Date: Wed, 20 Mar 2024 17:12:03 +0900
From: Masami Hiramatsu (Google)
To: Jinghao Jia
Cc: Linux Trace Kernel, LKML, Steven Rostedt, Qiang Zhang, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Peter Zijlstra, x86@kernel.org
Subject: Re: [PATCH v2] kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address
Message-Id: <20240320171203.d493d214dea91a18114994cd@kernel.org>
In-Reply-To: <12453ce8-0b78-4c1c-9aca-de4cc366e3e1@illinois.edu>
References: <20240315000753.a448251fce0291e041f76c13@kernel.org>
 <171042945004.154897.2221804961882915806.stgit@devnote2>
 <20240316224630.01bd6b91938720f5083e0d07@kernel.org>
 <12453ce8-0b78-4c1c-9aca-de4cc366e3e1@illinois.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 17 Mar 2024 10:53:59 -0500
Jinghao Jia wrote:

> 
> 
> On 3/16/24 08:46, Masami Hiramatsu (Google) wrote:
> > On Thu, 14 Mar 2024 18:56:35 -0500
> > Jinghao Jia wrote:
> > 
> >> On 3/14/24 10:17, Masami Hiramatsu (Google) wrote:
> >>> From: Masami Hiramatsu (Google)
> >>>
> >>> Read from an unsafe address with copy_from_kernel_nofault() in
> >>> arch_adjust_kprobe_addr() because this function is used before checking
> >>> whether the address is in text or not. The syzkaller bot found a bug and
> >>> reported the case: if the user specifies an inaccessible data area,
> >>> arch_adjust_kprobe_addr() will cause a kernel panic.
> >>
> >> IMHO there is a check on the address in kallsyms_lookup_size_offset to see
> >> if it is a kernel text address before arch_adjust_kprobe_addr is invoked.
> > 
> > Yeah, kallsyms does not ensure the page (especially data) exists.
> > 
> >>
> >> The call chain is:
> >>
> >> register_kprobe()
> >>   _kprobe_addr()
> >>     kallsyms_lookup_size_offset()   <- check on addr is here
> >>     arch_adjust_kprobe_addr()
> >>
> >> I wonder why this check was not able to capture the problem in this bug
> >> report (I cannot reproduce it locally).
> > 
> > I could reproduce it locally; it tried to access 'Y' data.
> > (I attached my .config.) And I ensured that this fixed the problem.
> > 
> > The reproduce test actually tried to access the initdata area:
> > 
> > ffffffff82fb5450 d __alt_reloc_selftest_addr
> > ffffffff82fb5460 d int3_exception_nb.1
> > ffffffff82fb5478 d tsc_early_khz
> > ffffffff82fb547c d io_delay_override
> > ffffffff82fb5480 d fxregs.0
> > ffffffff82fb5680 d y                 <--- access this
> > ffffffff82fb5688 d x
> > ffffffff82fb56a0 d xsave_cpuid_features
> > ffffffff82fb56c8 d l1d_flush_mitigation
> > 
> > `y` is too generic, so check `io_delay_override`, which is on the
> > same page.
> > 
> > $ git grep io_delay_override
> > arch/x86/kernel/io_delay.c:static int __initdata io_delay_override;
> > 
> > As you can see, it is marked as `__initdata`, and the initdata has been
> > freed before starting /init.
> > 
> > ----
> > [    2.679161] Freeing unused kernel image (initmem) memory: 2888K
> > [    2.688731] Write protecting the kernel read-only data: 24576k
> > [    2.691802] Freeing unused kernel image (rodata/data gap) memory: 1436K
> > [    2.746994] x86/mm: Checked W+X mappings: passed, no W+X pages found.
> > [    2.748022] x86/mm: Checking user space page tables
> > [    2.789520] x86/mm: Checked W+X mappings: passed, no W+X pages found.
> > [    2.790527] Run /init as init process
> > ----
> > 
> > So this has been caused by accessing freed initdata.
> 
> Thanks a lot for the explanation! I have confirmed the bug and tested the
> patch with CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y (which explicitly marks
> the init pages as not-present after boot).
> 
> Tested-by: Jinghao Jia
> 

Thank you for testing!

Regards,

-- 
Masami Hiramatsu (Google)
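The failure mode discussed in the thread, as an added user-space model that is not kernel code and not part of the patch: a symbol table (standing in for kallsyms) still resolves a name to an address after the page behind it has been released, the way `__initdata` symbols survive `Freeing unused kernel image (initmem)`, so a plain dereference of the looked-up address faults. `copy_nofault()` plays the role of `copy_from_kernel_nofault()` and turns that fault into an error return instead of a crash. Everything here is an assumption of the example: the two-page "image", the `struct ksym` table, the symbol names and the byte patterns are constructed, and the fault is caught with a `SIGSEGV`/`SIGBUS` handler plus `siglongjmp`, whereas the kernel uses exception-table fixups for `copy_from_kernel_nofault()`. It needs a POSIX system with `mmap`/`mprotect` (tested on Linux).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_active;

static void probe_fault_handler(int sig)
{
	if (probe_active)
		siglongjmp(probe_env, 1);	/* fault inside copy_nofault(): unwind to it */
	signal(sig, SIG_DFL);			/* unrelated fault: crash the normal way */
	raise(sig);
}

/* Copy len bytes from src into dst; 0 on success, -1 if src faults (EFAULT analogue). */
int copy_nofault(void *dst, const void *src, size_t len)
{
	struct sigaction sa, old_segv, old_bus;
	int rc;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = probe_fault_handler;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_NODEFER;
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);

	if (sigsetjmp(probe_env, 1) == 0) {
		const volatile unsigned char *s = src;	/* volatile: the loads must really be issued */
		unsigned char *d = dst;
		size_t i;

		probe_active = 1;
		for (i = 0; i < len; i++)
			d[i] = s[i];
		rc = 0;
	} else {
		rc = -1;		/* a load faulted; handler jumped back here */
	}
	probe_active = 0;
	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);
	return rc;
}

/* Constructed stand-in for kallsyms: name -> address, no information about whether the page is live. */
struct ksym { const char *name; uintptr_t addr; };

/*
 * Map a two-page "image", register one symbol per page, release the second
 * page the way free_initmem() drops initdata, then probe both symbols through
 * copy_nofault().  Returns 0 when the live symbol reads back and the freed one
 * is reported as -1 instead of crashing; anything else returns -1.
 */
int run_scenario(void)
{
	long page = sysconf(_SC_PAGESIZE);
	unsigned char *image, byte = 0;
	struct ksym syms[2];
	int result;

	image = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
		     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (image == MAP_FAILED)
		return -1;
	memset(image, 0xAA, page);		/* "text": stays mapped */
	memset(image + page, 0xBB, page);	/* "initdata": released after boot */

	syms[0].name = "text_sym";     syms[0].addr = (uintptr_t)image;
	syms[1].name = "initdata_sym"; syms[1].addr = (uintptr_t)(image + page);

	/* "Freeing unused kernel image (initmem)": the table still lists initdata_sym. */
	if (mprotect(image + page, page, PROT_NONE) != 0) {
		munmap(image, 2 * page);
		return -1;
	}

	result = (copy_nofault(&byte, (const void *)syms[0].addr, 1) == 0 && byte == 0xAA) ? 0 : -1;
	if (copy_nofault(&byte, (const void *)syms[1].addr, 1) != -1)
		result = -1;	/* a read of the released page must fail, not succeed */

	munmap(image, 2 * page);
	return result;
}

int main(void)
{
	printf("scenario: %s\n", run_scenario() == 0 ? "freed page detected, no crash" : "unexpected");
	return 0;
}
```

The model always makes the released page fault by mapping it `PROT_NONE`. In a real kernel whether a freed initmem page actually faults depends on the configuration, which is why the reply above tests with `CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y`, where init pages are explicitly marked not-present after boot; without such a setting the same probe may silently read stale memory instead of crashing, and the fix is still needed because the address is untrusted either way.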