Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2738744imj; Mon, 18 Feb 2019 11:14:43 -0800 (PST) X-Google-Smtp-Source: AHgI3Ib2HyRKKTQ8F1DyoTqhJN8qXjs7xIa3Gyjg0h7efBezusqdQUoShiajp6f0TiLEb/sFK0zz X-Received: by 2002:a62:33c1:: with SMTP id z184mr25518493pfz.104.1550517283338; Mon, 18 Feb 2019 11:14:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550517283; cv=none; d=google.com; s=arc-20160816; b=PklPyTEEkwnizqHjx/t6c6wL9vaFyXHsjTmX6tKPO2vE4mvnrae2zqxgciYLWQftNk AtSyB5iSwxVPUBmLvzWloY8HZjwk1thDgWqvpKxQxpgXBdv2nEq5s6OolPzOxCVQoq2w Mp0jbkChbEgXg4V58LD6qSPAeuOsZrqGCoRcjJU/9KcUIVBllnDOy1kBf3rlJRxbAuMq YB2x6+KX4dtB3ZrZ2P9xyYryfwOBvjJw4RIRz3+7H3Er1Tb8D8/GlrmIueu38JiMxH8X SRcCkVTKKxVLvzjoghcWRRG0TvgGRVguDaZHWkMHlQ0T8rqFMxbggtQRlQWKuMBGAjeG M/5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=BZSrGBeMt8miQsxUb0HHnQwJnv/0AoLI/ruohepXj4A=; b=f60PeyJOPW4uYLr6N0Ph7JzAYISz8jK1Urf8s9+YQk4fYF/6DOnjFMYJu8uxw6Jl2z Se5eWUxV5vRgiCbwxyMBnIeff7HN4wiLfmqIUkNwfVuyuH7muWTx9o8XxWZKFtxuJWqg 9udTYyw2sopGE0zZ8BSr8Fw2QUDJJi7tl6WlCsSDNQ28I1hqWpmMf4RpxIHMahQSZCGk oFjcG5yjcHigQ/8xjp+9oQm/yG9hB90pa+BZ39xpNUx330oFgT2gTRQxbRc7pROksuEl rxrNATcrCDhPf/aLU2a2yEp8BR1AhvEZgkPboLc3dTIifMqNnwI9Yk9Njp7B6KWwnxTJ o/bw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=bcffL92+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v6si473649pgr.191.2019.02.18.11.14.27; Mon, 18 Feb 2019 11:14:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=bcffL92+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391762AbfBRR7H (ORCPT + 99 others); Mon, 18 Feb 2019 12:59:07 -0500 Received: from mail-lj1-f193.google.com ([209.85.208.193]:46131 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391701AbfBRR7E (ORCPT ); Mon, 18 Feb 2019 12:59:04 -0500 Received: by mail-lj1-f193.google.com with SMTP id v16so15097200ljg.13 for ; Mon, 18 Feb 2019 09:59:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BZSrGBeMt8miQsxUb0HHnQwJnv/0AoLI/ruohepXj4A=; b=bcffL92+OgnG/ODd3BcH05qeWSmqCDg8HJ0Loh3CX++i3nu7xeU902kZgS1f3plb7h gAxdyhj1v7IVbGmZa053r4tFZ2PAT+ovnhQX9K/4fEjR9tjoQXjacTRB0ZiaWIWzEqIW 3noKgeKms5w7N+sW/+mAx1nHhPtn2Tz4HZraY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BZSrGBeMt8miQsxUb0HHnQwJnv/0AoLI/ruohepXj4A=; b=P4gxwJ9xBuIM4+0h6pYfPmqONe9ys18e0rELeh5fJgv49drlhr4eAMxDSbpafYa9kL wK/Q7dYI+ExMxRqBVXA7UQnak6xOwxLsEuSJxG5j7bOWm7XBfhFHROO9Dg9RHgX+IfN2 /7f5gKy49Kp9jX6+1/D8ub1o0Cr9M47GXSkbuOl4HsmkFBQOsaEU1Zpf9I/dS3TBeaBu 2IHQw8GqWKZdPh7I9TsCvAS52AuH1pYreS9sbioEeG96GUaJFEowHb7qcmj/pL/Jb7/E thEHS3uJEIe+BKv3O5oZimqe5wLca/WYocny68Zm5/2u4Es8H3W6x0bYFtYGQV5fU3ve MFIQ== X-Gm-Message-State: AHQUAuah+vQYJ1RWhC96r8cw063EfyQPLafDamujce7uioEtR1auSNr3 6bYiKLHDudje+NEw1iF1HEf97F+Mzko= X-Received: by 2002:a2e:85cf:: with SMTP id h15mr14662494ljj.73.1550512741833; Mon, 18 Feb 2019 09:59:01 -0800 (PST) Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com. [209.85.167.45]) by smtp.gmail.com with ESMTPSA id j14sm3610180lji.32.2019.02.18.09.59.00 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Feb 2019 09:59:01 -0800 (PST) Received: by mail-lf1-f45.google.com with SMTP id g12so3332739lfb.13 for ; Mon, 18 Feb 2019 09:59:00 -0800 (PST) X-Received: by 2002:ac2:4433:: with SMTP id w19mr14380382lfl.67.1550512740346; Mon, 18 Feb 2019 09:59:00 -0800 (PST) MIME-Version: 1.0 References: <20190215174712.372898450@goodmis.org> <20190215174945.557218316@goodmis.org> <20190215171539.4682f0b4@gandalf.local.home> <300C4516-A093-43AE-8707-1C42486807A4@amacapital.net> <20190215191949.04604191@gandalf.local.home> In-Reply-To: <20190215191949.04604191@gandalf.local.home> From: Linus Torvalds Date: Mon, 18 Feb 2019 09:58:44 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault To: Steven Rostedt Cc: Andy Lutomirski , Linux List Kernel Mailing , Ingo Molnar , Andrew Morton , stable , Changbin Du , Jann Horn , Kees Cook , Andy Lutomirski Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Sorry for not looking at this earlier, I have family in town so I was mostly busy over the weekend... ] On Fri, Feb 15, 2019 at 4:19 PM Steven Rostedt wrote: > > Would changing all the mention of "kernel address" to "non user space" > be accurate? That would have worked, but in the meantime I just decided to pull the existing tag, because it's not _horribly_ misleading any more and now we're just talking details of what is a "kernel address" etc. And the patch itself is better than what we used to have. That said, I do agree with Andy that both the old _copy_from_user_inatomic() thing and the new probe_mem_read() are just fundamentally broken, nasty and slow. It just so happens that probe_mem_read() works _reasonably_ well in practice on x86. Basically, probe_mem_read() -> probe_kernel_read() really only works on true kernel addresses. And some of that is very fundamental: some architectures can have two entirely different address spaces for user and kernel memory, so if you give _any_ function an "try to read this address", it fundamentally has to be one or the other. The fact that on x86, there is a unified address space for kernel/user, and it can work for one or the other, is just happenstance (and admittedly the common case). So I've pulled the existing pull request, because it papers over one particular issue, but the real fix would require: - knowing whether it's kernel or user space you access - actually using that knowledge to then limit the addresses we are willing to probe, and _how_ we probe them. The user-space case is fairly easy: just check the address with "access_ok()", and then use _copy_user_atomic() without any set_fs() games. That should "JustWork(tm)". And if it's truly supposed to be a kernel address, then we probably need to add a "is this possibly a valid kernel data pointer" interface. Before we then do what "probe_kernel_read()" currently does. Linus