From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Francis Deslauriers, Thomas Gleixner, Andy Lutomirski, Borislav Petkov, Brian Gerst, Denys Vlasenko, "H. Peter Anvin", Josh Poimboeuf, Linus Torvalds, Peter Zijlstra, mathieu.desnoyers@efficios.com, mhiramat@kernel.org, Ingo Molnar
Subject: [PATCH 4.14 140/140] x86/kprobes: Fix kernel crash when probing .entry_trampoline code
Date: Tue, 13 Mar 2018 16:25:43 +0100
Message-Id: <20180313152507.583580756@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152458.201155692@linuxfoundation.org>
References: <20180313152458.201155692@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Francis Deslauriers

commit c07a8f8b08ba683ea24f3ac9159f37ae94daf47f upstream.

Disable the kprobe probing of the entry trampoline:

.entry_trampoline is a code area that is used to ensure page table isolation between userspace and kernelspace.

At the beginning of the execution of the trampoline, we load the kernel's CR3 register. This has the effect of enabling the translation of the kernel virtual addresses to physical addresses. Before this happens most kernel addresses can not be translated because the running process' CR3 is still used.

If a kprobe is placed on the trampoline code before that change of the CR3 register happens the kernel crashes because int3 handling pages are not accessible.

To fix this, add the .entry_trampoline section to the kprobe blacklist to prohibit the probing of code before all the kernel pages are accessible.
Signed-off-by: Francis Deslauriers Reviewed-by: Thomas Gleixner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: mathieu.desnoyers@efficios.com Cc: mhiramat@kernel.org Link: http://lkml.kernel.org/r/1520565492-4637-2-git-send-email-francis.deslauriers@efficios.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/sections.h | 1 + arch/x86/kernel/kprobes/core.c | 10 +++++++++- arch/x86/kernel/vmlinux.lds.S | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) --- a/arch/x86/include/asm/sections.h +++ b/arch/x86/include/asm/sections.h @@ -10,6 +10,7 @@ extern struct exception_table_entry __st #if defined(CONFIG_X86_64) extern char __end_rodata_hpage_align[]; +extern char __entry_trampoline_start[], __entry_trampoline_end[]; #endif #endif /* _ASM_X86_SECTIONS_H */ --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -1149,10 +1149,18 @@ NOKPROBE_SYMBOL(longjmp_break_handler); bool arch_within_kprobe_blacklist(unsigned long addr) { + bool is_in_entry_trampoline_section = false; + +#ifdef CONFIG_X86_64 + is_in_entry_trampoline_section = + (addr >= (unsigned long)__entry_trampoline_start && + addr < (unsigned long)__entry_trampoline_end); +#endif return (addr >= (unsigned long)__kprobes_text_start && addr < (unsigned long)__kprobes_text_end) || (addr >= (unsigned long)__entry_text_start && - addr < (unsigned long)__entry_text_end); + addr < (unsigned long)__entry_text_end) || + is_in_entry_trampoline_section; } int __init arch_init_kprobes(void) --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S 
@@ -118,9 +118,11 @@ SECTIONS #ifdef CONFIG_X86_64 . = ALIGN(PAGE_SIZE); + VMLINUX_SYMBOL(__entry_trampoline_start) = .; _entry_trampoline = .; *(.entry_trampoline) . = ALIGN(PAGE_SIZE); + VMLINUX_SYMBOL(__entry_trampoline_end) = .; ASSERT(. - _entry_trampoline == PAGE_SIZE, "entry trampoline is too big"); #endif
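Review bot: the new `__entry_trampoline_start` / `__entry_trampoline_end` declarations in arch/x86/include/asm/sections.h carry no comment saying what they bound; a one-line comment that they delimit the `.entry_trampoline` section laid out in arch/x86/kernel/vmlinux.lds.S (and so must stay in sync with that file) would help the next reader, since the linker script is the only place the pair is defined. Keeping the declarations inside the existing `#if defined(CONFIG_X86_64)` block is right: the symbols exist only on 64-bit builds, and the sole user in kprobes/core.c is guarded the same way, so a 32-bit build neither declares nor references them.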
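Review bot: in arch_within_kprobe_blacklist() the `#ifdef CONFIG_X86_64` block assigning a local `is_in_entry_trampoline_section` that defaults to `false` works, but it is heavier than the surrounding code's style; a small `static inline bool` helper (defined under the same ifdef, with a `return false` stub for 32-bit) would keep the return statement as one `||` chain over three address ranges, matching how `__kprobes_text_start/_end` and `__entry_text_start/_end` are already tested, and would avoid the preprocessor conditional inside the function body. The added range itself is correct and necessary: the trampoline lives in its own page-aligned section in vmlinux.lds.S, outside `__entry_text_start..__entry_text_end`, so the existing entry-text check never covered it, and the half-open `>= start && < end` form matches the two checks beside it. Since a probe placed before the CR3 switch crashes the kernel rather than returning an error (as the changelog explains), rejecting the address at blacklist-check time is the only safe point to stop it.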
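Review bot: `VMLINUX_SYMBOL(__entry_trampoline_start) = .;` is set at exactly the same location as the existing `_entry_trampoline = .;` (both immediately after `. = ALIGN(PAGE_SIZE);`), so the two symbols are aliases; either reuse `_entry_trampoline` as the start bound or add a short comment that the new pair exists to give C code a start/end range with matching names, otherwise a reader will wonder why the section start is named twice. Placing `__entry_trampoline_end` after the second `. = ALIGN(PAGE_SIZE);` rather than directly after `*(.entry_trampoline)` means the blacklisted range is the whole page, alignment padding included; that is consistent with the `ASSERT(. - _entry_trampoline == PAGE_SIZE, ...)` that follows and is the safer choice for a blacklist, since nothing executable in the section can fall outside the bounds.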