From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Masami Hiramatsu <mhiramat@kernel.org>,
"Steven Rostedt (VMware)" <rostedt@goodmis.org>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.4 11/72] kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
Date: Fri, 6 Apr 2018 15:23:12 +0200 [thread overview]
Message-ID: <20180406084306.028363826@linuxfoundation.org> (raw)
In-Reply-To: <20180406084305.210085169@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu <mhiramat@kernel.org>
commit c93f5cf571e7795f97d49ef51b766cf25e328545 upstream.
Fix kprobes to set(recover) RWX bits correctly on trampoline
buffer before releasing it. Releasing readonly page to
module_memfree() crash the kernel.
Without this fix, if kprobes user register a bunch of kprobes
in function body (since kprobes on function entry usually
use ftrace) and unregister it, kernel hits a BUG and crash.
Link: http://lkml.kernel.org/r/149570868652.3518.14120169373590420503.stgit@devbox
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: d0381c81c2f7 ("kprobes/x86: Set kprobes pages read-only")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/kprobes/core.c | 9 +++++++++
kernel/kprobes.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -49,6 +49,7 @@
#include <linux/kdebug.h>
#include <linux/kallsyms.h>
#include <linux/ftrace.h>
+#include <linux/moduleloader.h>
#include <asm/cacheflush.h>
#include <asm/desc.h>
@@ -402,6 +403,14 @@ int __copy_instruction(u8 *dest, u8 *src
return length;
}
+/* Recover page to RW mode before releasing it */
+void free_insn_page(void *page)
+{
+ set_memory_nx((unsigned long)page & PAGE_MASK, 1);
+ set_memory_rw((unsigned long)page & PAGE_MASK, 1);
+ module_memfree(page);
+}
+
static int arch_copy_kprobe(struct kprobe *p)
{
int ret;
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
return module_alloc(PAGE_SIZE);
}
-static void free_insn_page(void *page)
+void __weak free_insn_page(void *page)
{
module_memfree(page);
}
next prev parent reply other threads:[~2018-04-06 13:31 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-06 13:23 [PATCH 4.4 00/72] 4.4.127-stable review Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 01/72] mtd: jedec_probe: Fix crash in jedec_read_mfr() Greg Kroah-Hartman
2018-05-14 15:16 ` Ben Hutchings
2018-04-06 13:23 ` [PATCH 4.4 02/72] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 03/72] ALSA: pcm: potential uninitialized return values Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 04/72] perf/hwbp: Simplify the perf-hwbp code, fix documentation Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 05/72] partitions/msdos: Unable to mount UFS 44bsd partitions Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 06/72] usb: gadget: define free_ep_req as universal function Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 07/72] usb: gadget: change len to size_t on alloc_ep_req() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 08/72] usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 09/72] usb: gadget: align buffer size when allocating for OUT endpoint Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 10/72] usb: gadget: f_hid: fix: Prevent accessing released memory Greg Kroah-Hartman
2018-04-06 13:23 ` Greg Kroah-Hartman [this message]
2018-04-06 13:23 ` [PATCH 4.4 12/72] ACPI, PCI, irq: remove redundant check for null string pointer Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 13/72] writeback: fix the wrong congested state variable definition Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 14/72] PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 15/72] dm ioctl: remove double parentheses Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 16/72] Input: mousedev - fix implicit conversion warning Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 17/72] netfilter: nf_nat_h323: fix logical-not-parentheses warning Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 18/72] genirq: Use cpumask_available() for check of cpumask variable Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 19/72] cpumask: Add helper cpumask_available() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 20/72] selinux: Remove unnecessary check of array base in selinux_set_mapping() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 21/72] fs: compat: Remove warning from COMPATIBLE_IOCTL Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 22/72] jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 23/72] frv: declare jiffies to be located in the .data section Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 24/72] audit: add tty field to LOGIN event Greg Kroah-Hartman
2018-05-14 16:18 ` Ben Hutchings
2018-05-17 8:56 ` Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 25/72] tty: provide tty_name() even without CONFIG_TTY Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 26/72] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 27/72] selinux: Remove redundant check for unknown labeling behavior Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 28/72] arm64: avoid overflow in VA_START and PAGE_OFFSET Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 29/72] xfrm_user: uncoditionally validate esn replay attribute struct Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 30/72] RDMA/ucma: Check AF family prior resolving address Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 31/72] RDMA/ucma: Fix use-after-free access in ucma_close Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 32/72] RDMA/ucma: Ensure that CM_ID exists prior to access it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 33/72] RDMA/ucma: Check that device is connected " Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 34/72] RDMA/ucma: Check that device exists prior to accessing it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 35/72] RDMA/ucma: Dont allow join attempts for unsupported AF family Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 36/72] RDMA/ucma: Introduce safer rdma_addr_size() variants Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 37/72] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 38/72] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 39/72] netfilter: bridge: ebt_among: add more missing match size checks Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 40/72] netfilter: x_tables: add and use xt_check_proc_name Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 41/72] Bluetooth: Fix missing encryption refresh on Security Request Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 42/72] llist: clang: introduce member_address_is_nonnull() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 43/72] scsi: virtio_scsi: always read VPD pages for multiqueue too Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 44/72] usb: dwc2: Improve gadget state disconnection handling Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 45/72] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 46/72] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 47/72] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 48/72] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 49/72] media: usbtv: prevent double free in error case Greg Kroah-Hartman
2018-05-14 17:41 ` Ben Hutchings
2018-05-15 9:53 ` Oliver Neukum
2018-04-06 13:23 ` [PATCH 4.4 50/72] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 51/72] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 52/72] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 53/72] fs/proc: Stop trying to report thread stacks Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 54/72] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 55/72] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 56/72] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 57/72] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.4 58/72] Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 59/72] ARM: dts: dra7: Add power hold and power controller properties to palmas Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 60/72] ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 61/72] md/raid10: reset the first at the end of loop Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 62/72] net: hns: Fix ethtool private flags Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 63/72] nospec: Move array_index_nospec() parameter checking into separate macro Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 64/72] nospec: Kill array_index_nospec_mask_check() Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 65/72] Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 66/72] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 67/72] Revert "ARM: dts: omap3-n900: " Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 68/72] Revert "cpufreq: Fix governor module removal race" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 69/72] Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 70/72] spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 71/72] net: cavium: liquidio: fix up "Avoid dma_unmap_single on uninitialized ndata" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.4 72/72] Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman
2018-04-06 16:25 ` [PATCH 4.4 00/72] 4.4.127-stable review Nathan Chancellor
2018-04-07 6:10 ` Greg Kroah-Hartman
2018-04-06 22:18 ` Shuah Khan
2018-04-07 6:46 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180406084306.028363826@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).