Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault
From: Andy Lutomirski
Date: Fri, 15 Feb 2019 17:32:55 -0800
To: Steven Rostedt
Cc: Linus Torvalds, Linux List Kernel Mailing, Ingo Molnar, Andrew Morton, stable, Changbin Du, Jann Horn, Kees Cook, Andy Lutomirski
In-Reply-To: <20190215191949.04604191@gandalf.local.home>
References: <20190215174712.372898450@goodmis.org> <20190215174945.557218316@goodmis.org> <20190215171539.4682f0b4@gandalf.local.home> <300C4516-A093-43AE-8707-1C42486807A4@amacapital.net> <20190215191949.04604191@gandalf.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Feb 15, 2019, at 4:19 PM, Steven Rostedt wrote:
>
> On Fri, 15 Feb 2019 15:49:35 -0800
> Andy Lutomirski wrote:
>
>> I'm missing most of the context here, but even probe_kernel_...() is
>> unwise for a totally untrustworthy address. It could be MMIO, for
>> example.
>
> True, but kprobes are used like modules, and only allowed by root. They
> are used to poke literally anywhere one wants. That's the entire
> purpose of kprobes.
>
>>
>> If needed, we could come up with a safe-ish helper for tracing. For
>> direct-map addresses, probe_kernel_...() is probably okay. Same for
>> the current stack. Otherwise we could walk the page tables and check
>> that the address is cacheable, I suppose, although this is slightly
>> dubious if we don't also check MTRRs. We could also check that the PA
>> is in main memory, I suppose, although this may have unfortunate
>> interactions with the MCE code.
>
> I added you just because I wanted help getting the change log correct,
> as that's what Linus was complaining about. I kept using "kernel
> address" when the sample bug used for the patch was really a
> non-canonical address (as Linus said, it's just garbage. Neither kernel
> nor user space). But I pointed out that this can also bug if the
> address is canonical and in the kernel address space. The old code
> didn't complain about non-canonical or kernel address faulting before
> commit 9da3f2b7405, which only talks about kernel address space
> faulting (which is why I only mentioned that in my messages).
>
> Would changing all the mentions of "kernel address" to "non user space"
> be accurate?
>

I think "kernel address" is right. It's illegal to access anything that isn't known to be a valid kernel address while in KERNEL_DS. The old __copy seems likely to have always been a bit bogus.

BTW, what is this probe_mem_read() thing? Some minimal inspection suggests it's a buggy reimplementation of probe_kernel_read(). Can you delete it and just use probe_kernel_read() directly?

> For reference:
>
> http://lkml.kernel.org/r/20190215174945.557218316@goodmis.org
> http://lkml.kernel.org/r/20190215142015.860423791@goodmis.org
>
> -- Steve
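The distinction the thread turns on, between a non-canonical address that is neither kernel nor user space and a canonical address in the kernel half, as an added user-space C example (not code from the thread or from the kernel; the va_bits widths 48 and 57 are the x86-64 4-level and 5-level paging values, and the kernel's own validity checks go well beyond this):

```c
/* Added example, not kernel code: classify a 64-bit x86 virtual address the
 * way the thread distinguishes them (non-canonical "garbage", user half,
 * kernel half). va_bits is the implemented virtual-address width:
 * 48 for 4-level paging, 57 for 5-level paging. */
#include <stdint.h>
#include <stdio.h>

enum addr_class { ADDR_NONCANONICAL = 0, ADDR_USER = 1, ADDR_KERNEL = 2 };
static const char *const class_name[] = { "non-canonical", "user", "kernel" };

/* Canonical means bits [63:va_bits-1] are all copies of bit va_bits-1,
 * i.e. the value is a sign extension of the implemented width. */
static int is_canonical(uint64_t va, unsigned va_bits)
{
    uint64_t high = ~UINT64_C(0) << (va_bits - 1); /* bits 63..va_bits-1 */
    uint64_t top = va & high;
    return top == 0 || top == high;
}

static enum addr_class classify(uint64_t va, unsigned va_bits)
{
    if (!is_canonical(va, va_bits))
        return ADDR_NONCANONICAL; /* neither kernel nor user space */
    /* A canonical address with the sign bit set is in the kernel half. */
    return (va >> 63) ? ADDR_KERNEL : ADDR_USER;
}

int main(void)
{
    /* Constructed sample addresses; none is taken from the thread. */
    const uint64_t samples[] = {
        UINT64_C(0x00007ffff7dd1000), /* typical user-space mapping */
        UINT64_C(0xffffffff81000000), /* kernel half, text-like */
        UINT64_C(0xdead000000000000), /* poison-style garbage */
        UINT64_C(0xff10000000000000), /* canonical only with 57-bit VAs */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx: 4-level=%s 5-level=%s\n",
               (unsigned long long)samples[i],
               class_name[classify(samples[i], 48)],
               class_name[classify(samples[i], 57)]);
    return 0;
}
```

The last sample shows why "canonical" is not a fixed property of a value: it is garbage under 4-level paging but a kernel-half address under 5-level paging.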