Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1049563pxb; Thu, 23 Sep 2021 17:01:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxCADUpZef/QwajIsYi4lHPZw8wE8EEt28CE7ElqDC9RcqBEEmsKzzT8h55pNjRpC/pf+fx X-Received: by 2002:a6b:f610:: with SMTP id n16mr6382215ioh.139.1632441690474; Thu, 23 Sep 2021 17:01:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632441690; cv=none; d=google.com; s=arc-20160816; b=u4DXAU0FeOyk9WQWtvA844auvth7Jb2BaaXf5DI++bm28NFK3V3QVHUJKHSzuLXnS1 tbg/2Lok03fHOCsRfxn0g4pAEeMbz54wdRvp/U1OTbmKTqxX6MBjry2R9jUvXONCskPR jKgX2O95wFRFgIRFnUpBqYXWS+ydr99FQL2D9Bgrd7IIDw7G3uRMN4x0tLPSDkQljre8 ts795HdC0XaTK2QENzQwRnrYjod0lZQkMFFx+aJjZGr4ZnsuZmEDZTw6KrQkNGm7/hs0 jL+OmrjLkIESTvW+I0L71AdrPyUCqNWwrRrhFiFkqEslig6dkulahWh8Q+L9TD6O6rWi Pd0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Qi8HgtyrCEdGuJ+L8YfwlMZt/zmOidfROSszD9FUYeg=; b=G2UHOoUwtjlUozrjXPBj4opObesAHdMLanhfyc3AJ/MNmltgwCmB8EBeNs+FjP4tUq pktccair0mvWbW6ckcqu6RpH59ObJjpVs2yiRQlwcrusk2PUtQs8/S09E9qRLE0X3SIq vh9RYjQAUYhC4iIqfqQ5rpILAwPEYPjqhOUgeYNMOtCcnUFiiR/FW5GZkOcV+DE6T9Wk 9N3mdj+K5cTrQk6zCTQKq0qXBy3GljgXm73rMw9xKAfC44RfnSejwgzI1KjCGDxXNhp2 ctRkxpC0qV0UmGBtdQeeXNmCpUTNaP4tRKzrDfSPVSZP5cCqQO8WXcPPv1Yyj99/CZx/ x9Bw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oCI5rINr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a9si8336592ilt.69.2021.09.23.17.01.13; Thu, 23 Sep 2021 17:01:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=oCI5rINr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243606AbhIXAB4 (ORCPT + 99 others); Thu, 23 Sep 2021 20:01:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240701AbhIXABz (ORCPT ); Thu, 23 Sep 2021 20:01:55 -0400 Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DF210C061574 for ; Thu, 23 Sep 2021 17:00:22 -0700 (PDT) Received: by mail-lf1-x130.google.com with SMTP id b15so32068386lfe.7 for ; Thu, 23 Sep 2021 17:00:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qi8HgtyrCEdGuJ+L8YfwlMZt/zmOidfROSszD9FUYeg=; b=oCI5rINrSal/Lq36k/v4ZEsMxbuOGSZK/avzUJJraL+tIzZ0qW1vzioaxmbZGMXLU0 n2dMVHl0ADtcT7EdhRZO4O9EjCpeXtmT7B9E3SmOCUE85jsv8c6G6dXEwa/INU+jkHHc kmNcIC5AzLIU/JYsO7EJ/7IeUI1wkuyLGrjsHDxPGsLj1+VvWzjkSJglMJkKtdRN0ENU QMeAFqJ2BdhQfWDsEGenNHJXYtzWCxC8cnJJ6D2VI6aG1GmUo8QEkh73KV9rvomVUgZd j9k0MxVRP1Sxxla8jB8s5oaEtMsKWjvsI95mhA7Le/NPxKIoSGuFv72rjzpIu1C4XWyo TekA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qi8HgtyrCEdGuJ+L8YfwlMZt/zmOidfROSszD9FUYeg=; b=ebB60wK5WXlG44bB6yHyLKiqrzCY7Wr2f0+YGcvzH/7CzGtYgxoU7wmmRTdV1wS8PG WLyDAJCYHiNkcXectqSAxxzo8TXHXxBI6xDvF2MEER+3ScxRsZr8/gZx8Ct+Nd67kRmO dmmIWNE6eK8yvdN5P3ue+/aFB6bMLXz8N5D3dpqPeY+qJBs5FBAnEOUe76NocIapCOLr ++quaSNrHuFG9Qn1/R+BIaBIrORYOzDvEEF9JRYzPOubPWmzsFy+Fxmf1NQR0HxTX8B7 zKtOMGGmPn30QJtqkqL3xyPl39gFHE6zuSyq1BYYKa9dWFyy0NLJeQJvA+izBJ3TkhBD 3HcA== X-Gm-Message-State: AOAM5328RnBFkLF24lphOV2pJA0JDk4JKE7qwKH5QJAVo+mJNIar04Dq pg3WcWj1vKmWZjM3u3BXoYiGzlzYEoZimtTcX49xeQ== X-Received: by 2002:a2e:5853:: with SMTP id x19mr7943180ljd.93.1632441620815; Thu, 23 Sep 2021 17:00:20 -0700 (PDT) MIME-Version: 1.0 References: <20210921193249.el476vlhg5k6lfcq@shells.gnugeneration.com> <20210922001537.4ktg3r2ky3b3r6yp@treble> <202109211931.E6E33500E8@keescook> In-Reply-To: <202109211931.E6E33500E8@keescook> From: Jann Horn Date: Fri, 24 Sep 2021 01:59:54 +0200 Message-ID: Subject: Re: CONFIG_ORC_UNWINDER=y breaks get_wchan()? To: Kees Cook Cc: Josh Poimboeuf , Vito Caputo , linux-kernel , x86@kernel.org, Qi Zheng , peterz@infradead.org, luto@kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 22, 2021 at 5:05 AM Kees Cook wrote: > On Tue, Sep 21, 2021 at 05:15:37PM -0700, Josh Poimboeuf wrote: > > On Tue, Sep 21, 2021 at 12:32:49PM -0700, Vito Caputo wrote: > > > Is this an oversight of the ORC_UNWINDER implementation? It's > > > arguably a regression to completely break wchans for tools like `ps -o > > > wchan` and `top`, or my window manager and its separate monitoring > > > utility. Presumably there are other tools out there sampling wchans > > > for monitoring as well, there's also an internal use of get_chan() in > > > kernel/sched/fair.c for sleep profiling. > > > > > > I've occasionally seen when monitoring at a high sample rate (60hz) on > > > something churny like a parallel kernel or systemd build, there's a > > > spurious non-zero sample coming out of /proc/[pid]/wchan containing a > > > hexadecimal address like 0xffffa9ebc181bcf8. This all smells broken, > > > is get_wchan() occasionally spitting out random junk here kallsyms > > > can't resolve, because get_chan() is completely ignorant of > > > ORC_UNWINDER's effects? > > > > Hi Vito, > > > > Thanks for reporting this. Does this patch fix your issue? > > > > https://lkml.kernel.org/r/20210831083625.59554-1-zhengqi.arch@bytedance.com > > > > Though, considering wchan has been silently broken for four years, I do > > wonder what the impact would be if we were to just continue to show "0" > > (and change frame pointers to do the same). > > > > The kernel is much more cautious than it used to be about exposing this > > type of thing. Can you elaborate on your use case? > > > > If we do keep it, we might want to require CAP_SYS_ADMIN anyway, for > > similar reasons as > > > > f8a00cef1720 ("proc: restrict kernel stack dumps to root") > > Normally wchan is protected by: > > ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS) > > I might argue that this check isn't right -- it needs to be using > f_cred, but I'll let Jann answer more there. > > > ... since presumably proc_pid_wchan()'s use of '%ps' can result in an > > actual address getting printed if the unwind gets confused, thanks to > > __sprint_symbol()'s backup option if kallsyms_lookup_buildid() doesn't > > find a name. > > Ew, yeah, __sprint_symbol() falls back to exposing addresses. :( > > name = kallsyms_lookup_buildid(address, &size, &offset, &modname, &buildid, > buffer); > if (!name) > return sprintf(buffer, "0x%lx", address - symbol_offset); Whaaaat? That's not how wchan worked when I looked at this the last time a few years ago... ... ah, commit 152c432b128cb ("proc/wchan: use printk format instead of lookup_symbol_name()") is to blame for that. > Thought I can't immediately think of what wouldn't be symbolized by > kallsyms_lookup_buildid(), but given it fails open, I can totally > believe there is. :) One thing that makes /proc/$pid/wchan and /proc/$pid/stack so awful is that they unwind a task's stack without ensuring that that stack isn't actually running. That's why /proc/$pid/stack got restricted to root years ago, see - I wrote an exploit back then that manages to read a pointer from an arbitrary stack location via /proc/$pid/stack. > is_ksym_addr() > module_address_lookup() > bpf_address_lookup() > ftrace_mod_address_lookup() > > > Though, instead of requiring CAP_SYS_ADMIN, maybe we can just fix > > __sprint_symbol() to not expose addresses? > > > > Or is there some other reason for needing CAP_SYS_ADMIN? Jann? > > While it's not very high fidelity, I don't like having the kernel > symbols exposed like this because userspace can basically sample the > execution path of syscalls, etc. It's not a raw value, but it still > creeps me out given that it can be probed. > > So, if it's been broken for 4 years under ORC, how about we just disable > wchan permanently? (Untested...) If that's possible, I would like it very much. I don't know whether there are people on arm64 or so that rely on it though...