Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp356505imj; Sat, 16 Feb 2019 01:49:49 -0800 (PST) X-Google-Smtp-Source: AHgI3IZv3E2Yy2g/nBvoIAgOJlu/J3P2yISz/MYtVL7kUEnTy5FZuYWIMo9SVvHKRfZiiFATdHrr X-Received: by 2002:aa7:80c8:: with SMTP id a8mr14016733pfn.27.1550310589906; Sat, 16 Feb 2019 01:49:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550310589; cv=none; d=google.com; s=arc-20160816; b=of23SLLbGBYVoPNZeQ9z/jqMMKHzZ9C/kG7DUPEJnS7Wkm8C03Be//NmDVgeWTQg1+ jfzdeyp8Nx7YTPBPPVWufirZ7UPaOFuDOQ+c9gjX+5V1BBNOTU8P2RWz+t1HEpxVa/aI 7WSYA6kGL4psBqXVyNmJ9W0nkHNgRA0SvBlsOu8YtApnh3pJqBJQqzNZ5/nKg69EyYiU F04dKf/TPk5jldjdDzuqKZxUUNzC4RvfPUawOCD41QjGxYE/m9gO65YLnevVKVk6j6bR ErXXuJ0W2rOgkVwxD1xNkI3r1VIJxDSnwKomycZkbOKR71JWVe4/EJYh0EiL/6/bPQju 9i8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=1hOy1RJTexlCFGGHnKmeiOO7PwoJWq6JpBi6ESR8zog=; b=qgJkvdg9rdSpS6R+o1A9hi/7ktnrR71ppjBZaw9lXTwPy7z8gRdddhs/hKjkz6xQGx DlnSADSFcdq92nVr5vkItZOwi2/pqBefY+pj9MHIeHkIpkCz31kd9PwBjQijkiH0kbIt j9HXirSZsfGPZGTGdvt8h5Hr8Ws5dkLQ3q+MYuzkNCZPw1nH0ZlcXm/K1/O9Z4cAmOsE FRPLx0ESHwYjerCMYaM5Vwjx4Dt7jsbshOQG76LmmY5vjHRktUD6hq8sr8vHLR2BcNrD WfgNwekCzy1oi2tZkMpLz8etSbX/3zZzLgQmHb6jDjhe40C+9/4lixkvmG2UlgmJir19 oVMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i17si7552061pgk.233.2019.02.16.01.49.34; Sat, 16 Feb 2019 01:49:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390887AbfBPATx convert rfc822-to-8bit (ORCPT + 99 others); Fri, 15 Feb 2019 19:19:53 -0500 Received: from mail.kernel.org ([198.145.29.99]:58836 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390732AbfBPATw (ORCPT ); Fri, 15 Feb 2019 19:19:52 -0500 Received: from gandalf.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0EEEB222D9; Sat, 16 Feb 2019 00:19:50 +0000 (UTC) Date: Fri, 15 Feb 2019 19:19:49 -0500 From: Steven Rostedt To: Andy Lutomirski Cc: Linus Torvalds , Linux List Kernel Mailing , Ingo Molnar , Andrew Morton , stable , Changbin Du , Jann Horn , Kees Cook , Andy Lutomirski Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault Message-ID: <20190215191949.04604191@gandalf.local.home> In-Reply-To: <300C4516-A093-43AE-8707-1C42486807A4@amacapital.net> References: <20190215174712.372898450@goodmis.org> <20190215174945.557218316@goodmis.org> <20190215171539.4682f0b4@gandalf.local.home> <300C4516-A093-43AE-8707-1C42486807A4@amacapital.net> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 15 Feb 2019 15:49:35 -0800 Andy Lutomirski wrote: > I’m missing most of the context here, but even probe_kernel_...() is > unwise for a totally untrustworthy address. It could be MMIO, for > example. True, but kprobes are used like modules, and only allowed by root. They are used to poke literally anywhere one wants. That's the entire purpose of kprobes. > > If needed, we could come up with a safe-ish helper for tracing. For > direct-map addresses, probe_kernel_...() is probably okay. Same for > the current stack. Otherwise we could walk the page tables and check > that the address is cacheable, I suppose, although this is slightly > dubious if we don’t also check MTRRs. We could also check that the PA > is in main memory, I suppose, although this may have unfortunate > interactions with the MCE code. I added you just because I wanted help getting the change log correct, as that's what Linus was complaining about. I kept using "kernel address" when the sample bug used for the patch was really a non-canonical address (as Linus said, it's just garbage. Neither kernel or user space). But I pointed out that this can also bug if the address is canonical and in the kernel address space. The old code didn't complain about non-canonical or kernel address faulting before commit 9da3f2b7405, which only talks about kernel address space faulting (which is why I only mentioned that in my messages). Would changing all the mention of "kernel address" to "non user space" be accurate? For reference: http://lkml.kernel.org/r/20190215174945.557218316@goodmis.org http://lkml.kernel.org/r/20190215142015.860423791@goodmis.org -- Steve