Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp167959ybg; Tue, 9 Jun 2020 19:57:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxvmijvYgJd48K8nXZzBEVhtbcfWNONel/0IOS9Caw5ueTfBEf5sngH8zg+Ies223Fb97zb X-Received: by 2002:a50:d556:: with SMTP id f22mr680697edj.307.1591757869554; Tue, 09 Jun 2020 19:57:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591757869; cv=none; d=google.com; s=arc-20160816; b=i+ap32HFArffCn/TeF9Q0qOMkePuCR+8tGFN7udFWUxKtAA1HTY2W8kCku62RpO6Fk qVYHQFI8G9NbEhmmMB931eX9v8qkfyLRMIFuhZXI3Fu9r7z3CEXWKLrJfx61CyLR7vEa x7eYVuAjUJPd+eQrenyREdrMDSYuB1q3MVe5KcpA6FAaNjfwMClDNHrQ4GQrUcW6Mv0p youCqprJSsMc1SmNgXiCl5+9YXk+PsX4K5mertoP00oLmO7gHTYGsIVRkMf6WObM5guU ZBzh3sdL/BZ3WubqKRq5lFHwnlJOTfFvVQFnAvLY/kmVE4Z94BgkDgZyL3urJbpuajdZ 6icw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=UwvG5yj1NgmCMc9puZo/k1Q0ztcHDsfhggmBtHFsRo0=; b=VrqNpS433HAJXpFPFtQYNw6gqVQrYVpOTkB3nBFPqpe1hua01wGfR/8wiQK97UZAFM kNW3aUfyqtwuIUy5IONLdj5+esZawAm38DVz2tKndAkOg+KPVk97lYC/4Jt2qnBHxTC7 lJEqKGd7XZIb/Rl7efBpF/nNkW9Doy8dq5v+Z0x9dH2OYeRNmuWImJluP5D0EgIs1Hv5 OVQtmplPZB3AsVVN1g0DEW/zS7cOtx0NrcRpXbUln8PhqEF5lrzlDNKCKyGBqKgFRnxW pNkGRBA2HaLtULENVXp0RvjZbDYIdkZfxJbiXBaaRKoRYv8wMtGD2zgktHNzZUiD2Z7S jfcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Byi1G3a2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f24si12202755edr.137.2020.06.09.19.57.26; Tue, 09 Jun 2020 19:57:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Byi1G3a2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726097AbgFJCya (ORCPT + 99 others); Tue, 9 Jun 2020 22:54:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:42016 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725798AbgFJCy1 (ORCPT ); Tue, 9 Jun 2020 22:54:27 -0400 Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 165D620691 for ; Wed, 10 Jun 2020 02:54:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591757666; bh=HGerrB3rsN14/Bmxk8aDszzY8+afaPZgg24C/g+8cKA=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Byi1G3a2VJnZ0ke0XUMn5YDbiMuqHX2fkcH/qOteFehGlrXiHSMYe2ChWnmP9kRTb RDhdH4Yb05V/sQuTzke4YQdloW8x3+9L8rIZk8oM4+p/ullxbOnw+fbV2aueS61/Ng fmMf8+mwQx62lUoylu+x+ZM5tsTCU8rrPmGgZTP4= Received: by mail-lj1-f181.google.com with SMTP id 9so579696ljv.5 for ; Tue, 09 Jun 2020 19:54:26 -0700 (PDT) X-Gm-Message-State: AOAM531tbUa/ywbcOqSnblqvvpw6Pd2QTErOfInYGm2iGhJXY02iFsQf tpvoRIyEitAJLXYQb8dufuJLbvucyKbIPsj+FW0= X-Received: by 2002:a2e:5cc9:: with SMTP id q192mr571864ljb.66.1591757664456; Tue, 09 Jun 2020 19:54:24 -0700 (PDT) MIME-Version: 1.0 References: <20200428091149.GB19958@linux.vnet.ibm.com> <20200428123914.GA27920@redhat.com> <20200504164724.GA28697@redhat.com> In-Reply-To: <20200504164724.GA28697@redhat.com> From: Guo Ren Date: Wed, 10 Jun 2020 10:54:13 +0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned To: Oleg Nesterov Cc: Srikar Dronamraju , Christian Borntraeger , "David S. Miller" , Linus Torvalds , Steven Rostedt , "Eric W. Biederman" , Peter Zijlstra , Ingo Molnar , Jann Horn , Al Viro , Jens Axboe , Security Officers , Andrea Arcangeli , Ananth N Mavinakayanahalli , Naveen Rao , Andrew Morton , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Oleg, On Tue, May 5, 2020 at 12:47 AM Oleg Nesterov wrote: > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > some architectures (csky, s390, and sparc) don't do this. > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > the alignment check in arch_prepare_kprobe() on supported architectures, > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Another problem is __update_ref_ctr() which was wrong from the very > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > aligned to sizeof(short), __uprobe_register() should check this too. > > Cc: stable@vger.kernel.org > Reported-by: Linus Torvalds > Suggested-by: Linus Torvalds > Signed-off-by: Oleg Nesterov > --- > kernel/events/uprobes.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > index ece7e13f6e4a..cc2095607c74 100644 > --- a/kernel/events/uprobes.c > +++ b/kernel/events/uprobes.c > @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, > if (ret) > goto out; > > - /* uprobe_write_opcode() assumes we don't cross page boundary */ > - BUG_ON((uprobe->offset & ~PAGE_MASK) + > - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); > - > smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ > set_bit(UPROBE_COPY_INSN, &uprobe->flags); > > @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, loff_t offset, > if (offset > i_size_read(inode)) > return -EINVAL; > > + /* > + * This ensures that copy_from_page(), copy_to_page() and > + * __update_ref_ctr() can't cross page boundary. > + */ > + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) > + return -EINVAL; > + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short))) > + return -EINVAL; > + > retry: > uprobe = alloc_uprobe(inode, offset, ref_ctr_offset); > if (!uprobe) > @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr) > uprobe_opcode_t opcode; > int result; > > + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) > + return -EINVAL; > + > pagefault_disable(); > result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); > pagefault_enable(); > -- > 2.25.1.362.g51ebf55 > > Looks good to me, thx. Reviewed-by: Guo Ren -- Best Regards Guo Ren ML: https://lore.kernel.org/linux-csky/