Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1583103ybt;
        Thu, 18 Jun 2020 12:06:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyt2ux1PBEDjGTMfM3fVKUCvFyA81JsQ3YT1wtC5b8SnA+W3isqODi9HyS/rprrMYYKwSJn
X-Received: by 2002:a17:907:20cf:: with SMTP id qq15mr151177ejb.238.1592507170404;
        Thu, 18 Jun 2020 12:06:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592507170; cv=none;
        d=google.com; s=arc-20160816;
        b=onTkIacymRqqb5Lct0hrsDXgNkKQQUd5WhWcbbkfj+MOqtwDsoxA6r6Ew4sQ2hNIZ2
         FMHVXjFfS/GmGAqOoaczivnnGOYykQRUrnOPIWXmPxCgWVQkcnRe4fm+gzxLcWRlenTA
         VZTFsrQaHjFcn1Q56d98FY1P479XHPnze2jO1TmZpjuk5fXdZRD9O23U7lZW7s4hPL98
         xZwnc8C0rkvys4QLAIM817bYl1S/awJbGcHteTVOQCjnE5OZM4MjuZFDRUloJe1J1T+g
         nQApG9ofakp0nZ8rUxwlLqVqbR2wRfKSMCSEi+eoBHleQ8XDixae2GdwY94BWwax57YT
         rMhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=s2fpXriN3aecov8EBsKwF+ZtFEA630b69GieVEhmLnY=;
        b=kEK1X/qQpDbp0O9fmdxM8iZIeAd4E0SBIKJ1bufAv2fHBadkSTMcPpmHtbnVf3TKwK
         +Tr3ga3fLiSESgLtEW4sfaJ9gIOfzKLT3JOeZQJEzMU3MOhA5t2cjYUmEQHzkILHmMd2
         GThLoCfrouN9VaEkZJJLC3aV7Z5IbKLwe7i21rKJ/aPLI1KPy+KFRHr8weVwNRV2z/mL
         H9zT+67pLfwy1nScFIqoFbKHnHsPmUFtv+QkfGEjVo/e5PwE2ZijBRnVIsNyibIMz7Dv
         PPOMtbJOR01hHkcjWaYdT4VEVvDv0zd+cc/FSr6hmiuJoCBnGvFvcDTkqttSWE4tz5Od
         jDxg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=t729B66i;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id jz23si2380120ejb.168.2020.06.18.12.05.47;
        Thu, 18 Jun 2020 12:06:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=t729B66i;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730238AbgFRSVN (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Thu, 18 Jun 2020 14:21:13 -0400
Received: from mail.kernel.org ([198.145.29.99]:43580 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725953AbgFRSVN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jun 2020 14:21:13 -0400
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 3843F208C7
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jun 2020 18:21:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1592504472;
        bh=n37tItBWAGRC74p29xrPPnmeAZ/VdU4SlehHbZr5cPk=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=t729B66iSN1iCOhLMQzk8aEppNyPTBQZCZOshnvCXfbESRiubSCc6cjGVM/+Ihv2J
         +nNWmkg3f2/Bp6UOhaWzz8p0jt/VjSRKVSp576wUtIvwfnCcFrx6E+xExWUSPOZNc3
         D+l3ndIDJwSj9Uan6dp6LezLyY+/o/fj99LFEuBE=
Received: by mail-wm1-f43.google.com with SMTP id t194so6682948wmt.4
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jun 2020 11:21:12 -0700 (PDT)
X-Gm-Message-State: AOAM530A466tIncZQk6CoICCi16c+XRsLW+o81VX6jEUyG9Ul+zGi9tY
        YDQFoKjW/TXt3tDVUUZr4A7XvbqEv0HQ6G28VqJ9cA==
X-Received: by 2002:a05:600c:22da:: with SMTP id 26mr5304161wmg.176.1592504470731;
 Thu, 18 Jun 2020 11:21:10 -0700 (PDT)
MIME-Version: 1.0
References: <87y2onbdtb.fsf@nanos.tec.linutronix.de> <8E41B15F-D567-4C52-94E9-367015480345@amacapital.net>
 <20200616132705.GW2531@hirez.programming.kicks-ass.net> <20200617131742.GD8389@yuki.lan>
In-Reply-To: <20200617131742.GD8389@yuki.lan>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Thu, 18 Jun 2020 11:20:59 -0700
X-Gmail-Original-Message-ID: <CALCETrVX=wxRrv0qw-Enbyg5CEQsy5TigbNt7sSs=MDO6uAnMw@mail.gmail.com>
Message-ID: <CALCETrVX=wxRrv0qw-Enbyg5CEQsy5TigbNt7sSs=MDO6uAnMw@mail.gmail.com>
Subject: Re: [LTP] [x86/entry] 2bbc68f837: ltp.ptrace08.fail
To:     Cyril Hrubis <chrubis@suse.cz>
Cc:     Peter Zijlstra <peterz@infradead.org>,
        Alexandre Chartre <alexandre.chartre@oracle.com>,
        kernel test robot <rong.a.chen@intel.com>,
        LKML <linux-kernel@vger.kernel.org>, lkp@lists.01.org,
        Andy Lutomirski <luto@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>, ltp@lists.linux.it
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 17, 2020 at 6:17 AM Cyril Hrubis <chrubis@suse.cz> wrote:
>
> Hi!
> > > >> FYI, we noticed the following commit (built with gcc-9):
> > > >>
> > > >> commit: 2bbc68f8373c0631ebf137f376fbea00e8086be7 ("x86/entry: Convert Debug exception to IDTENTRY_DB")
> > > >> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
> > > >
> > > > Is the head of linux.git exposing the same problem or is this an
> > > > intermittent failure, which only affects bisectability?
> > >
> > > It sure looks deterministic:
> > >
> > > ptrace08.c:62: BROK: Cannot find address of kernel symbol "do_debug"
> >
> > ROFL
>
> It's nice to have a good laugh, however I would really appreciate if any
> of you would help me to fix the test.
>
> The test in question is a regression test for:
>
> commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date:   Mon Mar 26 15:39:07 2018 -1000
>
>     perf/hwbp: Simplify the perf-hwbp code, fix documentation
>
>     Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
>     modification of a breakpoint - simplify it and remove the pointless
>     local variables.
>
> And as far as I can tell it uses ptrace() with PTRACE_POKEUSER in order to
> trigger it. But I'm kind of lost on how exactly we trigger the kernel
> crash.
>
> What is does is to write:
>
>         (void*)1 to u_debugreg[0]
>         (void*)1 to u_debugreg[7]
>         do_debug addr to u_debugreg[0]
>
> Looking at the kernel code the write to register 7 enables the breakpoints and
> what we attempt here is to change an invalid address to a valid one after we
> enabled the breakpoint but that's as far I can go.
>
> So does anyone has an idea how to trigger the bug without the do_debug function
> address? Would any valid kernel function address suffice?
>

do_debug is a bit of a red herring here.  ptrace should not be able to
put a breakpoint on a kernel address, period.  I would just pick a
fixed address that's in the kernel text range or even just in the
pre-KASLR text range and make sure it gets rejected.  Maybe try a few
different addresses for good measure.

--Andy