This commit:
commit 6f6343f53d133bae516caf3d254bce37d8774625
Author: Masami Hiramatsu <[email protected]>
Date: Thu Apr 17 17:17:33 2014 +0900
kprobes/x86: Call exception handlers directly from do_int3/do_debug
appears to have inadvertently dropped a check that the int3 came
from kernel mode. Trying to dereference addr when addr is
user-controlled is completely bogus.
Signed-off-by: Andy Lutomirski <[email protected]>
---
Changes from v1: Fixed the changelog message
arch/x86/kernel/kprobes/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 7596df6..67e6d19 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -574,6 +574,9 @@ int kprobe_int3_handler(struct pt_regs *regs)
struct kprobe *p;
struct kprobe_ctlblk *kcb;
+ if (user_mode_vm(regs))
+ return 0;
+
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
/*
* We don't want to be preempted for the entire
--
1.9.3
(2014/07/12 2:27), Andy Lutomirski wrote:
> This commit:
>
> commit 6f6343f53d133bae516caf3d254bce37d8774625
> Author: Masami Hiramatsu <[email protected]>
> Date: Thu Apr 17 17:17:33 2014 +0900
>
> kprobes/x86: Call exception handlers directly from do_int3/do_debug
>
> appears to have inadvertently dropped a check that the int3 came
> from kernel mode. Trying to dereference addr when addr is
> user-controlled is completely bogus.
Oops, right!
Acked-by: Masami Hiramatsu <[email protected]>
Thank you very much!
>
> Signed-off-by: Andy Lutomirski <[email protected]>
> ---
>
> Changes from v1: Fixed the changelog message
>
> arch/x86/kernel/kprobes/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
> index 7596df6..67e6d19 100644
> --- a/arch/x86/kernel/kprobes/core.c
> +++ b/arch/x86/kernel/kprobes/core.c
> @@ -574,6 +574,9 @@ int kprobe_int3_handler(struct pt_regs *regs)
> struct kprobe *p;
> struct kprobe_ctlblk *kcb;
>
> + if (user_mode_vm(regs))
> + return 0;
> +
> addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
> /*
> * We don't want to be preempted for the entire
>
--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: [email protected]
Commit-ID: 0cdd192cf40fb6dbf03ec3af1c670068de3fd26c
Gitweb: http://git.kernel.org/tip/0cdd192cf40fb6dbf03ec3af1c670068de3fd26c
Author: Andy Lutomirski <[email protected]>
AuthorDate: Fri, 11 Jul 2014 10:27:01 -0700
Committer: Ingo Molnar <[email protected]>
CommitDate: Wed, 16 Jul 2014 14:16:32 +0200
kprobes/x86: Don't try to resolve kprobe faults from userspace
This commit:
commit 6f6343f53d133bae516caf3d254bce37d8774625
Author: Masami Hiramatsu <[email protected]>
Date: Thu Apr 17 17:17:33 2014 +0900
kprobes/x86: Call exception handlers directly from do_int3/do_debug
appears to have inadvertently dropped a check that the int3 came
from kernel mode. Trying to dereference addr when addr is
user-controlled is completely bogus.
Signed-off-by: Andy Lutomirski <[email protected]>
Acked-by: Masami Hiramatsu <[email protected]>
Link: http://lkml.kernel.org/r/c4e339882c121aa76254f2adde3fcbdf502faec2.1405099506.git.luto@amacapital.net
Signed-off-by: Ingo Molnar <[email protected]>
---
arch/x86/kernel/kprobes/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 7596df6..67e6d19 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -574,6 +574,9 @@ int kprobe_int3_handler(struct pt_regs *regs)
struct kprobe *p;
struct kprobe_ctlblk *kcb;
+ if (user_mode_vm(regs))
+ return 0;
+
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
/*
* We don't want to be preempted for the entire