Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1583103ybt; Thu, 18 Jun 2020 12:06:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyt2ux1PBEDjGTMfM3fVKUCvFyA81JsQ3YT1wtC5b8SnA+W3isqODi9HyS/rprrMYYKwSJn X-Received: by 2002:a17:907:20cf:: with SMTP id qq15mr151177ejb.238.1592507170404; Thu, 18 Jun 2020 12:06:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592507170; cv=none; d=google.com; s=arc-20160816; b=onTkIacymRqqb5Lct0hrsDXgNkKQQUd5WhWcbbkfj+MOqtwDsoxA6r6Ew4sQ2hNIZ2 FMHVXjFfS/GmGAqOoaczivnnGOYykQRUrnOPIWXmPxCgWVQkcnRe4fm+gzxLcWRlenTA VZTFsrQaHjFcn1Q56d98FY1P479XHPnze2jO1TmZpjuk5fXdZRD9O23U7lZW7s4hPL98 xZwnc8C0rkvys4QLAIM817bYl1S/awJbGcHteTVOQCjnE5OZM4MjuZFDRUloJe1J1T+g nQApG9ofakp0nZ8rUxwlLqVqbR2wRfKSMCSEi+eoBHleQ8XDixae2GdwY94BWwax57YT rMhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=s2fpXriN3aecov8EBsKwF+ZtFEA630b69GieVEhmLnY=; b=kEK1X/qQpDbp0O9fmdxM8iZIeAd4E0SBIKJ1bufAv2fHBadkSTMcPpmHtbnVf3TKwK +Tr3ga3fLiSESgLtEW4sfaJ9gIOfzKLT3JOeZQJEzMU3MOhA5t2cjYUmEQHzkILHmMd2 GThLoCfrouN9VaEkZJJLC3aV7Z5IbKLwe7i21rKJ/aPLI1KPy+KFRHr8weVwNRV2z/mL H9zT+67pLfwy1nScFIqoFbKHnHsPmUFtv+QkfGEjVo/e5PwE2ZijBRnVIsNyibIMz7Dv PPOMtbJOR01hHkcjWaYdT4VEVvDv0zd+cc/FSr6hmiuJoCBnGvFvcDTkqttSWE4tz5Od jDxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=t729B66i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jz23si2380120ejb.168.2020.06.18.12.05.47; Thu, 18 Jun 2020 12:06:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=t729B66i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730238AbgFRSVN (ORCPT + 99 others); Thu, 18 Jun 2020 14:21:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:43580 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725953AbgFRSVN (ORCPT ); Thu, 18 Jun 2020 14:21:13 -0400 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3843F208C7 for ; Thu, 18 Jun 2020 18:21:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592504472; bh=n37tItBWAGRC74p29xrPPnmeAZ/VdU4SlehHbZr5cPk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=t729B66iSN1iCOhLMQzk8aEppNyPTBQZCZOshnvCXfbESRiubSCc6cjGVM/+Ihv2J +nNWmkg3f2/Bp6UOhaWzz8p0jt/VjSRKVSp576wUtIvwfnCcFrx6E+xExWUSPOZNc3 D+l3ndIDJwSj9Uan6dp6LezLyY+/o/fj99LFEuBE= Received: by mail-wm1-f43.google.com with SMTP id t194so6682948wmt.4 for ; Thu, 18 Jun 2020 11:21:12 -0700 (PDT) X-Gm-Message-State: AOAM530A466tIncZQk6CoICCi16c+XRsLW+o81VX6jEUyG9Ul+zGi9tY YDQFoKjW/TXt3tDVUUZr4A7XvbqEv0HQ6G28VqJ9cA== X-Received: by 2002:a05:600c:22da:: with SMTP id 26mr5304161wmg.176.1592504470731; Thu, 18 Jun 2020 11:21:10 -0700 (PDT) MIME-Version: 1.0 References: <87y2onbdtb.fsf@nanos.tec.linutronix.de> <8E41B15F-D567-4C52-94E9-367015480345@amacapital.net> <20200616132705.GW2531@hirez.programming.kicks-ass.net> <20200617131742.GD8389@yuki.lan> In-Reply-To: <20200617131742.GD8389@yuki.lan> From: Andy Lutomirski Date: Thu, 18 Jun 2020 11:20:59 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [LTP] [x86/entry] 2bbc68f837: ltp.ptrace08.fail To: Cyril Hrubis Cc: Peter Zijlstra , Alexandre Chartre , kernel test robot , LKML , lkp@lists.01.org, Andy Lutomirski , Thomas Gleixner , ltp@lists.linux.it Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 17, 2020 at 6:17 AM Cyril Hrubis wrote: > > Hi! > > > >> FYI, we noticed the following commit (built with gcc-9): > > > >> > > > >> commit: 2bbc68f8373c0631ebf137f376fbea00e8086be7 ("x86/entry: Convert Debug exception to IDTENTRY_DB") > > > >> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master > > > > > > > > Is the head of linux.git exposing the same problem or is this an > > > > intermittent failure, which only affects bisectability? > > > > > > It sure looks deterministic: > > > > > > ptrace08.c:62: BROK: Cannot find address of kernel symbol "do_debug" > > > > ROFL > > It's nice to have a good laugh, however I would really appreciate if any > of you would help me to fix the test. > > The test in question is a regression test for: > > commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f > Author: Linus Torvalds > Date: Mon Mar 26 15:39:07 2018 -1000 > > perf/hwbp: Simplify the perf-hwbp code, fix documentation > > Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the > modification of a breakpoint - simplify it and remove the pointless > local variables. > > And as far as I can tell it uses ptrace() with PTRACE_POKEUSER in order to > trigger it. But I'm kind of lost on how exactly we trigger the kernel > crash. > > What is does is to write: > > (void*)1 to u_debugreg[0] > (void*)1 to u_debugreg[7] > do_debug addr to u_debugreg[0] > > Looking at the kernel code the write to register 7 enables the breakpoints and > what we attempt here is to change an invalid address to a valid one after we > enabled the breakpoint but that's as far I can go. > > So does anyone has an idea how to trigger the bug without the do_debug function > address? Would any valid kernel function address suffice? > do_debug is a bit of a red herring here. ptrace should not be able to put a breakpoint on a kernel address, period. I would just pick a fixed address that's in the kernel text range or even just in the pre-KASLR text range and make sure it gets rejected. Maybe try a few different addresses for good measure. --Andy