[PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration
       [not found] <20160915151352.21306-1-alexander.shishkin@linux.intel.com>
@ 2016-09-15 15:13 ` Alexander Shishkin
  2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
  2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
  2 siblings, 0 replies; 3+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ingo Molnar, linux-kernel, vince, eranian,
	Arnaldo Carvalho de Melo, Alexander Shishkin, stable

PT address filter configuration requires that a range is specified by
its first and last address, but at the moment we're obtaining the end
of the range by adding user specified size to its start, which is off
by one from what it actually needs to be.

Fix this and make sure that zero-sized filters don't pass the filter
validation.

Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
 arch/x86/events/intel/pt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 04bb5fb5a8..5ec0100e3f 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
 
 	list_for_each_entry(filter, filters, entry) {
 		/* PT doesn't support single address triggers */
-		if (!filter->range)
+		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
 		if (!filter->inode && !kernel_ip(filter->offset))
@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(struct perf_event *event)
 		} else {
 			/* apply the offset */
 			msr_a = filter->offset + offs[range];
-			msr_b = filter->size + msr_a;
+			msr_b = filter->size + msr_a - 1;
 		}
 
 		filters->filter[range].msr_a  = msr_a;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation
       [not found] <20160915151352.21306-1-alexander.shishkin@linux.intel.com>
  2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
@ 2016-09-15 15:13 ` Alexander Shishkin
  2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
  2 siblings, 0 replies; 3+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ingo Molnar, linux-kernel, vince, eranian,
	Arnaldo Carvalho de Melo, Alexander Shishkin, stable

The kernel_ip() filter is used mostly by the DS/LBR code to look at the
branch addresses, but Intel PT also uses it to validate the address
filter offsets for kernel addresses, for which it is not sufficient:
supplying something in bits 64:48 that's not a sign extension of the lower
address bits (like 0xf00d000000000000) throws a #GP.

This patch adds address validation for the user supplied kernel filters.

Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
 arch/x86/events/intel/pt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 5ec0100e3f..1f94963a28 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct perf_event *event)
 	event->hw.addr_filters = NULL;
 }
 
+static inline bool valid_kernel_ip(unsigned long ip)
+{
+	return virt_addr_valid(ip) && kernel_ip(ip);
+}
+
 static int pt_event_addr_filters_validate(struct list_head *filters)
 {
 	struct perf_addr_filter *filter;
@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
 		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
-		if (!filter->inode && !kernel_ip(filter->offset))
+		if (!filter->inode && !valid_kernel_ip(filter->offset))
 			return -EINVAL;
 
 		if (++range > pt_cap_get(PT_CAP_num_address_ranges))
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter
       [not found] <20160915151352.21306-1-alexander.shishkin@linux.intel.com>
  2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
  2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
@ 2016-09-15 15:13 ` Alexander Shishkin
  2 siblings, 0 replies; 3+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ingo Molnar, linux-kernel, vince, eranian,
	Arnaldo Carvalho de Melo, Alexander Shishkin, stable

Right now, the kernel address filters in PT are prone to integer overflow
that may happen in adding filter's size to its offset to obtain the end
of the range. Such an overflow would also throw a #GP in the PT event
configuration path.

Fix this by explicitly validating the result of this calculation.

Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
 arch/x86/events/intel/pt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 1f94963a28..861a7d9cb6 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
 		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
-		if (!filter->inode && !valid_kernel_ip(filter->offset))
-			return -EINVAL;
+		if (!filter->inode) {
+			if (!valid_kernel_ip(filter->offset))
+				return -EINVAL;
+
+			if (!valid_kernel_ip(filter->offset + filter->size))
+				return -EINVAL;
+		}
 
 		if (++range > pt_cap_get(PT_CAP_num_address_ranges))
 			return -EOPNOTSUPP;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-09-15 15:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20160915151352.21306-1-alexander.shishkin@linux.intel.com>
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).