Received: by 10.213.65.68 with SMTP id h4csp428274imn;
        Tue, 13 Mar 2018 08:45:25 -0700 (PDT)
X-Google-Smtp-Source: AG47ELuQMSroCQedV5YoFECt7M7TBx+UkJJvecV2gmMN9jf/2po3K9ZQe48iBL1IVJwH0gDdRKvw
X-Received: by 2002:a17:902:1a4:: with SMTP id b33-v6mr970908plb.321.1520955925526;
        Tue, 13 Mar 2018 08:45:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520955925; cv=none;
        d=google.com; s=arc-20160816;
        b=MHEkeiEN9N2sePQZKj2n7EUuJT1dsUT/2jPb32nvc3wah2Sdih75V5mq+TRjPaF5gZ
         79gN/E1ACYuHZEuLlcHhEoXePb8y3jR5vgVXMUP3iywdFxPwBkr1ViRGn3JAuVA0LZiM
         qfIudWkoqElOqm74S9rngkl6cWeOjaNm6yHpw57CkMtWcOG6NNTCrhozhFyZS6RIyUm8
         1Rh5GjokNV0OopMr78CCK15Yeu3ZGBgr6lyyTTfv3BRrdr5Xc6ckoprnY4e0yWAvpHwT
         6c1a1i6ECwTPi14AG02nT3VzHzXIE13u3LlCj35ZrPKXYAYXbdbi3MyjcAHlEZh7gIeW
         eRaQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=/9TXWOjWI8E0raK5XKs9G1mD3ZKqk20WuJHYjNqmv+c=;
        b=mKMuTM5NxreddHB2DXZa4e7ffghKjfaV/0+jMT3/fmzzp6KYX8vJu4C9dUhC9Vtwlr
         4UtInH9KTCikUIg5VLQrJIzd0VqUko617dBT59WgsKiwCTNhEHyIUTridksfBWXZd2Aa
         ukXxjAjQ8Cp46nUXIGyQPbfHWh0MtWPhmI+/COTd2oePthX1eXaYxb7Uy9xbq2Xihg75
         +zw4kRIHokoxUEa79SCDC0HdyAC4QA/NBSCE1WIctNdtRUN5+DY1p24qABNSwaa7/I8Q
         PsAH1gt7r3gZo+tq5Rd/tbHJwD2Vjmu+8+xl5Dp3ZFrwAMBysIloz/nzq+P166bGE5sv
         yT2g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c7si285753pfi.323.2018.03.13.08.45.11;
        Tue, 13 Mar 2018 08:45:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935024AbeCMPm3 (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Tue, 13 Mar 2018 11:42:29 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:37084 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S964864AbeCMPlo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 11:41:44 -0400
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8B73D122D;
        Tue, 13 Mar 2018 15:41:41 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Francis Deslauriers <francis.deslauriers@efficios.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Denys Vlasenko <dvlasenk@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        mathieu.desnoyers@efficios.com, mhiramat@kernel.org,
        Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.14 140/140] x86/kprobes: Fix kernel crash when probing .entry_trampoline code
Date:   Tue, 13 Mar 2018 16:25:43 +0100
Message-Id: <20180313152507.583580756@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152458.201155692@linuxfoundation.org>
References: <20180313152458.201155692@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Francis Deslauriers <francis.deslauriers@efficios.com>

commit c07a8f8b08ba683ea24f3ac9159f37ae94daf47f upstream.

Disable the kprobe probing of the entry trampoline:

.entry_trampoline is a code area that is used to ensure page table
isolation between userspace and kernelspace.

At the beginning of the execution of the trampoline, we load the
kernel's CR3 register. This has the effect of enabling the translation
of the kernel virtual addresses to physical addresses. Before this
happens most kernel addresses can not be translated because the running
process' CR3 is still used.

If a kprobe is placed on the trampoline code before that change of the
CR3 register happens the kernel crashes because int3 handling pages are
not accessible.

To fix this, add the .entry_trampoline section to the kprobe blacklist
to prohibit the probing of code before all the kernel pages are
accessible.

Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: mathieu.desnoyers@efficios.com
Cc: mhiramat@kernel.org
Link: http://lkml.kernel.org/r/1520565492-4637-2-git-send-email-francis.deslauriers@efficios.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/sections.h |    1 +
 arch/x86/kernel/kprobes/core.c  |   10 +++++++++-
 arch/x86/kernel/vmlinux.lds.S   |    2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/sections.h
+++ b/arch/x86/include/asm/sections.h
@@ -10,6 +10,7 @@ extern struct exception_table_entry __st
 
 #if defined(CONFIG_X86_64)
 extern char __end_rodata_hpage_align[];
+extern char __entry_trampoline_start[], __entry_trampoline_end[];
 #endif
 
 #endif	/* _ASM_X86_SECTIONS_H */
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -1149,10 +1149,18 @@ NOKPROBE_SYMBOL(longjmp_break_handler);
 
 bool arch_within_kprobe_blacklist(unsigned long addr)
 {
+	bool is_in_entry_trampoline_section = false;
+
+#ifdef CONFIG_X86_64
+	is_in_entry_trampoline_section =
+		(addr >= (unsigned long)__entry_trampoline_start &&
+		 addr < (unsigned long)__entry_trampoline_end);
+#endif
 	return  (addr >= (unsigned long)__kprobes_text_start &&
 		 addr < (unsigned long)__kprobes_text_end) ||
 		(addr >= (unsigned long)__entry_text_start &&
-		 addr < (unsigned long)__entry_text_end);
+		 addr < (unsigned long)__entry_text_end) ||
+		is_in_entry_trampoline_section;
 }
 
 int __init arch_init_kprobes(void)
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -118,9 +118,11 @@ SECTIONS
 
 #ifdef CONFIG_X86_64
 		. = ALIGN(PAGE_SIZE);
+		VMLINUX_SYMBOL(__entry_trampoline_start) = .;
 		_entry_trampoline = .;
 		*(.entry_trampoline)
 		. = ALIGN(PAGE_SIZE);
+		VMLINUX_SYMBOL(__entry_trampoline_end) = .;
 		ASSERT(. - _entry_trampoline == PAGE_SIZE, "entry trampoline is too big");
 #endif