From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrea Righi, Masami Hiramatsu, Steven Rostedt, Linus Torvalds, Mathieu Desnoyers, Peter Zijlstra, Thomas Gleixner, Ingo Molnar
Subject: [PATCH 5.0 087/115] x86/kprobes: Verify stack frame on kretprobe
Date: Wed, 24 Apr 2019 19:10:23 +0200
Message-Id: <20190424170929.987703426@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>
References: <20190424170924.797924502@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Masami Hiramatsu

commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream.

Verify the stack frame pointer on the kretprobe trampoline handler. If the stack frame pointer does not match, it skips the wrong entry and tries to find the correct one.

This can happen if the user puts the kretprobe on a function which can be used in the path of an ftrace user-function call. Such functions should not be probed, so this adds a warning message that reports which function should be blacklisted.

Tested-by: Andrea Righi
Signed-off-by: Masami Hiramatsu
Acked-by: Steven Rostedt
Cc: Linus Torvalds
Cc: Mathieu Desnoyers
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++
 include/linux/kprobes.h        |  1 +
 2 files changed, 27 insertions(+)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -569,6 +569,7 @@ void arch_prepare_kretprobe(struct kretp unsigned long *sara = stack_addr(regs); ri->ret_addr = (kprobe_opcode_t *) *sara; + ri->fp = sara; /* Replace the return addr with trampoline addr */ *sara = (unsigned long) &kretprobe_trampoline; @@ -759,15 +760,21 @@ static __used void *trampoline_handler(s unsigned long flags, orig_ret_address = 0; unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; kprobe_opcode_t *correct_ret_addr = NULL; + void *frame_pointer; + bool skipped = false; INIT_HLIST_HEAD(&empty_rp); kretprobe_hash_lock(current, &head, &flags); /* fixup registers */ #ifdef CONFIG_X86_64 regs->cs = __KERNEL_CS; + /* On x86-64, we use pt_regs->sp for return address holder. */ + frame_pointer = ®s->sp; #else regs->cs = __KERNEL_CS | get_kernel_rpl(); regs->gs = 0; + /* On x86-32, we use pt_regs->flags for return address holder. */ + frame_pointer = ®s->flags; #endif regs->ip = trampoline_address; regs->orig_ax = ~0UL; @@ -789,8 +796,25 @@ static __used void *trampoline_handler(s if (ri->task != current) /* another task is sharing our hash bucket */ continue; + /* + * Return probes must be pushed on this hash list correct + * order (same as return order) so that it can be poped + * correctly. However, if we find it is pushed it incorrect + * order, this means we find a function which should not be + * probed, because the wrong order entry is pushed on the + * path of processing other kretprobe itself. + */ + if (ri->fp != frame_pointer) { + if (!skipped) + pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); + skipped = true; + continue; + } orig_ret_address = (unsigned long)ri->ret_addr; + if (skipped) + pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", + ri->rp->kp.addr); if (orig_ret_address != trampoline_address) /* 
@@ -808,6 +832,8 @@ static __used void *trampoline_handler(s if (ri->task != current) /* another task is sharing our hash bucket */ continue; + if (ri->fp != frame_pointer) + continue; orig_ret_address = (unsigned long)ri->ret_addr; if (ri->rp && ri->rp->handler) { --- a/include/linux/kprobes.h +++ b/include/linux/kprobes.h @@ -173,6 +173,7 @@ struct kretprobe_instance { struct kretprobe *rp; kprobe_opcode_t *ret_addr; struct task_struct *task; + void *fp; char data[0]; };
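Review bot: in the arch_prepare_kretprobe() hunk (@@ -569), `ri->fp = sara;` records the address of the stack slot that held the return address (the value of stack_addr(regs)), not a frame pointer in the %rbp sense, yet the field is named fp and its counterpart in trampoline_handler() is named frame_pointer. A one-line comment at the assignment saying that this slot address is what trampoline_handler() later compares against &regs->sp (x86-64) or &regs->flags (x86-32) would stop readers from looking for a CONFIG_FRAME_POINTER dependency that the check does not have.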
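Review bot: in the hunk that introduces frame_pointer (@@ -759), `frame_pointer = &regs->sp;` on x86-64 and `frame_pointer = &regs->flags;` on x86-32 are only equal to the `sara` saved in arch_prepare_kretprobe() if the kretprobe_trampoline asm builds its pt_regs so that the named field lands exactly on the stack slot the probed function's return address occupied. That layout invariant lives in the trampoline asm, not in this C file, so the two added comments ("we use pt_regs->sp for return address holder") should name kretprobe_trampoline as the thing that pins the layout, or the asm should carry a matching comment pointing back here; otherwise a later change to the trampoline frame breaks this check silently and every kretprobe return would be reported as "stacked incorrectly".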
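Review bot: three points on the skip loop (@@ -789). The comment has typos: "pushed on this hash list correct order" should read "in the correct order", "poped" should be "popped", and "pushed it incorrect order" should be "pushed in incorrect order". `pr_warn("%ps must be blacklisted ...", ri->rp->kp.addr);` dereferences ri->rp unguarded, while the second loop in the same function checks `if (ri->rp && ri->rp->handler)` before using it; either that guard is redundant or this line needs the same one. Finally, the blacklist message names the function of the instance that matched (orig_ret_address has already been taken from ri when it prints), not the instance that was skipped; since the commit log promises the warning "reports which function should be blacklisted", the message or the log should say which of the two the user is meant to blacklist, and printing the skipped instance's function as well would show both halves of the mis-ordering. Both pr_warn() calls also fire on every trampoline hit that sees a mis-ordered entry, so pr_warn_once() or a ratelimited variant would keep one misplaced probe from flooding the log.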
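Review bot: in the second-loop hunk (@@ -808), `if (ri->fp != frame_pointer) continue;` leaves the mis-ordered instances on current's hash list, and nothing in the hunk says what eventually reclaims them; this is the loop that runs the handlers (`if (ri->rp && ri->rp->handler)`), so a skipped instance never gets its handler or its release here. A sentence stating whether such instances are consumed by a later trampoline hit whose frame_pointer does match, or only cleaned up at task exit, would make the leak-or-not question answerable from the code.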
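Review bot: in include/linux/kprobes.h (@@ -173), `void *fp;` is added to the generic struct kretprobe_instance without a comment, and in this patch only arch/x86 ever assigns it. Add a comment stating what it holds (the stack address of the saved return address, as set by arch_prepare_kretprobe()) and that architectures which do not set it must not read it, so a trampoline handler elsewhere does not end up comparing against an uninitialised pointer. The field also lands before `char data[0]`, so every instance allocation grows by one pointer; harmless with the flexible array member, but worth a line in the log for a stable backport.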
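To make the ordering check concrete, here is an added user-space C model of the return-address matching that the first loop of trampoline_handler() performs after this patch, placed beside the pre-patch head-of-list behaviour. It is example code written for this review, not code from the patch or from the kernel; the types and functions (kri, task_list, push_instance, find_unchecked, find_checked, build_scenario) and all addresses are invented for the model, and the scenario only assumes what the commit log states: an instance can end up on the per-task list out of return order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INST 8

/* Model of struct kretprobe_instance after this patch: the saved return
 * address, the stack slot it was read from (ri->fp), and the probed function
 * (stands in for ri->rp->kp.addr). Hypothetical user-space type. */
struct kri {
    uintptr_t ret_addr;
    uintptr_t fp;
    const char *func;
};

/* Per-task instance list, newest entry first (like hlist_add_head). */
struct task_list {
    struct kri inst[MAX_INST];
    int n;
};

/* Model of arch_prepare_kretprobe(): remember the return address and the
 * stack slot it lived in. Returns false when the list is full. */
static bool push_instance(struct task_list *l, const char *func,
                          uintptr_t stack_slot, uintptr_t ret_addr)
{
    if (l->n >= MAX_INST)
        return false;
    memmove(&l->inst[1], &l->inst[0], (size_t)l->n * sizeof l->inst[0]);
    l->inst[0] = (struct kri){ .ret_addr = ret_addr, .fp = stack_slot, .func = func };
    l->n++;
    return true;
}

struct match {
    uintptr_t orig_ret_address;  /* 0: no instance matched the slot */
    bool skipped;                /* at least one mis-ordered instance seen */
    const char *blamed_func;     /* function the kernel's warning names, or NULL */
};

/* Pre-patch behaviour: trust the newest instance for this task. */
static struct match find_unchecked(const struct task_list *l)
{
    struct match m = { 0, false, NULL };
    if (l->n > 0)
        m.orig_ret_address = l->inst[0].ret_addr;
    return m;
}

/* Post-patch behaviour (first loop of trampoline_handler()): take the first
 * instance whose recorded slot equals the slot the trampoline was reached
 * from; anything else is out of order and skipped. As in the kernel, the
 * "must be blacklisted" message names the matched instance's function. */
static struct match find_checked(const struct task_list *l, uintptr_t frame_pointer)
{
    struct match m = { 0, false, NULL };
    for (int i = 0; i < l->n; i++) {
        const struct kri *ri = &l->inst[i];
        if (ri->fp != frame_pointer) {
            m.skipped = true;           /* "kretprobe is stacked incorrectly" */
            continue;
        }
        m.orig_ret_address = ri->ret_addr;
        if (m.skipped)
            m.blamed_func = ri->func;   /* "%ps must be blacklisted ..." */
        break;
    }
    return m;
}

/* Constructed scenario (invented values): foo() is entered with its return
 * address 0xA000 in stack slot 0x7F00. Before foo returns, a probe on a
 * function used in the probe-processing path pushes a second instance with
 * slot 0x7E00 on top of it. foo's return then reaches the trampoline from
 * slot 0x7F00, so the head of the list is not the instance to use. */
static struct task_list build_scenario(void)
{
    struct task_list l = { .n = 0 };
    push_instance(&l, "foo", 0x7F00, 0xA000);
    push_instance(&l, "path_helper", 0x7E00, 0xB000);
    return l;
}

/* Address the unchecked handler would return foo to (the wrong one). */
static uintptr_t unchecked_return_for_foo(void)
{
    struct task_list l = build_scenario();
    return find_unchecked(&l).orig_ret_address;
}

/* Result of the checked handler for foo's return. */
static struct match checked_return_for_foo(void)
{
    struct task_list l = build_scenario();
    return find_checked(&l, 0x7F00);
}

/* Result when no instance matches the slot at all: nothing is taken. */
static struct match checked_no_match(void)
{
    struct task_list l = build_scenario();
    return find_checked(&l, 0x1234);
}

int main(void)
{
    struct match m = checked_return_for_foo();
    printf("unchecked: return to 0x%lx\n", (unsigned long)unchecked_return_for_foo());
    printf("checked:   return to 0x%lx, skipped=%d, blamed=%s\n",
           (unsigned long)m.orig_ret_address, m.skipped,
           m.blamed_func ? m.blamed_func : "(none)");
    return 0;
}
```

The unchecked walk returns foo to path_helper's saved address, which is the silent corruption the patch closes; the checked walk lands on foo's own address and flags the mis-ordering so the offending probe can be removed.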