter Zijlstra
2025-03-17 16:01 ` Namhyung Kim
2025-03-17 13:29 ` [PATCH] " Ravi Bangoria
2025-03-17 16:02 ` Namhyung Kim
2025-03-17 16:23 ` Namhyung Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250317081058.1794729-1-namhyung@kernel.org \
--to=namhyung@kernel.org \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=kan.liang@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=matteorizzo@google.com \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=ravi.bangoria@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox