subject:"\[PATCH\] ARM\: Don't oops when userspace executes kgdb break instructions."

Re: [PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

2014-07-19 Thread Omar Sandoval

On Fri, Jul 18, 2014 at 03:51:31PM -0700, Omar Sandoval wrote:
> Don't break into kgdb when userspace executes the kernel break instructions
> (KGDB_BREAKINST and KGDB_COMPILED_BREAK). The kernel will oops in
> kgdb_handle_exception.
> 
> Signed-off-by: Omar Sandoval 
> ---
> The following program will immediately cause a kernel oops:
> .globl _start
> _start:
>   udf #65006  @ KGDB_BREAKINST
> 
>  arch/arm/kernel/kgdb.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c
> index 778c2f7..a74b53c 100644
> --- a/arch/arm/kernel/kgdb.c
> +++ b/arch/arm/kernel/kgdb.c
> @@ -160,12 +160,16 @@ static int kgdb_compiled_brk_fn(struct pt_regs *regs, 
> unsigned int instr)
>  static struct undef_hook kgdb_brkpt_hook = {
>   .instr_mask = 0x,
>   .instr_val  = KGDB_BREAKINST,
> + .cpsr_mask  = MODE_MASK,
> + .cpsr_val   = SVC_MODE,
>   .fn = kgdb_brk_fn
>  };
>  
>  static struct undef_hook kgdb_compiled_brkpt_hook = {
>   .instr_mask = 0x,
>   .instr_val  = KGDB_COMPILED_BREAK,
> + .cpsr_mask  = MODE_MASK,
> + .cpsr_val   = SVC_MODE,
>   .fn = kgdb_compiled_brk_fn
>  };
>  
> -- 
> 2.0.1

-- 

Following up/clarifying this. This only happens when the kernel is compiled
with CONFIG_KGDB. When a userspace program executes KGDB_BREAKINST or
KGDB_COMPILED_BREAK, the undef_hook for kgdb catches it. The reason in kdb_stub
defaults to KDB_REASON_OOPS, so the bug manifests itself as an oops caused by
userspace (a better description for the patch would be "Don't enter KGDB when
userspace executes kgdb break instructions"). This means that a buggy/malicious
program can take down the system just by executing an instruction.

ARM64 might have the same issue, but I don't have a board to test that on.

I verified that breaking normally (e.g., with kgdbwait or through
/proc/sysrq-trigger) still works.
—
Omar
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

2014-07-19 Thread Omar Sandoval

On Fri, Jul 18, 2014 at 03:51:31PM -0700, Omar Sandoval wrote:
 Don't break into kgdb when userspace executes the kernel break instructions
 (KGDB_BREAKINST and KGDB_COMPILED_BREAK). The kernel will oops in
 kgdb_handle_exception.
 
 Signed-off-by: Omar Sandoval osan...@osandov.com
 ---
 The following program will immediately cause a kernel oops:
 .globl _start
 _start:
   udf #65006  @ KGDB_BREAKINST
 
  arch/arm/kernel/kgdb.c | 4 
  1 file changed, 4 insertions(+)
 
 diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c
 index 778c2f7..a74b53c 100644
 --- a/arch/arm/kernel/kgdb.c
 +++ b/arch/arm/kernel/kgdb.c
 @@ -160,12 +160,16 @@ static int kgdb_compiled_brk_fn(struct pt_regs *regs, 
 unsigned int instr)
  static struct undef_hook kgdb_brkpt_hook = {
   .instr_mask = 0x,
   .instr_val  = KGDB_BREAKINST,
 + .cpsr_mask  = MODE_MASK,
 + .cpsr_val   = SVC_MODE,
   .fn = kgdb_brk_fn
  };
  
  static struct undef_hook kgdb_compiled_brkpt_hook = {
   .instr_mask = 0x,
   .instr_val  = KGDB_COMPILED_BREAK,
 + .cpsr_mask  = MODE_MASK,
 + .cpsr_val   = SVC_MODE,
   .fn = kgdb_compiled_brk_fn
  };
  
 -- 
 2.0.1

-- 

Following up/clarifying this. This only happens when the kernel is compiled
with CONFIG_KGDB. When a userspace program executes KGDB_BREAKINST or
KGDB_COMPILED_BREAK, the undef_hook for kgdb catches it. The reason in kdb_stub
defaults to KDB_REASON_OOPS, so the bug manifests itself as an oops caused by
userspace (a better description for the patch would be Don't enter KGDB when
userspace executes kgdb break instructions). This means that a buggy/malicious
program can take down the system just by executing an instruction.

ARM64 might have the same issue, but I don't have a board to test that on.

I verified that breaking normally (e.g., with kgdbwait or through
/proc/sysrq-trigger) still works.
—
Omar
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

2014-07-18 Thread Omar Sandoval

Don't break into kgdb when userspace executes the kernel break instructions
(KGDB_BREAKINST and KGDB_COMPILED_BREAK). The kernel will oops in
kgdb_handle_exception.

Signed-off-by: Omar Sandoval 
---
The following program will immediately cause a kernel oops:
.globl _start
_start:
udf #65006  @ KGDB_BREAKINST

 arch/arm/kernel/kgdb.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c
index 778c2f7..a74b53c 100644
--- a/arch/arm/kernel/kgdb.c
+++ b/arch/arm/kernel/kgdb.c
@@ -160,12 +160,16 @@ static int kgdb_compiled_brk_fn(struct pt_regs *regs, 
unsigned int instr)
 static struct undef_hook kgdb_brkpt_hook = {
.instr_mask = 0x,
.instr_val  = KGDB_BREAKINST,
+   .cpsr_mask  = MODE_MASK,
+   .cpsr_val   = SVC_MODE,
.fn = kgdb_brk_fn
 };
 
 static struct undef_hook kgdb_compiled_brkpt_hook = {
.instr_mask = 0x,
.instr_val  = KGDB_COMPILED_BREAK,
+   .cpsr_mask  = MODE_MASK,
+   .cpsr_val   = SVC_MODE,
.fn = kgdb_compiled_brk_fn
 };
 
-- 
2.0.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

2014-07-18 Thread Omar Sandoval

Don't break into kgdb when userspace executes the kernel break instructions
(KGDB_BREAKINST and KGDB_COMPILED_BREAK). The kernel will oops in
kgdb_handle_exception.

Signed-off-by: Omar Sandoval osan...@osandov.com
---
The following program will immediately cause a kernel oops:
.globl _start
_start:
udf #65006  @ KGDB_BREAKINST

 arch/arm/kernel/kgdb.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c
index 778c2f7..a74b53c 100644
--- a/arch/arm/kernel/kgdb.c
+++ b/arch/arm/kernel/kgdb.c
@@ -160,12 +160,16 @@ static int kgdb_compiled_brk_fn(struct pt_regs *regs, 
unsigned int instr)
 static struct undef_hook kgdb_brkpt_hook = {
.instr_mask = 0x,
.instr_val  = KGDB_BREAKINST,
+   .cpsr_mask  = MODE_MASK,
+   .cpsr_val   = SVC_MODE,
.fn = kgdb_brk_fn
 };
 
 static struct undef_hook kgdb_compiled_brkpt_hook = {
.instr_mask = 0x,
.instr_val  = KGDB_COMPILED_BREAK,
+   .cpsr_mask  = MODE_MASK,
+   .cpsr_val   = SVC_MODE,
.fn = kgdb_compiled_brk_fn
 };
 
-- 
2.0.1
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

Re: [PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

[PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

[PATCH] ARM: Don't oops when userspace executes kgdb break instructions.

4 matches

Site Navigation

Mail list logo

Footer information