Received: by 2002:a05:7412:9c07:b0:fa:6e18:a558 with SMTP id lr7csp505721rdb; Sat, 27 Jan 2024 17:20:17 -0800 (PST) X-Google-Smtp-Source: AGHT+IFiT9IDs0qn7TmtnTjGgXGaUP9nt+Dg85Htc2cs8s11pWeoD3Aa7cWiTnyu9pxNVF0akjaH X-Received: by 2002:a17:90a:744a:b0:294:1f38:eb04 with SMTP id o10-20020a17090a744a00b002941f38eb04mr878604pjk.98.1706404817328; Sat, 27 Jan 2024 17:20:17 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706404817; cv=pass; d=google.com; s=arc-20160816; b=Y0WdWSUyXqTQ2147cYgiRzJTIjkuWNJWO8v1JKK73hdSzePeoB6En9v0wUJXR0T3Ep X9EzUg8gYDg0VrZqU0ZJXVhbnDL11XhvsRdurtTWxVMFWQCqNDq781NhpHczXSBoMz6H yClfqO1HDpBSdfiHFlHMPkBAxb5IbhM18ObtnH46INOtisyXMAcbpnt4cutZkQo9BO+f OLfn4r7h2yNyVKcCdMhHnYi/U9/UrmFwlFww+8u+Hlq0CLT05Zn1soPa5mJpezLKYjue E48wSr7kxt4BR2ezF/1HHG/5iBBYuKzlOqkGIpRKOEVPe09zkbgaJ4tbi78Uv2d16bmt obEg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=C35BmEDCxGPxKvIBcnjhgkcz//hmOtFqBqfDtfHqbac=; fh=aQ6xdtKm40b9V1iEDYhFPH4GPq1qi4o5cLJf1fitBXQ=; b=QcLlgyuRcITm2rSUbjgAc95DdB+TrBj0R6rpXZjGNWQxUFOZ+7840OGPyKftrB2iPd x+R8lwpal7gk9LPi1eZ4SKbAf8RhpwwYnMb8ULlRP11i3ePprSlaflp3aOONv6KJS1LP fPNhGaM1UupfKt2Ct8vPci9aqAX1kKwzsG3am4ZL01A9q6e0ec/F7n1FSw3oXONK7r8W BeTMbIXCunUszd6E5/B7zED1FPkbPSe1yeZ75hu9o//MxPygoBVEFjOY23Q2L1FV/dO/ TvB0PcxItlSnggmfTcxNZwNqdpn+GxsrjSfYuBDBdgow1D1Qp7TZUESKD2DdnuP/iTh+ 9duw== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FeSr2jMd; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-41490-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-41490-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id s1-20020a17090a2f0100b0029520eecff4si2008846pjd.158.2024.01.27.17.20.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 27 Jan 2024 17:20:17 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-41490-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FeSr2jMd; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-41490-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-41490-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 9191CB20F3E for ; Sun, 28 Jan 2024 01:19:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 45B77137E; Sun, 28 Jan 2024 01:19:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FeSr2jMd" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6655910F4; Sun, 28 Jan 2024 01:19:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706404757; cv=none; b=lRDOOVxoNt0dkYXxDzGDTbQflKGN+66yxXQJr4FOhhvjoQiec2LEaveW1y5Qp7Hdsvk75dFofI/9c9/sqjd/ZvspJe5QtP8JclRSIjrbE0ji3nmEgMyVqeuhKpVi7rO+g8+83OUIJhTkgmc6DiZmo9MmqDMwKnJAgwk/quUJvR0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706404757; c=relaxed/simple; bh=4vN+Wp5R3Xg7vb/yOU6Y+a5jTOevSrMskJGWjb3v2Y0=; h=Date:From:To:Cc:Subject:Message-Id:In-Reply-To:References: Mime-Version:Content-Type; b=bwrQnQozfqe8N3pb3wKIV4Jr5pwzjsrEvcWv3iqqmrrrLFcBC/4ja9EN4MUth6kC+/3Oz1oiwBdWn3XTHHUX0xiPQJjZMTebDBYid8C+otzbruuPEyYJf6KOeTho+4NPriMQQlh7fMrezAaIyfXlR64OcNadD/oToQ6r/tzcuyI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FeSr2jMd; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9C0CDC433C7; Sun, 28 Jan 2024 01:19:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1706404756; bh=4vN+Wp5R3Xg7vb/yOU6Y+a5jTOevSrMskJGWjb3v2Y0=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=FeSr2jMd/GLT9e1K3PGk6edrX1iMnsKOR2ww2aB0wC+6/U79exBGgoWgHMVYx6IcA wIz3qsSJfba/SpH+UHDrvbIqBpI0UVLpaHJ8iawunE/7+2M7MPGEA6eh5znmIoSm5T 22I3XJQJiKNdKXbECqilLFH7lKnvSBXPkO8DEnpCVRX81FCNxz4Sx/CLzTvvVCPqeD krl8UXCTYKb3KxxhPv0AFk0pVTliGUlqiQNnfHdWFp1XxWbRf0F+SpcoJ1BBfrQvs1 NTQxYEAs70vo1QcWo2tmn5i7Vjg+QjIVKdXV4Ly+BIn1yoGIq4YNIcAU/R3PhACoVD +kbep/BXwHBFQ== Date: Sun, 28 Jan 2024 10:19:12 +0900 From: Masami Hiramatsu (Google) To: Jinghao Jia Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Peter Zijlstra , linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [RFC PATCH 1/2] x86/kprobes: Prohibit kprobing on INT and UD Message-Id: <20240128101912.5ad6717347bd66089ecea03a@kernel.org> In-Reply-To: <20240127044124.57594-2-jinghao7@illinois.edu> References: <20240127044124.57594-1-jinghao7@illinois.edu> <20240127044124.57594-2-jinghao7@illinois.edu> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Fri, 26 Jan 2024 22:41:23 -0600 Jinghao Jia wrote: > Both INTs (INT n, INT1, INT3, INTO) and UDs (UD0, UD1, UD2) serve > special purposes in the kernel, e.g., INT3 is used by KGDB and UD2 is > involved in LLVM-KCFI instrumentation. At the same time, attaching > kprobes on these instructions (particularly UDs) will pollute the stack > trace dumped in the kernel ring buffer, since the exception is triggered > in the copy buffer rather than the original location. > > Check for INTs and UDs in can_probe and reject any kprobes trying to > attach to these instructions. > Thanks for implement this check! > Suggested-by: Masami Hiramatsu (Google) > Signed-off-by: Jinghao Jia > --- > arch/x86/kernel/kprobes/core.c | 33 ++++++++++++++++++++++++++------- > 1 file changed, 26 insertions(+), 7 deletions(-) > > diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c > index e8babebad7b8..792b38d22126 100644 > --- a/arch/x86/kernel/kprobes/core.c > +++ b/arch/x86/kernel/kprobes/core.c > @@ -252,6 +252,22 @@ unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long add > return __recover_probed_insn(buf, addr); > } > > +static inline int is_exception_insn(struct insn *insn) > +{ > + if (insn->opcode.bytes[0] == 0x0f) { > + /* UD0 / UD1 / UD2 */ > + return insn->opcode.bytes[1] == 0xff || > + insn->opcode.bytes[1] == 0xb9 || > + insn->opcode.bytes[1] == 0x0b; > + } else { If "else" block just return, you don't need this "else". bool func() { if (cond) return ... return ... } Is preferrable because this puts "return val" always at the end of non-void function. > + /* INT3 / INT n / INTO / INT1 */ > + return insn->opcode.bytes[0] == 0xcc || > + insn->opcode.bytes[0] == 0xcd || > + insn->opcode.bytes[0] == 0xce || > + insn->opcode.bytes[0] == 0xf1; > + } > +} > + > /* Check if paddr is at an instruction boundary */ > static int can_probe(unsigned long paddr) > { > @@ -294,6 +310,16 @@ static int can_probe(unsigned long paddr) > #endif > addr += insn.length; > } > + __addr = recover_probed_instruction(buf, addr); > + if (!__addr) > + return 0; > + > + if (insn_decode_kernel(&insn, (void *)__addr) < 0) > + return 0; > + > + if (is_exception_insn(&insn)) > + return 0; > + Please don't put this outside of decoding loop. You should put these in the loop which decodes the instruction from the beginning of the function. Since the x86 instrcution is variable length, can_probe() needs to check whether that the address is instruction boundary and decodable. Thank you, > if (IS_ENABLED(CONFIG_CFI_CLANG)) { > /* > * The compiler generates the following instruction sequence > @@ -308,13 +334,6 @@ static int can_probe(unsigned long paddr) > * Also, these movl and addl are used for showing expected > * type. So those must not be touched. > */ > - __addr = recover_probed_instruction(buf, addr); > - if (!__addr) > - return 0; > - > - if (insn_decode_kernel(&insn, (void *)__addr) < 0) > - return 0; > - > if (insn.opcode.value == 0xBA) > offset = 12; > else if (insn.opcode.value == 0x3) > -- > 2.43.0 > -- Masami Hiramatsu (Google)