From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jinghao Jia <jinghao7@illinois.edu>,
"Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Subject: [PATCH 5.15 45/59] x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect
Date: Sat, 13 Jan 2024 10:50:16 +0100 [thread overview]
Message-ID: <20240113094210.673448756@linuxfoundation.org> (raw)
In-Reply-To: <20240113094209.301672391@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinghao Jia <jinghao7@illinois.edu>
commit f5d03da48d062966c94f0199d20be0b3a37a7982 upstream.
kprobe_emulate_call_indirect currently uses int3_emulate_call to emulate
indirect calls. However, int3_emulate_call always assumes the size of
the call to be 5 bytes when calculating the return address. This is
incorrect for register-based indirect calls in x86, which can be either
2 or 3 bytes depending on whether REX prefix is used. At kprobe runtime,
the incorrect return address causes control flow to land onto the wrong
place after return -- possibly not a valid instruction boundary. This
can lead to a panic like the following:
[ 7.308204][ C1] BUG: unable to handle page fault for address: 000000000002b4d8
[ 7.308883][ C1] #PF: supervisor read access in kernel mode
[ 7.309168][ C1] #PF: error_code(0x0000) - not-present page
[ 7.309461][ C1] PGD 0 P4D 0
[ 7.309652][ C1] Oops: 0000 [#1] SMP
[ 7.309929][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.7.0-rc5-trace-for-next #6
[ 7.310397][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
[ 7.311068][ C1] RIP: 0010:__common_interrupt+0x52/0xc0
[ 7.311349][ C1] Code: 01 00 4d 85 f6 74 39 49 81 fe 00 f0 ff ff 77 30 4c 89 f7 4d 8b 5e 68 41 ba 91 76 d8 42 45 03 53 fc 74 02 0f 0b cc ff d3 65 48 <8b> 05 30 c7 ff 7e 65 4c 89 3d 28 c7 ff 7e 5b 41 5c 41 5e 41 5f c3
[ 7.312512][ C1] RSP: 0018:ffffc900000e0fd0 EFLAGS: 00010046
[ 7.312899][ C1] RAX: 0000000000000001 RBX: 0000000000000023 RCX: 0000000000000001
[ 7.313334][ C1] RDX: 00000000000003cd RSI: 0000000000000001 RDI: ffff888100d302a4
[ 7.313702][ C1] RBP: 0000000000000001 R08: 0ef439818636191f R09: b1621ff338a3b482
[ 7.314146][ C1] R10: ffffffff81e5127b R11: ffffffff81059810 R12: 0000000000000023
[ 7.314509][ C1] R13: 0000000000000000 R14: ffff888100d30200 R15: 0000000000000000
[ 7.314951][ C1] FS: 0000000000000000(0000) GS:ffff88813bc80000(0000) knlGS:0000000000000000
[ 7.315396][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.315691][ C1] CR2: 000000000002b4d8 CR3: 0000000003028003 CR4: 0000000000370ef0
[ 7.316153][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.316508][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.316948][ C1] Call Trace:
[ 7.317123][ C1] <IRQ>
[ 7.317279][ C1] ? __die_body+0x64/0xb0
[ 7.317482][ C1] ? page_fault_oops+0x248/0x370
[ 7.317712][ C1] ? __wake_up+0x96/0xb0
[ 7.317964][ C1] ? exc_page_fault+0x62/0x130
[ 7.318211][ C1] ? asm_exc_page_fault+0x22/0x30
[ 7.318444][ C1] ? __cfi_native_send_call_func_single_ipi+0x10/0x10
[ 7.318860][ C1] ? default_idle+0xb/0x10
[ 7.319063][ C1] ? __common_interrupt+0x52/0xc0
[ 7.319330][ C1] common_interrupt+0x78/0x90
[ 7.319546][ C1] </IRQ>
[ 7.319679][ C1] <TASK>
[ 7.319854][ C1] asm_common_interrupt+0x22/0x40
[ 7.320082][ C1] RIP: 0010:default_idle+0xb/0x10
[ 7.320309][ C1] Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 b8 0c 67 40 a5 66 90 0f 00 2d 09 b9 3b 00 fb f4 <fa> c3 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 b8 0c 67 40 a5 e9
[ 7.321449][ C1] RSP: 0018:ffffc9000009bee8 EFLAGS: 00000256
[ 7.321808][ C1] RAX: ffff88813bca8b68 RBX: 0000000000000001 RCX: 000000000001ef0c
[ 7.322227][ C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000001ef0c
[ 7.322656][ C1] RBP: ffffc9000009bef8 R08: 8000000000000000 R09: 00000000000008c2
[ 7.323083][ C1] R10: 0000000000000000 R11: ffffffff81058e70 R12: 0000000000000000
[ 7.323530][ C1] R13: ffff8881002b30c0 R14: 0000000000000000 R15: 0000000000000000
[ 7.323948][ C1] ? __cfi_lapic_next_deadline+0x10/0x10
[ 7.324239][ C1] default_idle_call+0x31/0x50
[ 7.324464][ C1] do_idle+0xd3/0x240
[ 7.324690][ C1] cpu_startup_entry+0x25/0x30
[ 7.324983][ C1] start_secondary+0xb4/0xc0
[ 7.325217][ C1] secondary_startup_64_no_verify+0x179/0x17b
[ 7.325498][ C1] </TASK>
[ 7.325641][ C1] Modules linked in:
[ 7.325906][ C1] CR2: 000000000002b4d8
[ 7.326104][ C1] ---[ end trace 0000000000000000 ]---
[ 7.326354][ C1] RIP: 0010:__common_interrupt+0x52/0xc0
[ 7.326614][ C1] Code: 01 00 4d 85 f6 74 39 49 81 fe 00 f0 ff ff 77 30 4c 89 f7 4d 8b 5e 68 41 ba 91 76 d8 42 45 03 53 fc 74 02 0f 0b cc ff d3 65 48 <8b> 05 30 c7 ff 7e 65 4c 89 3d 28 c7 ff 7e 5b 41 5c 41 5e 41 5f c3
[ 7.327570][ C1] RSP: 0018:ffffc900000e0fd0 EFLAGS: 00010046
[ 7.327910][ C1] RAX: 0000000000000001 RBX: 0000000000000023 RCX: 0000000000000001
[ 7.328273][ C1] RDX: 00000000000003cd RSI: 0000000000000001 RDI: ffff888100d302a4
[ 7.328632][ C1] RBP: 0000000000000001 R08: 0ef439818636191f R09: b1621ff338a3b482
[ 7.329223][ C1] R10: ffffffff81e5127b R11: ffffffff81059810 R12: 0000000000000023
[ 7.329780][ C1] R13: 0000000000000000 R14: ffff888100d30200 R15: 0000000000000000
[ 7.330193][ C1] FS: 0000000000000000(0000) GS:ffff88813bc80000(0000) knlGS:0000000000000000
[ 7.330632][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.331050][ C1] CR2: 000000000002b4d8 CR3: 0000000003028003 CR4: 0000000000370ef0
[ 7.331454][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.331854][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.332236][ C1] Kernel panic - not syncing: Fatal exception in interrupt
[ 7.332730][ C1] Kernel Offset: disabled
[ 7.333044][ C1] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
The relevant assembly code is (from objdump, faulting address
highlighted):
ffffffff8102ed9d: 41 ff d3 call *%r11
ffffffff8102eda0: 65 48 <8b> 05 30 c7 ff mov %gs:0x7effc730(%rip),%rax
The emulation incorrectly sets the return address to be ffffffff8102ed9d
+ 0x5 = ffffffff8102eda2, which is the 8b byte in the middle of the next
mov. This in turn causes incorrect subsequent instruction decoding and
eventually triggers the page fault above.
Instead of invoking int3_emulate_call, perform push and jmp emulation
directly in kprobe_emulate_call_indirect. At this point we can obtain
the instruction size from p->ainsn.size so that we can calculate the
correct return address.
Link: https://lore.kernel.org/all/20240102233345.385475-1-jinghao7@illinois.edu/
Fixes: 6256e668b7af ("x86/kprobes: Use int3 instead of debug trap for single-step")
Cc: stable@vger.kernel.org
Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/kprobes/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -563,7 +563,8 @@ static void kprobe_emulate_call_indirect
{
unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
- int3_emulate_call(regs, regs_get_register(regs, offs));
+ int3_emulate_push(regs, regs->ip - INT3_INSN_SIZE + p->ainsn.size);
+ int3_emulate_jmp(regs, regs_get_register(regs, offs));
}
NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);
next prev parent reply other threads:[~2024-01-13 10:01 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-13 9:49 [PATCH 5.15 00/59] 5.15.147-rc1 review Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 01/59] keys, dns: Fix missing size check of V1 server-list header Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 02/59] block: Dont invalidate pagecache for invalid falloc modes Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 03/59] ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 04/59] Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 05/59] wifi: iwlwifi: pcie: dont synchronize IRQs from IRQ Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 06/59] drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 07/59] nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 08/59] octeontx2-af: Fix marking couple of structure as __packed Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 09/59] drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 10/59] i40e: Fix filter input checks to prevent config with invalid values Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 11/59] igc: Report VLAN EtherType matching back to user Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 12/59] igc: Check VLAN TCI mask Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 13/59] igc: Check VLAN EtherType mask Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 14/59] ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 15/59] mlxbf_gige: fix receive packet race condition Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 16/59] net: sched: em_text: fix possible memory leak in em_text_destroy() Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 17/59] r8169: Fix PCI error on system resume Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 18/59] net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 19/59] can: raw: add support for SO_TXTIME/SCM_TXTIME Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 20/59] can: raw: add support for SO_MARK Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 21/59] net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 22/59] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 23/59] sfc: fix a double-free bug in efx_probe_filters Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 24/59] net: bcmgenet: Fix FCS generation for fragmented skbuffs Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 25/59] netfilter: nft_immediate: drop chain reference counter on error Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 26/59] net: Save and restore msg_namelen in sock_sendmsg Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 27/59] i40e: fix use-after-free in i40e_aqc_add_filters() Greg Kroah-Hartman
2024-01-13 9:49 ` [PATCH 5.15 28/59] ASoC: meson: g12a-toacodec: Validate written enum values Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 29/59] ASoC: meson: g12a-tohdmitx: " Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 30/59] ASoC: meson: g12a-toacodec: Fix event generation Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 31/59] ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 32/59] i40e: Restore VF MSI-X state during PCI reset Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 33/59] igc: Fix hicredit calculation Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 34/59] net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 35/59] octeontx2-af: Dont enable Pause frames by default Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 36/59] octeontx2-af: Set NIX link credits based on max LMAC Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 37/59] octeontx2-af: Always configure NIX TX link credits based on max frame size Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 38/59] octeontx2-af: Re-enable MAC TX in otx2_stop processing Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 39/59] asix: Add check for usbnet_get_endpoints Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 40/59] bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 41/59] net: Implement missing SO_TIMESTAMPING_NEW cmsg support Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 42/59] selftests: secretmem: floor the memory size to the multiple of page_size Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 43/59] mm/memory-failure: check the mapcount of the precise page Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 44/59] firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards Greg Kroah-Hartman
2024-01-13 9:50 ` Greg Kroah-Hartman [this message]
2024-01-13 9:50 ` [PATCH 5.15 46/59] i2c: core: Fix atomic xfer check for non-preempt config Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 47/59] mm: fix unmap_mapping_range high bits shift bug Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 48/59] mmc: meson-mx-sdhc: Fix initialization frozen issue Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 49/59] mmc: rpmb: fixes pause retune on all RPMB partitions Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 50/59] mmc: core: Cancel delayed work before releasing host Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 51/59] mmc: sdhci-sprd: Fix eMMC init failure after hw reset Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 52/59] net: tls, update curr on splice as well Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 53/59] ipv6: remove max_size check inline with ipv4 Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 54/59] perf inject: Fix GEN_ELF_TEXT_OFFSET for jit Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 55/59] netfilter: nf_tables: Reject tables of unsupported family Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 56/59] kallsyms: Make module_kallsyms_on_each_symbol generally available Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 57/59] tracing/kprobes: Fix symbol counting logic by looking at modules as well Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 58/59] net: usb: ax88179_178a: remove redundant init code Greg Kroah-Hartman
2024-01-13 9:50 ` [PATCH 5.15 59/59] net: usb: ax88179_178a: move priv to driver_priv Greg Kroah-Hartman
2024-01-13 18:42 ` [PATCH 5.15 00/59] 5.15.147-rc1 review SeongJae Park
2024-01-14 9:41 ` Ron Economos
2024-01-15 10:01 ` Naresh Kamboju
2024-01-15 10:23 ` Jon Hunter
2024-01-15 11:35 ` Shreeya Patel
2024-01-15 16:26 ` Harshit Mogalapalli
2024-01-15 19:09 ` Florian Fainelli
2024-01-15 19:47 ` Allen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240113094210.673448756@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jinghao7@illinois.edu \
--cc=mhiramat@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox