From: Sebastian Mayr To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , x86@kernel.org, linux-kernel@vger.kernel.org Cc: Sebastian Mayr Subject: [PATCH] uprobes/x86: fix detection of 32-bit user mode Date: Sun, 28 Jul 2019 17:26:17 +0200 Message-Id: <20190728152617.7308-1-me@sam.st> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 32-bit processes running on a 64-bit kernel are not always detected correctly, causing the process to crash when uretprobes are installed. The reason for the crash is that in_ia32_syscall() is used to determine the process's mode, which only works correctly when called from a syscall. In the case of uretprobes, however, the function is called from a software interrupt and always returns 'false' (on a 64-bit kernel). In consequence this leads to corruption of the process's return address. This can be fixed by using user_64bit_mode(), which should always be correct. Signed-off-by: Sebastian Mayr --- Please note that I just stumbled over this bug and am not really familiar with all the internals. So take the patch and, in particular, the commit message with a grain of salt. Thanks! arch/x86/kernel/uprobes.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c index 918b5092a85f..d6e261202c6b 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -508,9 +508,9 @@ struct uprobe_xol_ops { void (*abort)(struct arch_uprobe *, struct pt_regs *); }; -static inline int sizeof_long(void) +static inline int sizeof_long(struct pt_regs *regs) { - return in_ia32_syscall() ? 4 : 8; + return user_64bit_mode(regs) ? 8 : 4; } static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs) 
@@ -521,9 +521,9 @@ static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs) static int emulate_push_stack(struct pt_regs *regs, unsigned long val) { - unsigned long new_sp = regs->sp - sizeof_long(); + unsigned long new_sp = regs->sp - sizeof_long(regs); - if (copy_to_user((void __user *)new_sp, &val, sizeof_long())) + if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs))) return -EFAULT; regs->sp = new_sp; @@ -556,7 +556,7 @@ static int default_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs long correction = utask->vaddr - utask->xol_vaddr; regs->ip += correction; } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) { - regs->sp += sizeof_long(); /* Pop incorrect return address */ + regs->sp += sizeof_long(regs); /* Pop incorrect return address */ if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen)) return -ERESTART; } @@ -675,7 +675,7 @@ static int branch_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs) * "call" insn was executed out-of-line. Just restore ->sp and restart. * We could also restore ->ip and try to call branch_emulate_op() again. */ - regs->sp += sizeof_long(); + regs->sp += sizeof_long(regs); return -ERESTART; } @@ -1056,7 +1056,7 @@ bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs) unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs) { - int rasize = sizeof_long(), nleft; + int rasize = sizeof_long(regs), nleft; unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */ if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize)) -- 2.22.0
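Review bot: in the sizeof_long() hunk (@@ -508), the ternary is correctly inverted along with the swap from in_ia32_syscall() to user_64bit_mode(regs), so 64-bit mode still yields 8 and everything else 4; the result is now derived from the task's saved CS rather than from syscall state, which means the function is only meaningful when regs is the user-mode pt_regs of the probed task, and that holds for all five callers changed here. It is worth confirming that user_64bit_mode() returns false on CONFIG_X86_32 builds so sizeof_long() still yields 4 there. For the commit message, please add a Fixes: tag for the commit that introduced the in_ia32_syscall()-based check (and Cc: stable@vger.kernel.org, since this is a user-visible crash), and state more precisely that in_ia32_syscall() reports compat state recorded at syscall entry, which is why it cannot classify a task hit by a uretprobe from a trap.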
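Review bot: in emulate_push_stack() (@@ -521), sizeof_long(regs) is now evaluated twice for the same regs; computing it once into a local (`int rasize = sizeof_long(regs);`, as arch_uretprobe_hijack_return_addr() already does) keeps the stack adjustment and the copy_to_user() length visibly the same value. A short comment would also help: for a 32-bit task copy_to_user() writes only the low 4 bytes of val, which relies on x86 being little-endian and on every caller passing an address that fits in 32 bits.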
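Review bot: the UPROBE_FIX_CALL branch (@@ -556) pops the return address that the out-of-line 'call' pushed and re-pushes the correct one through emulate_push_stack(); with both sides now using sizeof_long(regs), the pop and the push agree on the slot size for the same task, whereas before a 32-bit task outside a syscall popped 8 bytes for a 4-byte push. Consider extending the comment `/* Pop incorrect return address */` to say that the size must match what the CPU pushed in the task's current mode, so the two calls are not decoupled by a later change.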
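Review bot: in arch_uretprobe_hijack_return_addr() (@@ -1056), the initializer `unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */` only achieves its purpose now that rasize is 4 for a 32-bit task: with the old rasize of 8, copy_from_user() read the return address and the next stack slot together, so the "high bits" were whatever the caller had stored above the return address. This is the uretprobe path the commit message describes, so it would help to name the function there, and a one-line reproduction (a 32-bit binary under a 64-bit kernel with a uretprobe on a function that takes a stack argument) in the cover text would make the fix verifiable.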
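The return-address corruption the commit message describes, modelled in user space (added example, not code from the patch or the kernel): a constructed 32-bit task stack is hijacked with rasize 4, which is what user_64bit_mode() yields for such a task, and with rasize 8, which is what the old in_ia32_syscall() check produced outside a syscall. hijack_model(), sizeof_long_model(), arg_after_hijack() and the sample addresses are hypothetical stand-ins for the kernel functions named in the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values for a 32-bit task (all hypothetical). */
#define RET_ADDR   0x080484d6u   /* original return address on the stack */
#define ARG_VAL    0x11223344u   /* caller's first stack argument, right above it */
#define TRAMPOLINE 0xf7fd0000u   /* trampoline_vaddr the hijack writes */

/* Stand-in for sizeof_long(regs) after the patch: 8 only for a 64-bit task. */
static int sizeof_long_model(bool user_64bit_mode) { return user_64bit_mode ? 8 : 4; }

/* Model of arch_uretprobe_hijack_return_addr() on a constructed 32-bit stack
 * (little-endian, as on x86): slot 0 is the return address, slot 1 the argument.
 * Reads the original return address with rasize bytes, then overwrites the slot
 * with the trampoline using the same size. Returns what was read back and,
 * through arg_after, the argument slot as the callee will later see it. */
static uint64_t hijack_model(int rasize, uint32_t *arg_after)
{
    uint8_t stack[16] = {0};                    /* stack[0] is where regs->sp points */
    uint32_t ret = RET_ADDR, arg = ARG_VAL;
    uint64_t orig_ret_vaddr = 0;                /* clear high bits for 32-bit apps */
    uint64_t tramp = TRAMPOLINE;

    memcpy(&stack[0], &ret, 4);
    memcpy(&stack[4], &arg, 4);
    memcpy(&orig_ret_vaddr, &stack[0], rasize); /* copy_from_user(..., rasize) */
    memcpy(&stack[0], &tramp, rasize);          /* copy_to_user(..., rasize) */
    if (arg_after)
        memcpy(arg_after, &stack[4], 4);
    return orig_ret_vaddr;
}

/* Convenience: the argument slot after a hijack with the given rasize. */
static uint32_t arg_after_hijack(int rasize) { uint32_t a; hijack_model(rasize, &a); return a; }

int main(void)
{
    uint32_t arg;
    uint64_t orig;

    /* rasize 4: what user_64bit_mode(regs) yields for a 32-bit task */
    orig = hijack_model(sizeof_long_model(false), &arg);
    printf("rasize 4: orig=%#llx arg=%#x\n", (unsigned long long)orig, arg);
    /* rasize 8: what in_ia32_syscall() yielded for the same task outside a syscall */
    orig = hijack_model(sizeof_long_model(true), &arg);
    printf("rasize 8: orig=%#llx arg=%#x\n", (unsigned long long)orig, arg);
    return 0;
}
```

With rasize 8 the value read back carries the caller's argument in its upper 32 bits and the argument slot is clobbered by the trampoline's zero upper half, which is the mismatch that crashed 32-bit processes.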