Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
Hi Oleg, On Tue, May 5, 2020 at 12:47 AM Oleg Nesterov wrote: > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > some architectures (csky, s390, and sparc) don't do this. > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > the alignment check in arch_prepare_kprobe() on supported architectures, > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Another problem is __update_ref_ctr() which was wrong from the very > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > aligned to sizeof(short), __uprobe_register() should check this too. > > Cc: sta...@vger.kernel.org > Reported-by: Linus Torvalds > Suggested-by: Linus Torvalds > Signed-off-by: Oleg Nesterov > --- > kernel/events/uprobes.c | 16 > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > index ece7e13f6e4a..cc2095607c74 100644 > --- a/kernel/events/uprobes.c > +++ b/kernel/events/uprobes.c > @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct > file *file, > if (ret) > goto out; > > - /* uprobe_write_opcode() assumes we don't cross page boundary */ > - BUG_ON((uprobe->offset & ~PAGE_MASK) + > - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); > - > smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ > set_bit(UPROBE_COPY_INSN, &uprobe->flags); > > @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, > loff_t offset, > if (offset > i_size_read(inode)) > return -EINVAL; > > + /* > +* This ensures that copy_from_page(), copy_to_page() and > +* __update_ref_ctr() can't cross page boundary. > +*/ > + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) > + return -EINVAL; > + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short))) > + return -EINVAL; > + > retry: > uprobe = alloc_uprobe(inode, offset, ref_ctr_offset); > if (!uprobe) > @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, > unsigned long vaddr) > uprobe_opcode_t opcode; > int result; > > + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) > + return -EINVAL; > + > pagefault_disable(); > result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); > pagefault_enable(); > -- > 2.25.1.362.g51ebf55 > > Looks good to me, thx. Reviewed-by: Guo Ren -- Best Regards Guo Ren ML: https://lore.kernel.org/linux-csky/
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On Tue, May 5, 2020 at 2:41 AM Christian Borntraeger wrote: > > > > On 04.05.20 18:47, Oleg Nesterov wrote: > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > > some architectures (csky, s390, and sparc) don't do this. > > I think the idea was that the uprobe instruction is 2 bytes and instructions > are always aligned to 2 bytes on s390. (we can have 2,4 or 6 bytes). Agree, csky has two length-types of instructions (2,4 bytes). > > > > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > > the alignment check in arch_prepare_kprobe() on supported architectures, > > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Not sure if it would have been possible to try to create a uprobe on an > odd address. If yes, then the new IS_ALIGNED check certainly makes this > better for s390, so the patch looks sane. Adding Vasily and Sven to double > check. Also good to csky. -- Best Regards Guo Ren ML: https://lore.kernel.org/linux-csky/
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On Tue, 9 Jun 2020 09:48:45 -0700 Linus Torvalds wrote: > On Tue, Jun 9, 2020 at 8:30 AM Oleg Nesterov wrote: > > > > Looks like this patch was forgotten... > > > > Should I resend it? > > I guess I'll just take it directly, since it was triggered by me > complaining anyway. > > I had hoped it would go through the usual channels. Perhaps there was confusion about which tree it was suppose to go through :-/ -- Steve
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On Tue, Jun 9, 2020 at 8:30 AM Oleg Nesterov wrote: > > Looks like this patch was forgotten... > > Should I resend it? I guess I'll just take it directly, since it was triggered by me complaining anyway. I had hoped it would go through the usual channels. Linus
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
Looks like this patch was forgotten... Should I resend it? On 05/04, Oleg Nesterov wrote: > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > some architectures (csky, s390, and sparc) don't do this. > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > the alignment check in arch_prepare_kprobe() on supported architectures, > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Another problem is __update_ref_ctr() which was wrong from the very > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > aligned to sizeof(short), __uprobe_register() should check this too. > > Cc: sta...@vger.kernel.org > Reported-by: Linus Torvalds > Suggested-by: Linus Torvalds > Signed-off-by: Oleg Nesterov > --- > kernel/events/uprobes.c | 16 > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > index ece7e13f6e4a..cc2095607c74 100644 > --- a/kernel/events/uprobes.c > +++ b/kernel/events/uprobes.c > @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct > file *file, > if (ret) > goto out; > > - /* uprobe_write_opcode() assumes we don't cross page boundary */ > - BUG_ON((uprobe->offset & ~PAGE_MASK) + > - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); > - > smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ > set_bit(UPROBE_COPY_INSN, &uprobe->flags); > > @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, > loff_t offset, > if (offset > i_size_read(inode)) > return -EINVAL; > > + /* > + * This ensures that copy_from_page(), copy_to_page() and > + * __update_ref_ctr() can't cross page boundary. > + */ > + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) > + return -EINVAL; > + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short))) > + return -EINVAL; > + > retry: > uprobe = alloc_uprobe(inode, offset, ref_ctr_offset); > if (!uprobe) > @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, > unsigned long vaddr) > uprobe_opcode_t opcode; > int result; > > + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) > + return -EINVAL; > + > pagefault_disable(); > result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); > pagefault_enable(); > -- > 2.25.1.362.g51ebf55 >
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On 05/06, Steven Rostedt wrote: > > As this is in the kernel/events/ directory, I'm guessing it should be taken > through the tip tree? this would be great, thanks Steven. Oleg.
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On Wed, 6 May 2020 10:59:55 +0530 Srikar Dronamraju wrote: > * Oleg Nesterov [2020-05-04 18:47:25]: > > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > > some architectures (csky, s390, and sparc) don't do this. > > > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > > the alignment check in arch_prepare_kprobe() on supported architectures, > > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > > > Another problem is __update_ref_ctr() which was wrong from the very > > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > > aligned to sizeof(short), __uprobe_register() should check this too. > > > > Cc: sta...@vger.kernel.org > > Reported-by: Linus Torvalds > > Suggested-by: Linus Torvalds > > Signed-off-by: Oleg Nesterov > > Thanks Oleg. > > Looks good to me. > > Reviewed-by: Srikar Dronamraju > > --- > Thanks Oleg, Srikar and Sven. As this is in the kernel/events/ directory, I'm guessing it should be taken through the tip tree? -- Steve
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
* Oleg Nesterov [2020-05-04 18:47:25]: > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > some architectures (csky, s390, and sparc) don't do this. > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > the alignment check in arch_prepare_kprobe() on supported architectures, > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Another problem is __update_ref_ctr() which was wrong from the very > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > aligned to sizeof(short), __uprobe_register() should check this too. > > Cc: sta...@vger.kernel.org > Reported-by: Linus Torvalds > Suggested-by: Linus Torvalds > Signed-off-by: Oleg Nesterov Thanks Oleg. Looks good to me. Reviewed-by: Srikar Dronamraju > --- -- Thanks and Regards Srikar Dronamraju
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
Hi, On Mon, May 04, 2020 at 08:40:44PM +0200, Christian Borntraeger wrote: > > > On 04.05.20 18:47, Oleg Nesterov wrote: > > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > > some architectures (csky, s390, and sparc) don't do this. > > I think the idea was that the uprobe instruction is 2 bytes and instructions > are always aligned to 2 bytes on s390. (we can have 2,4 or 6 bytes). > > > > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > > the alignment check in arch_prepare_kprobe() on supported architectures, > > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. > > Not sure if it would have been possible to try to create a uprobe on an > odd address. If yes, then the new IS_ALIGNED check certainly makes this > better for s390, so the patch looks sane. Adding Vasily and Sven to double > check. I did a quick test, and without this patch it is possible to place a uprobe at an odd address. With the patch it fails with EINVAL, which is more reasonable. Regards Sven
Re: [PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
On 04.05.20 18:47, Oleg Nesterov wrote: > uprobe_write_opcode() must not cross page boundary; prepare_uprobe() > relies on arch_uprobe_analyze_insn() which should validate "vaddr" but > some architectures (csky, s390, and sparc) don't do this. I think the idea was that the uprobe instruction is 2 bytes and instructions are always aligned to 2 bytes on s390. (we can have 2,4 or 6 bytes). > > We can remove the BUG_ON() check in prepare_uprobe() and validate the > offset early in __uprobe_register(). The new IS_ALIGNED() check matches > the alignment check in arch_prepare_kprobe() on supported architectures, > so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. Not sure if it would have been possible to try to create a uprobe on an odd address. If yes, then the new IS_ALIGNED check certainly makes this better for s390, so the patch looks sane. Adding Vasily and Sven to double check. > > Another problem is __update_ref_ctr() which was wrong from the very > beginning, it can read/write outside of kmap'ed page unless "vaddr" is > aligned to sizeof(short), __uprobe_register() should check this too. > > Cc: sta...@vger.kernel.org > Reported-by: Linus Torvalds > Suggested-by: Linus Torvalds > Signed-off-by: Oleg Nesterov > --- > kernel/events/uprobes.c | 16 > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c > index ece7e13f6e4a..cc2095607c74 100644 > --- a/kernel/events/uprobes.c > +++ b/kernel/events/uprobes.c > @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct > file *file, > if (ret) > goto out; > > - /* uprobe_write_opcode() assumes we don't cross page boundary */ > - BUG_ON((uprobe->offset & ~PAGE_MASK) + > - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); > - > smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ > set_bit(UPROBE_COPY_INSN, &uprobe->flags); > > @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, > loff_t offset, > if (offset > i_size_read(inode)) > return -EINVAL; > > + /* > + * This ensures that copy_from_page(), copy_to_page() and > + * __update_ref_ctr() can't cross page boundary. > + */ > + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) > + return -EINVAL; > + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short))) > + return -EINVAL; > + > retry: > uprobe = alloc_uprobe(inode, offset, ref_ctr_offset); > if (!uprobe) > @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, > unsigned long vaddr) > uprobe_opcode_t opcode; > int result; > > + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) > + return -EINVAL; > + > pagefault_disable(); > result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); > pagefault_enable(); >
[PATCH] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
uprobe_write_opcode() must not cross page boundary; prepare_uprobe() relies on arch_uprobe_analyze_insn() which should validate "vaddr" but some architectures (csky, s390, and sparc) don't do this. We can remove the BUG_ON() check in prepare_uprobe() and validate the offset early in __uprobe_register(). The new IS_ALIGNED() check matches the alignment check in arch_prepare_kprobe() on supported architectures, so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. Another problem is __update_ref_ctr() which was wrong from the very beginning, it can read/write outside of kmap'ed page unless "vaddr" is aligned to sizeof(short), __uprobe_register() should check this too. Cc: sta...@vger.kernel.org Reported-by: Linus Torvalds Suggested-by: Linus Torvalds Signed-off-by: Oleg Nesterov --- kernel/events/uprobes.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index ece7e13f6e4a..cc2095607c74 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -867,10 +867,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, if (ret) goto out; - /* uprobe_write_opcode() assumes we don't cross page boundary */ - BUG_ON((uprobe->offset & ~PAGE_MASK) + - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); - smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ set_bit(UPROBE_COPY_INSN, &uprobe->flags); @@ -1166,6 +1162,15 @@ static int __uprobe_register(struct inode *inode, loff_t offset, if (offset > i_size_read(inode)) return -EINVAL; + /* +* This ensures that copy_from_page(), copy_to_page() and +* __update_ref_ctr() can't cross page boundary. +*/ + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) + return -EINVAL; + if (!IS_ALIGNED(ref_ctr_offset, sizeof(short))) + return -EINVAL; + retry: uprobe = alloc_uprobe(inode, offset, ref_ctr_offset); if (!uprobe) @@ -2014,6 +2019,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr) uprobe_opcode_t opcode; int result; + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) + return -EINVAL; + pagefault_disable(); result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); pagefault_enable(); -- 2.25.1.362.g51ebf55