proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2026-01-27 15:44:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f1c97a1b4e
mirror_ubuntu-kernels/arch/x86/kernel
History
Yang Jihong f1c97a1b4e x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range 
When arch_prepare_optimized_kprobe calculating jump destination address,
it copies original instructions from jmp-optimized kprobe (see
__recover_optprobed_insn), and calculated based on length of original
instruction.

arch_check_optimized_kprobe does not check KPROBE_FLAG_OPTIMATED when
checking whether jmp-optimized kprobe exists.
As a result, setup_detour_execution may jump to a range that has been
overwritten by jump destination address, resulting in an inval opcode error.

For example, assume that register two kprobes whose addresses are
<func+9> and <func+11> in "func" function.
The original code of "func" function is as follows:

   0xffffffff816cb5e9 <+9>:     push   %r12
   0xffffffff816cb5eb <+11>:    xor    %r12d,%r12d
   0xffffffff816cb5ee <+14>:    test   %rdi,%rdi
   0xffffffff816cb5f1 <+17>:    setne  %r12b
   0xffffffff816cb5f5 <+21>:    push   %rbp

1.Register the kprobe for <func+11>, assume that is kp1, corresponding optimized_kprobe is op1.
  After the optimization, "func" code changes to:

   0xffffffff816cc079 <+9>:     push   %r12
   0xffffffff816cc07b <+11>:    jmp    0xffffffffa0210000
   0xffffffff816cc080 <+16>:    incl   0xf(%rcx)
   0xffffffff816cc083 <+19>:    xchg   %eax,%ebp
   0xffffffff816cc084 <+20>:    (bad)
   0xffffffff816cc085 <+21>:    push   %rbp

Now op1->flags == KPROBE_FLAG_OPTIMATED;

2. Register the kprobe for <func+9>, assume that is kp2, corresponding optimized_kprobe is op2.

register_kprobe(kp2)
  register_aggr_kprobe
    alloc_aggr_kprobe
      __prepare_optimized_kprobe
        arch_prepare_optimized_kprobe
          __recover_optprobed_insn    // copy original bytes from kp1->optinsn.copied_insn,
                                      // jump address = <func+14>

3. disable kp1:

disable_kprobe(kp1)
  __disable_kprobe
    ...
    if (p == orig_p || aggr_kprobe_disabled(orig_p)) {
      ret = disarm_kprobe(orig_p, true)       // add op1 in unoptimizing_list, not unoptimized
      orig_p->flags |= KPROBE_FLAG_DISABLED;  // op1->flags ==  KPROBE_FLAG_OPTIMATED | KPROBE_FLAG_DISABLED
    ...

4. unregister kp2
__unregister_kprobe_top
  ...
  if (!kprobe_disabled(ap) && !kprobes_all_disarmed) {
    optimize_kprobe(op)
      ...
      if (arch_check_optimized_kprobe(op) < 0) // because op1 has KPROBE_FLAG_DISABLED, here not return
        return;
      p->kp.flags |= KPROBE_FLAG_OPTIMIZED;   //  now op2 has KPROBE_FLAG_OPTIMIZED
  }

"func" code now is:

   0xffffffff816cc079 <+9>:     int3
   0xffffffff816cc07a <+10>:    push   %rsp
   0xffffffff816cc07b <+11>:    jmp    0xffffffffa0210000
   0xffffffff816cc080 <+16>:    incl   0xf(%rcx)
   0xffffffff816cc083 <+19>:    xchg   %eax,%ebp
   0xffffffff816cc084 <+20>:    (bad)
   0xffffffff816cc085 <+21>:    push   %rbp

5. if call "func", int3 handler call setup_detour_execution:

  if (p->flags & KPROBE_FLAG_OPTIMIZED) {
    ...
    regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
    ...
  }

The code for the destination address is

   0xffffffffa021072c:  push   %r12
   0xffffffffa021072e:  xor    %r12d,%r12d
   0xffffffffa0210731:  jmp    0xffffffff816cb5ee <func+14>

However, <func+14> is not a valid start instruction address. As a result, an error occurs.

Link: https://lore.kernel.org/all/20230216034247.32348-3-yangjihong1@huawei.com/

Fixes: f66c0447cc ("kprobes: Set unoptimized flag after unoptimizing code")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
2023-02-21 08:49:16 +09:00
..
acpi x86/acpi/cstate: Optimize ARB_DISABLE on Centaur CPUs 2022-11-11 09:42:05 -08:00
apic A set of changes for the x86 APIC code: 2022-12-12 12:30:31 -08:00
cpu x86/speculation: Identify processors vulnerable to SMT RSB predictions 2023-02-10 06:43:03 -05:00
fpu * Clarify XSAVE consistency warnings 2022-12-12 14:41:57 -08:00
kprobes x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range 2023-02-21 08:49:16 +09:00
.gitignore
alternative.c New Feature: 2022-12-17 14:06:53 -06:00
amd_gart_64.c x86/mm: Remove P*D_PAGE_MASK and P*D_PAGE_SIZE macros 2022-12-15 10:37:27 -08:00
amd_nb.c x86/amd_nb: Add AMD PCI IDs for SMN communication 2022-07-20 17:35:40 +02:00
aperture_64.c x86: Fix various duplicate-word comment typos 2022-08-15 19:17:52 +02:00
apm_32.c x86/ibt: Disable IBT around firmware 2022-03-15 10:32:40 +01:00
asm-offsets_32.c
asm-offsets_64.c x86: Fixup asm-offsets duplicate 2022-10-17 16:41:06 +02:00
asm-offsets.c Linux 6.1-rc6 2022-11-21 23:01:51 +01:00
audit_64.c audit: add support for the openat2 syscall 2021-10-01 16:52:48 -04:00
bootflag.c
callthunks.c x86/calldepth: Fix incorrect init section references 2022-12-27 12:51:58 +01:00
cfi.c x86: Add support for CONFIG_CFI_CLANG 2022-09-26 10:13:16 -07:00
check.c
cpuid.c driver core: make struct class.devnode() take a const * 2022-11-24 17:12:27 +01:00
crash_core_32.c
crash_core_64.c
crash_dump_32.c vmcore: convert copy_oldmem_page() to take an iov_iter 2022-04-29 14:37:59 -07:00
crash_dump_64.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
crash.c x86/kexec: Fix double-free of elf header buffer 2023-01-02 18:56:21 +01:00
devicetree.c x86/of: Add support for boot time interrupt delivery mode configuration 2022-12-02 14:57:14 +01:00
doublefault_32.c exit/doublefault: Remove apparently bogus comment about rewind_stack_do_exit 2021-10-20 13:09:43 -05:00
dumpstack_32.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
dumpstack_64.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
dumpstack.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
e820.c x86/kexec: Carry forward IMA measurement log on kexec 2022-07-01 15:22:16 +02:00
early_printk.c x86/earlyprintk: Clean up pciserial 2022-08-29 12:19:25 +02:00
early-quirks.c drm/i915/rpl-p: Add PCI IDs 2022-04-19 17:14:09 -07:00
ebda.c
eisa.c
espfix_64.c x86/espfix: Use get_random_long() rather than archrandom 2022-10-31 20:12:50 +01:00
ftrace_32.S x86: Prepare asm files for straight-line-speculation 2021-12-08 12:25:37 +01:00
ftrace_64.S Merge branch 'x86/urgent' into x86/core, to resolve conflict 2022-10-22 10:06:18 +02:00
ftrace.c New Feature: 2022-12-17 14:06:53 -06:00
head32.c
head64.c x86/mm: Remove P*D_PAGE_MASK and P*D_PAGE_SIZE macros 2022-12-15 10:37:27 -08:00
head_32.S x86/asm/32: Remove setup_once() 2022-12-02 14:06:34 +01:00
head_64.S x86/callthunks: Add call patching for call depth tracking 2022-10-17 16:41:13 +02:00
hpet.c rtc: Check return value from mc146818_get_time() 2021-12-16 21:50:06 +01:00
hw_breakpoint.c x86/mm: Randomize per-cpu entry area 2022-12-15 10:37:26 -08:00
i8237.c
i8253.c
i8259.c x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL 2023-01-16 17:24:56 +01:00
idt.c x86/traps: Add #VE support for TDX guest 2022-04-07 08:27:51 -07:00
io_delay.c
ioport.c
irq_32.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
irq_64.c x86/percpu: Move irq_stack variables next to current_task 2022-10-17 16:41:05 +02:00
irq_work.c
irq.c x86/irq: Ensure PI wakeup handler is unregistered before module unload 2021-10-22 12:45:35 -04:00
irqflags.S x86: Prepare asm files for straight-line-speculation 2021-12-08 12:25:37 +01:00
irqinit.c x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL 2023-01-16 17:24:56 +01:00
itmt.c x86/sched: Decrease further the priorities of SMT siblings 2021-10-05 15:51:59 +02:00
jailhouse.c
jump_label.c jump_label: make initial NOP patching the special case 2022-06-24 09:48:55 +02:00
kdebugfs.c x86/boot: Fix memremap of setup_indirect structures 2022-03-09 12:49:44 +01:00
kexec-bzimage64.c integrity-v6.0 2022-08-02 15:21:18 -07:00
kgdb.c
ksysfs.c x86/boot: Fix memremap of setup_indirect structures 2022-03-09 12:49:44 +01:00
kvm.c ARM64: 2022-12-15 11:12:21 -08:00
kvmclock.c x86/kvm: Don't waste kvmclock memory if there is nopv parameter 2022-04-13 13:37:19 -04:00
ldt.c memcg: enable accounting for ldt_struct objects 2021-09-03 09:58:13 -07:00
machine_kexec_32.c x86/kexec: Set_[gi]dt() -> native_[gi]dt_invalidate() in machine_kexec_*.c 2021-05-21 12:36:45 +02:00
machine_kexec_64.c x86/kexec: fix memory leak of elf header buffer 2022-06-01 15:57:16 -07:00
Makefile - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
mmconf-fam10h_64.c x86/msr: Rename MSR_K8_SYSCFG to MSR_AMD64_SYSCFG 2021-05-10 07:51:38 +02:00
module.c - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
mpparse.c x86: Avoid magic number with ELCR register accesses 2021-08-10 23:31:43 +02:00
msr.c driver core: make struct class.devnode() take a const * 2022-11-24 17:12:27 +01:00
nmi_selftest.c
nmi.c x86/nmi: Make register_nmi_handler() more robust 2022-05-17 09:25:25 +02:00
paravirt-spinlocks.c
paravirt.c x86/paravirt: Use common macro for creating simple asm paravirt functions 2022-11-24 13:56:44 +01:00
pci-dma.c swiotlb: merge swiotlb-xen initialization into swiotlb 2022-04-18 07:21:13 +02:00
pcspeaker.c
perf_regs.c
platform-quirks.c
pmem.c x86/pmem: Fix platform-device leak in error path 2022-06-20 18:01:16 +02:00
probe_roms.c x86/kernel: Validate ROM memory before accessing when SEV-SNP is active 2022-04-06 13:23:09 +02:00
process_32.c x86/percpu: Move current_top_of_stack next to current_task 2022-10-17 16:41:05 +02:00
process_64.c - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
process.c Random number generator updates for Linux 6.2-rc1. 2022-12-12 16:22:22 -08:00
process.h x86: Snapshot thread flags 2021-12-01 00:06:43 +01:00
ptrace.c x86: Improve formatting of user_regset arrays 2022-11-01 15:36:52 -07:00
pvclock.c
quirks.c
reboot_fixups_32.c
reboot.c x86: Use do_kernel_power_off() 2022-05-19 19:30:31 +02:00
relocate_kernel_32.S x86/kexec: Disable RET on kexec 2022-07-09 13:12:32 +02:00
relocate_kernel_64.S x86/callthunks: Add call patching for call depth tracking 2022-10-17 16:41:13 +02:00
resource.c x86/PCI: Tidy E820 removal messages 2022-12-10 10:33:11 -06:00
rethook.c x86,rethook: Fix arch_rethook_trampoline() to generate a complete pt_regs 2022-03-28 19:38:51 -07:00
rtc.c x86/rtc: Rename mach_set_rtc_mmss() to mach_set_cmos_time() 2022-08-14 11:24:29 +02:00
setup_percpu.c - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
setup.c - Split MTRR and PAT init code to accomodate at least Xen PV and TDX 2022-12-13 14:56:56 -08:00
sev_verify_cbit.S x86: Prepare asm files for straight-line-speculation 2021-12-08 12:25:37 +01:00
sev-shared.c Revert "x86/sev: Expose sev_es_ghcb_hv_call() for use by HyperV" 2022-07-27 18:09:13 +02:00
sev.c x86/insn: Avoid namespace clash by separating instruction decoder MMIO type from MMIO trace type 2023-01-03 18:46:06 +01:00
signal_32.c x86/signal/32: Merge native and compat 32-bit signal code 2022-10-19 09:58:49 +02:00
signal_64.c x86/signal/64: Move 64-bit signal code to its own file 2022-10-19 09:58:49 +02:00
signal_compat.c signal: Deliver SIGTRAP on perf event asynchronously if blocked 2022-04-22 12:14:05 +02:00
signal.c x86/signal/64: Move 64-bit signal code to its own file 2022-10-19 09:58:49 +02:00
smp.c
smpboot.c - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
stacktrace.c x86: remove __range_not_ok() 2022-02-25 09:36:05 +01:00
static_call.c static_call: Add call depth tracking support 2022-10-17 16:41:16 +02:00
step.c ptrace: Reimplement PTRACE_KILL by always sending SIGKILL 2022-05-11 14:34:28 -05:00
sys_ia32.c
sys_x86_64.c x86/mm: Cleanup the control_va_addr_alignment() __setup handler 2022-05-04 18:20:42 +02:00
tboot.c mm: remove rb tree. 2022-09-26 19:46:16 -07:00
time.c
tls.c
tls.h
topology.c x86/cpu: Switch to cpu_feature_enabled() for X86_FEATURE_XENPV 2022-11-22 16:18:19 +01:00
trace_clock.c
trace.c trace/osnoise: Fix an ifdef comment 2021-10-25 23:02:36 -04:00
tracepoint.c x86/traceponit: Fix comment about irq vector tracepoints 2022-05-26 22:03:52 -04:00
traps.c - Add the call depth tracking mitigation for Retbleed which has 2022-12-14 15:03:00 -08:00
tsc_msr.c
tsc_sync.c x86/tsc: Add a timer to make sure TSC_adjust is always checked 2021-12-02 00:40:35 +01:00
tsc.c x86/tsc: Make art_related_clocksource static 2022-10-17 16:20:48 +02:00
umip.c x86/umip: Downgrade warning messages to debug loglevel 2021-09-25 13:23:28 +02:00
unwind_frame.c x86: kmsan: don't instrument stack walking functions 2022-10-03 14:03:25 -07:00
unwind_guess.c x86/unwind: Recover kretprobe trampoline entry 2021-09-30 21:24:07 -04:00
unwind_orc.c Linux 6.1-rc6 2022-11-21 23:01:51 +01:00
uprobes.c uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix 2022-12-05 11:55:18 +01:00
verify_cpu.S x86: Prepare asm files for straight-line-speculation 2021-12-08 12:25:37 +01:00
vm86_32.c x86/32: Remove lazy GS macros 2022-04-14 14:09:43 +02:00
vmlinux.lds.S x86/ibt: Implement FineIBT 2022-11-01 13:44:10 +01:00
vsmp_64.c
x86_init.c x86/boot: Skip realmode init code when running as Xen PV guest 2022-11-25 12:05:22 +01:00