From: Thomas Gleixner
To: Cyril Hrubis, Peter Zijlstra
Cc: Andy Lutomirski, Alexandre Chartre, kernel test robot, LKML, lkp@lists.01.org, ltp@lists.linux.it
Subject: Re: [LTP] [x86/entry] 2bbc68f837: ltp.ptrace08.fail
In-Reply-To: <20200617131742.GD8389@yuki.lan>
References: <87y2onbdtb.fsf@nanos.tec.linutronix.de> <8E41B15F-D567-4C52-94E9-367015480345@amacapital.net> <20200616132705.GW2531@hirez.programming.kicks-ass.net> <20200617131742.GD8389@yuki.lan>
Date: Thu, 18 Jun 2020 22:02:30 +0200
Message-ID: <87r1ucb0rt.fsf@nanos.tec.linutronix.de>

Cyril Hrubis writes:
> What it does is to write:
>
> (void*)1 to u_debugreg[0]
> (void*)1 to u_debugreg[7]
> do_debug addr to u_debugreg[0]
>
> Looking at the kernel code the write to register 7 enables the breakpoints and
> what we attempt here is to change an invalid address to a valid one after we
> enabled the breakpoint but that's as far as I can go.
>
> So does anyone have an idea how to trigger the bug without the do_debug function
> address? Would any valid kernel function address suffice?

According to https://www.openwall.com/lists/oss-security/2018/05/01/3 the trigger is to set the breakpoint to do_debug() and then execute INT1, aka. ICEBP which ends up in do_debug() ....

In principle each kernel address is ok, but do_debug() is interesting due to the recursion issue because user space can reach it by executing INT1.

So you might check for exc_debug() if do_debug() is not available and make the whole thing fail gracefully with a useful error message.

Thanks,

        tglx
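The suggestion at the end of the mail, a lookup that tries exc_debug() first, falls back to do_debug(), and fails with a message that says why, is shown below as an added example. It is not LTP's code and not code from this thread; it assumes /proc/kallsyms as the symbol source (LTP's actual lookup helper is not shown on the page), and the candidate name list, the kallsyms excerpts, and the "ok"/"hidden"/"missing" classification are constructed for the example. The "hidden" case covers kptr_restrict zeroing addresses for unprivileged readers, which a test should report separately from a genuinely missing symbol.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Candidate symbol names for the x86 #DB handler, most preferred first
 * (assumption: exc_debug is the post-entry-rework name, do_debug the older one). */
static const char *const debug_handler_names[] = { "exc_debug", "do_debug", NULL };

/* Parse one /proc/kallsyms line: "<hex addr> <type> <name> [module]".
 * Only text symbols (T/t) are accepted; returns 1 on success, 0 otherwise. */
static int parse_kallsyms_line(const char *line, unsigned long *addr,
                               char *name_out, size_t name_len)
{
    char type, name[256];

    if (sscanf(line, "%lx %c %255s", addr, &type, name) != 3)
        return 0;
    if (type != 'T' && type != 't')
        return 0;
    snprintf(name_out, name_len, "%s", name);
    return 1;
}

/* Scan a kallsyms-format buffer for the names in names[], in order of
 * preference. *matched receives the name found (NULL if none). Returns the
 * address, which is 0 when no candidate exists or when kptr_restrict has
 * replaced the addresses with zeros. */
unsigned long find_symbol_in_text(const char *text, const char *const names[],
                                  const char **matched)
{
    if (matched)
        *matched = NULL;
    for (int i = 0; names[i]; i++) {
        const char *p = text;
        while (*p) {
            const char *nl = strchr(p, '\n');
            size_t len = nl ? (size_t)(nl - p) : strlen(p);
            char line[512], name[256];
            unsigned long addr;

            if (len < sizeof(line)) {
                memcpy(line, p, len);
                line[len] = '\0';
                if (parse_kallsyms_line(line, &addr, name, sizeof(name)) &&
                    strcmp(name, names[i]) == 0) {
                    if (matched)
                        *matched = names[i];
                    return addr;
                }
            }
            if (!nl)
                break;
            p = nl + 1;
        }
    }
    return 0;
}

/* Classify the lookup so the caller can fail with a precise message:
 * "ok" (usable address), "hidden" (symbol present, address zeroed by
 * kptr_restrict), "missing" (no candidate symbol in this kernel). */
const char *classify_lookup(const char *text, unsigned long *addr_out)
{
    const char *matched;
    unsigned long addr = find_symbol_in_text(text, debug_handler_names, &matched);

    if (addr_out)
        *addr_out = addr;
    if (!matched)
        return "missing";
    return addr ? "ok" : "hidden";
}

/* Constructed kallsyms excerpts for demonstration, not from a real kernel. */
static const char sample_new_kernel[] =
    "ffffffff81000000 T _stext\n"
    "ffffffff81c00000 T exc_debug\n";
static const char sample_old_kernel[] =
    "ffffffff81000000 T _stext\n"
    "ffffffff81a00000 T do_debug\n";
static const char sample_restricted[] =
    "0000000000000000 T _stext\n"
    "0000000000000000 T exc_debug\n";

/* Read the live /proc/kallsyms and explain why a lookup cannot proceed. */
int main(void)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    char *buf = NULL;
    size_t len = 0, cap = 0, n;
    unsigned long addr;
    const char *status;

    if (!f) {
        fprintf(stderr, "cannot open /proc/kallsyms: %s\n", strerror(errno));
        return 1;
    }
    do {
        if (len + 4096 + 1 > cap) {
            cap = cap ? cap * 2 : 1 << 16;
            buf = realloc(buf, cap);
            if (!buf) { fclose(f); return 1; }
        }
        n = fread(buf + len, 1, 4096, f);
        len += n;
    } while (n > 0);
    fclose(f);
    buf[len] = '\0';
    status = classify_lookup(buf, &addr);
    free(buf);
    if (strcmp(status, "ok") != 0) {
        fprintf(stderr, "#DB handler lookup: %s (tried exc_debug, do_debug); "
                "run as root or with kptr_restrict=0\n", status);
        return 1;
    }
    printf("handler at %#lx\n", addr);
    return 0;
}
```

Trying the names in preference order keeps the test working across the rename while still distinguishing "this kernel has neither symbol" from "the symbol is there but the reader lacks permission to see its address", which is the difference between a test that should be skipped and a test environment that is misconfigured.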