The arm compiler internally interprets an inline assembly label
as an unsigned long value, not a pointer. As a result, under
CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
of a label is 4 bytes, which was tripping the runtime checks. Instead,
we can just cast the label (as done with the size calculations earlier)
to avoid the problem.
Reported-by: William Cohen <[email protected]>
Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
arch/arm/probes/kprobes/opt-arm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
index b2aa9b32bff2..2c118a6ab358 100644
--- a/arch/arm/probes/kprobes/opt-arm.c
+++ b/arch/arm/probes/kprobes/opt-arm.c
@@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
}
/* Copy arch-dep-instance from template. */
- memcpy(code, &optprobe_template_entry,
+ memcpy(code, (unsigned char *)optprobe_template_entry,
TMPL_END_IDX * sizeof(kprobe_opcode_t));
/* Adjust buffer according to instruction. */
--
2.17.1
--
Kees Cook
Pixel Security
On 10/22/2018 02:30 AM, Kees Cook wrote:
> The arm compiler internally interprets an inline assembly label
> as an unsigned long value, not a pointer. As a result, under
> CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
> of a label is 4 bytes, which was tripping the runtime checks. Instead,
> we can just cast the label (as done with the size calculations earlier)
> to avoid the problem.
>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1639397
Acked-by: Laura Abbott <[email protected]>
> Reported-by: William Cohen <[email protected]>
> Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
> ---
> arch/arm/probes/kprobes/opt-arm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
> index b2aa9b32bff2..2c118a6ab358 100644
> --- a/arch/arm/probes/kprobes/opt-arm.c
> +++ b/arch/arm/probes/kprobes/opt-arm.c
> @@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
> }
>
> /* Copy arch-dep-instance from template. */
> - memcpy(code, &optprobe_template_entry,
> + memcpy(code, (unsigned char *)optprobe_template_entry,
> TMPL_END_IDX * sizeof(kprobe_opcode_t));
>
> /* Adjust buffer according to instruction. */
>
On Mon, 22 Oct 2018 02:30:23 -0700
Kees Cook <[email protected]> wrote:
> The arm compiler internally interprets an inline assembly label
> as an unsigned long value, not a pointer. As a result, under
> CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
> of a label is 4 bytes, which was tripping the runtime checks. Instead,
> we can just cast the label (as done with the size calculations earlier)
> to avoid the problem.
>
> Reported-by: William Cohen <[email protected]>
> Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
Good catch! This looks good to me.
Acked-by: Masami Hiramatsu <[email protected]>
Thank you,
> ---
> arch/arm/probes/kprobes/opt-arm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
> index b2aa9b32bff2..2c118a6ab358 100644
> --- a/arch/arm/probes/kprobes/opt-arm.c
> +++ b/arch/arm/probes/kprobes/opt-arm.c
> @@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
> }
>
> /* Copy arch-dep-instance from template. */
> - memcpy(code, &optprobe_template_entry,
> + memcpy(code, (unsigned char *)optprobe_template_entry,
> TMPL_END_IDX * sizeof(kprobe_opcode_t));
>
> /* Adjust buffer according to instruction. */
> --
> 2.17.1
>
>
> --
> Kees Cook
> Pixel Security
--
Masami Hiramatsu <[email protected]>
On 10/22/18 5:30 AM, Kees Cook wrote:
> The arm compiler internally interprets an inline assembly label
> as an unsigned long value, not a pointer. As a result, under
> CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
> of a label is 4 bytes, which was tripping the runtime checks. Instead,
> we can just cast the label (as done with the size calculations earlier)
> to avoid the problem.
>
> Reported-by: William Cohen <[email protected]>
> Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
> ---
> arch/arm/probes/kprobes/opt-arm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
> index b2aa9b32bff2..2c118a6ab358 100644
> --- a/arch/arm/probes/kprobes/opt-arm.c
> +++ b/arch/arm/probes/kprobes/opt-arm.c
> @@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
> }
>
> /* Copy arch-dep-instance from template. */
> - memcpy(code, &optprobe_template_entry,
> + memcpy(code, (unsigned char *)optprobe_template_entry,
> TMPL_END_IDX * sizeof(kprobe_opcode_t));
>
> /* Adjust buffer according to instruction. */
>
The patch fixes the issue for kretprobes. It looks good to me.
Thanks,
-Will
On Tue, 30 Oct 2018 13:40:27 -0400
William Cohen <[email protected]> wrote:
> On 10/22/18 5:30 AM, Kees Cook wrote:
> > The arm compiler internally interprets an inline assembly label
> > as an unsigned long value, not a pointer. As a result, under
> > CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
> > of a label is 4 bytes, which was tripping the runtime checks. Instead,
> > we can just cast the label (as done with the size calculations earlier)
> > to avoid the problem.
> >
> > Reported-by: William Cohen <[email protected]>
> > Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
> > Cc: [email protected]
> > Signed-off-by: Kees Cook <[email protected]>
> > ---
> > arch/arm/probes/kprobes/opt-arm.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
> > index b2aa9b32bff2..2c118a6ab358 100644
> > --- a/arch/arm/probes/kprobes/opt-arm.c
> > +++ b/arch/arm/probes/kprobes/opt-arm.c
> > @@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
> > }
> >
> > /* Copy arch-dep-instance from template. */
> > - memcpy(code, &optprobe_template_entry,
> > + memcpy(code, (unsigned char *)optprobe_template_entry,
> > TMPL_END_IDX * sizeof(kprobe_opcode_t));
> >
> > /* Adjust buffer according to instruction. */
> >
>
> The patch fixes the issue for kretprobes. It looks good to me.
This looks good to me too. Thank you for finding and fixing it :)
Acked-by: Masami Hiramatsu <[email protected]>
Thanks!
>
> Thanks,
>
> -Will
--
Masami Hiramatsu <[email protected]>
On Thu, Nov 1, 2018 at 7:41 AM, Masami Hiramatsu <[email protected]> wrote:
> On Tue, 30 Oct 2018 13:40:27 -0400
> William Cohen <[email protected]> wrote:
>
>> On 10/22/18 5:30 AM, Kees Cook wrote:
>> > The arm compiler internally interprets an inline assembly label
>> > as an unsigned long value, not a pointer. As a result, under
>> > CONFIG_FORTIFY_SOURCE, the size of the array pointed to by an address
>> > of a label is 4 bytes, which was tripping the runtime checks. Instead,
>> > we can just cast the label (as done with the size calculations earlier)
>> > to avoid the problem.
>> >
>> > Reported-by: William Cohen <[email protected]>
>> > Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions")
>> > Cc: [email protected]
>> > Signed-off-by: Kees Cook <[email protected]>
>> > ---
>> > arch/arm/probes/kprobes/opt-arm.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
>> > index b2aa9b32bff2..2c118a6ab358 100644
>> > --- a/arch/arm/probes/kprobes/opt-arm.c
>> > +++ b/arch/arm/probes/kprobes/opt-arm.c
>> > @@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *or
>> > }
>> >
>> > /* Copy arch-dep-instance from template. */
>> > - memcpy(code, &optprobe_template_entry,
>> > + memcpy(code, (unsigned char *)optprobe_template_entry,
>> > TMPL_END_IDX * sizeof(kprobe_opcode_t));
>> >
>> > /* Adjust buffer according to instruction. */
>> >
>>
>> The patch fixes the issue for kretprobes. It looks good to me.
>
> This looks good to me too. Thank you for finding and fixing it :)
>
> Acked-by: Masami Hiramatsu <[email protected]>
>
> Thanks!
Thanks for acks and testing. I've tossed this at the arm patch tracker:
http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=8806/1
--
Kees Cook