Star64_linux/kernel/trace
Changbin Du 2c4f1fcbef kprobe: Do not use uaccess functions to access kernel memory that can fault
Userspace can ask kprobes to intercept strings at any memory address,
including invalid kernel addresses. In this case, fetch_store_strlen()
would crash since it uses a general usercopy function, and user access
functions are no longer allowed to access kernel memory.

For example, we can crash the kernel by doing something as below:

$ sudo kprobe 'p:do_sys_open +0(+0(%si)):string'

[  103.620391] BUG: GPF in non-whitelisted uaccess (non-canonical address?)
[  103.622104] general protection fault: 0000 [#1] SMP PTI
[  103.623424] CPU: 10 PID: 1046 Comm: cat Not tainted 5.0.0-rc3-00130-gd73aba1-dirty #96
[  103.625321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-2-g628b2e6-dirty-20190104_103505-linux 04/01/2014
[  103.628284] RIP: 0010:process_fetch_insn+0x1ab/0x4b0
[  103.629518] Code: 10 83 80 28 2e 00 00 01 31 d2 31 ff 48 8b 74 24 28 eb 0c 81 fa ff 0f 00 00 7f 1c 85 c0 75 18 66 66 90 0f ae e8 48 63 ca 89 f8 <8a> 0c 31 66 66 90 83 c2 01 84 c9 75 dc 89 54 24 34 89 44 24 28 48
[  103.634032] RSP: 0018:ffff88845eb37ce0 EFLAGS: 00010246
[  103.635312] RAX: 0000000000000000 RBX: ffff888456c4e5a8 RCX: 0000000000000000
[  103.637057] RDX: 0000000000000000 RSI: 2e646c2f6374652f RDI: 0000000000000000
[  103.638795] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  103.640556] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[  103.642297] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  103.644040] FS:  0000000000000000(0000) GS:ffff88846f000000(0000) knlGS:0000000000000000
[  103.646019] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  103.647436] CR2: 00007ffc79758038 CR3: 0000000463360006 CR4: 0000000000020ee0
[  103.649147] Call Trace:
[  103.649781]  ? sched_clock_cpu+0xc/0xa0
[  103.650747]  ? do_sys_open+0x5/0x220
[  103.651635]  kprobe_trace_func+0x303/0x380
[  103.652645]  ? do_sys_open+0x5/0x220
[  103.653528]  kprobe_dispatcher+0x45/0x50
[  103.654682]  ? do_sys_open+0x1/0x220
[  103.655875]  kprobe_ftrace_handler+0x90/0xf0
[  103.657282]  ftrace_ops_assist_func+0x54/0xf0
[  103.658564]  ? __call_rcu+0x1dc/0x280
[  103.659482]  0xffffffffc00000bf
[  103.660384]  ? __ia32_sys_open+0x20/0x20
[  103.661682]  ? do_sys_open+0x1/0x220
[  103.662863]  do_sys_open+0x5/0x220
[  103.663988]  do_syscall_64+0x60/0x210
[  103.665201]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  103.666862] RIP: 0033:0x7fc22fadccdd
[  103.668034] Code: 48 89 54 24 e0 41 83 e2 40 75 32 89 f0 25 00 00 41 00 3d 00 00 41 00 74 24 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 33 f3 c3 66 0f 1f 84 00 00 00 00 00 48 8d 44
[  103.674029] RSP: 002b:00007ffc7972c3a8 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[  103.676512] RAX: ffffffffffffffda RBX: 0000562f86147a21 RCX: 00007fc22fadccdd
[  103.678853] RDX: 0000000000080000 RSI: 00007fc22fae1428 RDI: 00000000ffffff9c
[  103.681151] RBP: ffffffffffffffff R08: 0000000000000000 R09: 0000000000000000
[  103.683489] R10: 0000000000000000 R11: 0000000000000287 R12: 00007fc22fce90a8
[  103.685774] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
[  103.688056] Modules linked in:
[  103.689131] ---[ end trace 43792035c28984a1 ]---

This can be fixed by using probe_mem_read() instead, as it can handle faulting
kernel memory addresses, which kprobes can legitimately do.

Link: http://lkml.kernel.org/r/20190125151051.7381-1-changbin.du@gmail.com

Cc: stable@vger.kernel.org
Fixes: 9da3f2b740 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses")
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2019-02-15 12:41:23 -05:00
blktrace.c blkcg: remove bio->bi_css and instead use bio->bi_blkg 2018-12-07 22:26:37 -07:00
bpf_trace.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
fgraph.c tracing: Fix ftrace_graph_get_ret_stack() to use task and not current 2018-12-22 08:21:03 -05:00
ftrace.c Tracing changes for v4.21: 2018-12-31 11:46:59 -08:00
ftrace_internal.h ftrace: Create new ftrace_internal.h header 2018-12-08 20:54:06 -05:00
Kconfig tracing: Use dyn_event framework for synthetic events 2018-12-08 20:54:10 -05:00
Makefile tracing: Add unified dynamic event framework 2018-12-08 20:54:09 -05:00
power-traces.c
preemptirq_delay_test.c
ring_buffer.c Tracing changes for v4.21: 2018-12-31 11:46:59 -08:00
ring_buffer_benchmark.c
rpm-traces.c
trace.c Tracing changes for v4.21: 2018-12-31 11:46:59 -08:00
trace.h tracing: Add tracefs file buffer_percentage 2018-12-08 20:54:08 -05:00
trace_benchmark.c
trace_benchmark.h
trace_branch.c
trace_clock.c
trace_dynevent.c tracing: Add generic event-name based remove event method 2018-12-10 12:22:44 -05:00
trace_dynevent.h tracing: Add unified dynamic event framework 2018-12-08 20:54:09 -05:00
trace_entries.h
trace_event_perf.c
trace_events.c tracing: Use str_has_prefix() instead of using fixed sizes 2018-12-22 22:51:54 -05:00
trace_events_filter.c Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-12-26 13:07:19 -08:00
trace_events_filter_test.h
trace_events_hist.c tracing: Have the histogram use the result of str_has_prefix() for len of prefix 2018-12-22 22:52:09 -05:00
trace_events_trigger.c tracing: Fix memory leak in set_trigger_filter() 2018-12-11 13:50:19 -05:00
trace_export.c
trace_functions.c
trace_functions_graph.c function_graph: Move ftrace_graph_ret_addr() to fgraph.c 2018-12-08 20:54:07 -05:00
trace_hwlat.c
trace_irqsoff.c fgraph: Add new fgraph_ops structure to enable function graph hooks 2018-12-08 20:54:07 -05:00
trace_kdb.c
trace_kprobe.c kprobe: Do not use uaccess functions to access kernel memory that can fault 2019-02-15 12:41:23 -05:00
trace_kprobe_selftest.c
trace_kprobe_selftest.h
trace_mmiotrace.c
trace_nop.c
trace_output.c tracing: Simplify printf'ing in seq_print_sym 2018-12-22 08:21:06 -05:00
trace_output.h
trace_preemptirq.c
trace_printk.c
trace_probe.c tracing: Use the return of str_has_prefix() to remove open coded numbers 2018-12-22 22:52:30 -05:00
trace_probe.h tracing/kprobes: Use dyn_event framework for kprobe events 2018-12-08 20:54:09 -05:00
trace_probe_tmpl.h tracing: probeevent: Correctly update remaining space in dynamic area 2019-02-11 15:58:30 -05:00
trace_sched_switch.c
trace_sched_wakeup.c fgraph: Add new fgraph_ops structure to enable function graph hooks 2018-12-08 20:54:07 -05:00
trace_selftest.c fgraph: Add new fgraph_ops structure to enable function graph hooks 2018-12-08 20:54:07 -05:00
trace_selftest_dynamic.c
trace_seq.c
trace_stack.c tracing: Use the return of str_has_prefix() to remove open coded numbers 2018-12-22 22:52:30 -05:00
trace_stat.c
trace_stat.h
trace_syscalls.c
trace_uprobe.c tracing/uprobes: Fix output for multiple string arguments 2019-01-17 10:54:08 -05:00
tracing_map.c
tracing_map.h