From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Francis Deslauriers, Thomas Gleixner, Andy Lutomirski, Borislav Petkov, Brian Gerst, Denys Vlasenko, "H. Peter Anvin", Josh Poimboeuf, Linus Torvalds, Peter Zijlstra, mathieu.desnoyers@efficios.com, mhiramat@kernel.org, Ingo Molnar
Subject: [PATCH 4.15 103/146] x86/kprobes: Fix kernel crash when probing .entry_trampoline code
Date: Tue, 13 Mar 2018 16:24:30 +0100
Message-Id: <20180313152328.429220906@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152320.439085687@linuxfoundation.org>
References: <20180313152320.439085687@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Francis Deslauriers

commit c07a8f8b08ba683ea24f3ac9159f37ae94daf47f upstream.

Disable the kprobe probing of the entry trampoline:

.entry_trampoline is a code area that is used to ensure page table isolation between userspace and kernelspace.

At the beginning of the execution of the trampoline, we load the kernel's CR3 register. This has the effect of enabling the translation of the kernel virtual addresses to physical addresses. Before this happens most kernel addresses can not be translated because the running process' CR3 is still used.

If a kprobe is placed on the trampoline code before that change of the CR3 register happens the kernel crashes because int3 handling pages are not accessible.

To fix this, add the .entry_trampoline section to the kprobe blacklist to prohibit the probing of code before all the kernel pages are accessible.
Signed-off-by: Francis Deslauriers Reviewed-by: Thomas Gleixner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: mathieu.desnoyers@efficios.com Cc: mhiramat@kernel.org Link: http://lkml.kernel.org/r/1520565492-4637-2-git-send-email-francis.deslauriers@efficios.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/sections.h | 1 + arch/x86/kernel/kprobes/core.c | 10 +++++++++- arch/x86/kernel/vmlinux.lds.S | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) --- a/arch/x86/include/asm/sections.h +++ b/arch/x86/include/asm/sections.h @@ -10,6 +10,7 @@ extern struct exception_table_entry __st #if defined(CONFIG_X86_64) extern char __end_rodata_hpage_align[]; +extern char __entry_trampoline_start[], __entry_trampoline_end[]; #endif #endif /* _ASM_X86_SECTIONS_H */ --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -1168,10 +1168,18 @@ NOKPROBE_SYMBOL(longjmp_break_handler); bool arch_within_kprobe_blacklist(unsigned long addr) { + bool is_in_entry_trampoline_section = false; + +#ifdef CONFIG_X86_64 + is_in_entry_trampoline_section = + (addr >= (unsigned long)__entry_trampoline_start && + addr < (unsigned long)__entry_trampoline_end); +#endif return (addr >= (unsigned long)__kprobes_text_start && addr < (unsigned long)__kprobes_text_end) || (addr >= (unsigned long)__entry_text_start && - addr < (unsigned long)__entry_text_end); + addr < (unsigned long)__entry_text_end) || + is_in_entry_trampoline_section; } int __init arch_init_kprobes(void) --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S 
@@ -118,9 +118,11 @@ SECTIONS #ifdef CONFIG_X86_64 . = ALIGN(PAGE_SIZE); + VMLINUX_SYMBOL(__entry_trampoline_start) = .; _entry_trampoline = .; *(.entry_trampoline) . = ALIGN(PAGE_SIZE); + VMLINUX_SYMBOL(__entry_trampoline_end) = .; ASSERT(. - _entry_trampoline == PAGE_SIZE, "entry trampoline is too big"); #endif
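Review bot: in the sections.h hunk, the new `__entry_trampoline_start[]` / `__entry_trampoline_end[]` externs sit inside the existing `#if defined(CONFIG_X86_64)` block, so every user has to guard the same way (the core.c hunk does, with `#ifdef CONFIG_X86_64`); a short comment naming vmlinux.lds.S as the place that defines the pair would save the next reader a grep for where these linker symbols come from.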
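Review bot: in the kprobes/core.c hunk, the new `is_in_entry_trampoline_section` local in `arch_within_kprobe_blacklist()` carries no comment on why the trampoline range must be refused, and the only rationale lives in the commit message; a one-liner at the `#ifdef CONFIG_X86_64` block, along the lines of `/* the first part of the trampoline runs before the kernel CR3 is loaded, so int3 cannot be handled there */`, would keep the reason next to the check. The `#ifdef` (rather than `IS_ENABLED(CONFIG_X86_64)`) is required, since the two symbols are only declared under `CONFIG_X86_64` in sections.h, and the `= false` initialiser keeps the 32-bit return expression unchanged.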
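Review bot: in the vmlinux.lds.S hunk, `VMLINUX_SYMBOL(__entry_trampoline_start) = .;` is placed at the same location as the existing `_entry_trampoline = .;`, so the two symbols alias one address; that is harmless, but a comment that `_entry_trampoline` stays for the existing `ASSERT` while the `__entry_trampoline_*` pair is the range exported through sections.h for the kprobe blacklist would make the duplication read as intentional. Placing `__entry_trampoline_end` after the trailing `. = ALIGN(PAGE_SIZE);` makes the blacklisted range the full page, which the following `ASSERT(. - _entry_trampoline == PAGE_SIZE, ...)` already guarantees, so any padding after the trampoline code is covered as well.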