From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sebastian Mayr, Thomas Gleixner, Masami Hiramatsu, Dmitry Safonov, Oleg Nesterov, Srikar Dronamraju
Subject: [PATCH 5.2 070/143] uprobes/x86: Fix detection of 32-bit user mode
Date: Wed, 4 Sep 2019 19:53:33 +0200
Message-Id: <20190904175316.799339893@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190904175314.206239922@linuxfoundation.org>
References: <20190904175314.206239922@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sebastian Mayr

commit 9212ec7d8357ea630031e89d0d399c761421c83b upstream.

32-bit processes running on a 64-bit kernel are not always detected
correctly, causing the process to crash when uretprobes are installed.

The reason for the crash is that in_ia32_syscall() is used to determine the
process's mode, which only works correctly when called from a syscall.

In the case of uretprobes, however, the function is called from an exception
and always returns 'false' on a 64-bit kernel. In consequence this leads to
corruption of the process's return address.

Fix this by using user_64bit_mode() instead of in_ia32_syscall(), which
is correct in any situation.

[ tglx: Add a comment and the following historical info ]

This should have been detected by the rename which happened in commit

  abfb9498ee13 ("x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()")

which states in the changelog:

    The is_ia32_task()/is_x32_task() function names are a big misnomer: they
    suggests that the compat-ness of a system call is a task property, which
    is not true, the compatness of a system call purely depends on how it
    was invoked through the system call layer.
    .....

and then it went and blindly renamed every call site.

Sadly enough this was already mentioned here:

   8faaed1b9f50 ("uprobes/x86: Introduce sizeof_long(), cleanup adjust_ret_addr() and arch_uretprobe_hijack_return_addr()")

where the changelog says:

    TODO: is_ia32_task() is not what we actually want, TS_COMPAT does
    not necessarily mean 32bit. Fortunately syscall-like insns can't be
    probed so it actually works, but it would be better to rename and
    use is_ia32_frame().

and goes all the way back to:

    0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")

Oh well. 7+ years until someone actually tried a uretprobe on a 32bit
process on a 64bit kernel....

Fixes: 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")
Signed-off-by: Sebastian Mayr
Signed-off-by: Thomas Gleixner Cc: Masami Hiramatsu Cc: Dmitry Safonov Cc: Oleg Nesterov Cc: Srikar Dronamraju Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190728152617.7308-1-me@sam.st Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/uprobes.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -508,9 +508,12 @@ struct uprobe_xol_ops { void (*abort)(struct arch_uprobe *, struct pt_regs *); }; -static inline int sizeof_long(void) +static inline int sizeof_long(struct pt_regs *regs) { - return in_ia32_syscall() ? 4 : 8; + /* + * Check registers for mode as in_xxx_syscall() does not apply here. + */ + return user_64bit_mode(regs) ? 8 : 4; } static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs) @@ -521,9 +524,9 @@ static int default_pre_xol_op(struct arc static int emulate_push_stack(struct pt_regs *regs, unsigned long val) { - unsigned long new_sp = regs->sp - sizeof_long(); + unsigned long new_sp = regs->sp - sizeof_long(regs); - if (copy_to_user((void __user *)new_sp, &val, sizeof_long())) + if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs))) return -EFAULT; regs->sp = new_sp; @@ -556,7 +559,7 @@ static int default_post_xol_op(struct ar long correction = utask->vaddr - utask->xol_vaddr; regs->ip += correction; } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) { - regs->sp += sizeof_long(); /* Pop incorrect return address */ + regs->sp += sizeof_long(regs); /* Pop incorrect return address */ if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen)) return -ERESTART; } @@ -675,7 +678,7 @@ static int branch_post_xol_op(struct arc * "call" insn was executed out-of-line. Just restore ->sp and restart. * We could also restore ->ip and try to call branch_emulate_op() again. */ - regs->sp += sizeof_long(); + regs->sp += sizeof_long(regs); return -ERESTART; } 
@@ -1056,7 +1059,7 @@ bool arch_uprobe_skip_sstep(struct arch_ unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs) { - int rasize = sizeof_long(), nleft; + int rasize = sizeof_long(regs), nleft; unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */ if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
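Review bot: the new comment in sizeof_long() at @@ -508 says in_xxx_syscall() "does not apply here" but not why; spelling out the reason the changelog gives (uprobe handlers are entered from an exception, not a syscall, so TS_COMPAT is not set and in_ia32_syscall() reports a 32-bit task on a 64-bit kernel as 64-bit) would save the next reader the trip to the commit message. user_64bit_mode(regs) derives the mode from the saved registers of the interrupted task, as the comment says, which is why it is valid on any entry path.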
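Review bot: emulate_push_stack() at @@ -521 now evaluates sizeof_long(regs) twice, once for new_sp and once as the copy_to_user() length; caching it in a local, as the last hunk does with `int rasize = sizeof_long(regs), nleft;`, keeps the stack adjustment and the copied width visibly the same value. Since val is an unsigned long, the 4-byte copy on x86 stores only its low 32 bits, which is the intended 32-bit behaviour but deserves a one-line comment next to the copy_to_user() call.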
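Review bot: the change at @@ -1056 is the path the changelog says crashed, and the series lacks a regression test even though the commit message notes the bug went unnoticed for 7+ years; a selftest that installs a uretprobe on a 32-bit binary running on an x86_64 kernel would keep `int rasize = sizeof_long(regs), nleft;` covered. The "clear high bits for 32-bit apps" initialisation of orig_ret_vaddr only does its job when rasize really is 4 for a 32-bit task, which is exactly what sizeof_long(regs) restores here.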
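Added illustration, not part of the patch or the kernel tree: a constructed model of what arch_uretprobe_hijack_return_addr() does to a 32-bit user stack when sizeof_long() answers with the wrong width, the corruption the changelog describes. The function names (sizeof_long_model, hijack_return_addr, run_hijack), the stack layout and all addresses are constructed assumptions, and a little-endian host like x86 is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: a 16-byte slice of a 32-bit user
 * stack. The slot at sp holds the return address, the slot at sp+4 the
 * caller's next value (e.g. its first stack argument). Little-endian host. */
#define STACK_BYTES 16

/* Width sizeof_long() picks: 4 for a 32-bit task, 8 for a 64-bit one. The
 * bug was that in_ia32_syscall() answered "64-bit" when run from an
 * exception, so a 32-bit task got rasize == 8. */
static int sizeof_long_model(bool user_64bit_mode)
{
    return user_64bit_mode ? 8 : 4;
}

/* Mirrors arch_uretprobe_hijack_return_addr(): read rasize bytes at sp into
 * a zeroed unsigned long, then overwrite them with the trampoline address.
 * Returns the original return address read, or 0 for an invalid width. */
static uint64_t hijack_return_addr(uint8_t *stack, size_t sp,
                                   uint64_t trampoline, int rasize)
{
    uint64_t orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */

    if ((rasize != 4 && rasize != 8) || sp + (size_t)rasize > STACK_BYTES)
        return 0;
    memcpy(&orig_ret_vaddr, stack + sp, (size_t)rasize);
    memcpy(stack + sp, &trampoline, (size_t)rasize);
    return orig_ret_vaddr;
}

/* Build a 32-bit frame (ret 0x08048abc, neighbour 0x11223344), hijack it
 * with the width chosen for user_64bit_mode, and report what was read and
 * what the neighbouring slot holds afterwards. Returns 1 if the neighbour
 * survived, 0 if it was clobbered. */
static int run_hijack(bool user_64bit_mode, uint64_t *orig_out,
                      uint32_t *neighbour_out)
{
    uint8_t stack[STACK_BYTES] = {0};
    uint32_t ret = 0x08048abcu, arg = 0x11223344u;
    const uint64_t trampoline = 0x00007ffff7fd0000ULL; /* constructed */

    memcpy(stack + 0, &ret, 4);
    memcpy(stack + 4, &arg, 4);
    *orig_out = hijack_return_addr(stack, 0, trampoline,
                                   sizeof_long_model(user_64bit_mode));
    memcpy(neighbour_out, stack + 4, 4);
    return *neighbour_out == arg;
}
```

With the correct 4-byte width the neighbouring slot is untouched, while the 8-byte width reads a return address that includes the neighbour's bits and overwrites that neighbour with the high half of the trampoline address.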