Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp164708pxb; Wed, 20 Jan 2021 04:05:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJyeAVz9bEPDPKLXKJfZmOwGwac77j1NCK/S78MbP56dFuhL17sOUSNFlDMGJ4cyorfUSr00 X-Received: by 2002:a17:906:e085:: with SMTP id gh5mr5979642ejb.418.1611144254413; Wed, 20 Jan 2021 04:04:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611144254; cv=none; d=google.com; s=arc-20160816; b=spiYJ4aapdscuVkb3FG2GG93fIKRo79TVjvHnt9y4On95GeGNS/6LZZtaJLv+KzAYS gdf60Xc1PftvtyKOSFhPGFfdH9gkV+ryA6LFLDkEzgA8yp8qju884FbunkIkg5It89r+ C++F+7grC0QSuKYirf/F25hKe/X/eV7LC+jyJ0mE6IP+sOY0nbOR47YAjGRvFcKuHKOq xxiCFMD+H38Jw566v+0BhyVENNNQcRIQU2NYKdzPJlIMzmnh5oCA6K6p01JnpZdewXVV +DJsTVwunenUdiaXOm+QXBOeocn7dJWqL0rp6EBgmuZObuGhwLhfF9JNHq8XjVoDw1ju S3nQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:references:cc :to:subject:from:dkim-signature; bh=CyW5Qbxq9N1t1UZrJNM8DsMRdqMrHyEtG3AdPXB4sss=; b=tys52m78Nza97EUdtr0l7NXGOtSCIrbuVCmHfdmHpi+NMDWVqs1jSkXR9oWMXS1Xhx RavZjwFyC0hoLo0ZFfqVoFg2Nz1ybxstIXLQCDsAZR1G48aBwZy4HX83Y+IgcIeiK7SD vVlA3wm6ci8+kyVqdM6jcI383eHJmHWcR5zGcb8JiFw0QCYCBJ9+T5IjA7slMSVER8Vw 8PwbYBPHMLSYK4S6wzGXFiwp7U+MKPNqB//rKQ6KbgCInWUMZi8aow4XnnAvTmz1PjN0 LcVo9XMzmflVKwrUuRH47eVOZo2cE/ND154rKqe48qIJ2azq73mhcDux2l6dvHU7pEJ2 kq8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=i74W1JXj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n15si762090edy.536.2021.01.20.04.03.41; Wed, 20 Jan 2021 04:04:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=i74W1JXj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388085AbhATLmw (ORCPT + 99 others); Wed, 20 Jan 2021 06:42:52 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:20240 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389317AbhATLUO (ORCPT ); Wed, 20 Jan 2021 06:20:14 -0500 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 10KB2uQp158536; Wed, 20 Jan 2021 06:18:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : subject : to : cc : references : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=CyW5Qbxq9N1t1UZrJNM8DsMRdqMrHyEtG3AdPXB4sss=; b=i74W1JXjl1dCDAs3j5BlMMStrybUk7J32cgTEaK6DlgYCYNjcsxO5F8jLLX4Zq5LKAV2 YMegeVwjqDHZazPFBmq1ryqq9OPonveGJ/kH4EvGcEGgNVFexYcMQJNJ0D0Q9z6XS9sD ++BN/IfcyRwIk1LaoJ4v3NW4TAOSEoPWS0M0leVmqYEZMwXLp6HA8S9e1DPjLKY2rqQ4 81fNRV+3wVCoy0XjVpHRQjFVDDMz6UJ0qwADgc3xYag8t36BF7vbnP6YSrZnuyIJUozZ fDthUMKC5WIR5eZYq5ucpkwyB3FXvYwRCEbjfJN4GdkX+ZMiCLOJFdyRo612Pbnhxkd/ pA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 366j4bthpy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Jan 2021 06:18:30 -0500 Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 10KB3TOg163732; Wed, 20 Jan 2021 06:18:30 -0500 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0a-001b2d01.pphosted.com with ESMTP id 366j4bthnd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Jan 2021 06:18:30 -0500 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 10KBGhAN031500; Wed, 20 Jan 2021 11:18:28 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma06ams.nl.ibm.com with ESMTP id 3668nwrgr2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Jan 2021 11:18:27 +0000 Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 10KBIOSj38732134 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Jan 2021 11:18:24 GMT Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 978E652054; Wed, 20 Jan 2021 11:18:24 +0000 (GMT) Received: from [9.199.40.105] (unknown [9.199.40.105]) by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id 5DCD65204E; Wed, 20 Jan 2021 11:18:22 +0000 (GMT) From: Ravi Bangoria Subject: Re: [PATCH] powerpc/uprobes: Don't allow probe on suffix of prefixed instruction To: Oleg Nesterov Cc: mpe@ellerman.id.au, rostedt@goodmis.org, paulus@samba.org, jniethe5@gmail.com, naveen.n.rao@linux.ibm.com, sandipan@linux.ibm.com, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Ravi Bangoria References: <20210119091234.76317-1-ravi.bangoria@linux.ibm.com> <20210119172603.GA16696@redhat.com> Message-ID: Date: Wed, 20 Jan 2021 16:48:21 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <20210119172603.GA16696@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343,18.0.737 definitions=2021-01-20_02:2021-01-18,2021-01-20 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 spamscore=0 mlxscore=0 impostorscore=0 malwarescore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 priorityscore=1501 suspectscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2101200060 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/19/21 10:56 PM, Oleg Nesterov wrote: > On 01/19, Ravi Bangoria wrote: >> >> Probe on 2nd word of a prefixed instruction is invalid scenario and >> should be restricted. > > I don't understand this ppc-specific problem, but... So far (upto Power9), instruction size was fixed - 4 bytes. But Power10 introduced a prefixed instruction which consist of 8 bytes, where first 4 bytes is prefix and remaining is suffix. This patch checks whether the Uprobe is on the 2nd word (suffix) of a prefixed instruction. If so, consider it as invalid Uprobe. > >> +#ifdef CONFIG_PPC64 >> +int arch_uprobe_verify_opcode(struct page *page, unsigned long vaddr, >> + uprobe_opcode_t opcode) >> +{ >> + uprobe_opcode_t prefix; >> + void *kaddr; >> + struct ppc_inst inst; >> + >> + /* Don't check if vaddr is pointing to the beginning of page */ >> + if (!(vaddr & ~PAGE_MASK)) >> + return 0; > > So the fix is incomplete? Or insn at the start of page can't be prefixed? Prefixed instruction can not cross 64 byte boundary. If it does, kernel generates SIGBUS. Considering all powerpc supported page sizes to be multiple of 64 bytes, there will never be a scenario where prefix and suffix will be on different pages. i.e. a beginning of the page should never be a suffix. > >> +int __weak arch_uprobe_verify_opcode(struct page *page, unsigned long vaddr, >> + uprobe_opcode_t opcode) >> +{ >> + return 0; >> +} >> + >> static int verify_opcode(struct page *page, unsigned long vaddr, uprobe_opcode_t *new_opcode) >> { >> uprobe_opcode_t old_opcode; >> @@ -275,6 +281,8 @@ static int verify_opcode(struct page *page, unsigned long vaddr, uprobe_opcode_t >> if (is_swbp_insn(new_opcode)) { >> if (is_swbp) /* register: already installed? */ >> return 0; >> + if (arch_uprobe_verify_opcode(page, vaddr, old_opcode)) >> + return -EINVAL; > > Well, this doesn't look good... > > To me it would be better to change the prepare_uprobe() path to copy > the potential prefix into uprobe->arch and check ppc_inst_prefixed() > in arch_uprobe_analyze_insn(). What do you think? Agreed. The only reason I was checking via verify_opcode() is to make the code more simpler. If I need to check via prepare_uprobe(), I'll need to abuse uprobe->offset by setting it to uprobe->offset - 4 to read previous 4 bytes of current instruction. Which, IMHO, is not that straightforward with current implementation of prepare_uprobe(). But while replying here, I'm thinking... I should be able to grab a page using mm and vaddr, which are already available in arch_uprobe_analyze_insn(). With that, I should be able to do all this inside arch_uprobe_analyze_insn() only. I'll try this and send v2 if that works. Thanks for the review. Ravi