From: Alexey Dobriyan <adobriyan@gmail.com>
To: akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org,
torvalds@linux-foundation.org, xemul@parallels.com,
orenl@cs.columbia.edu, serue@us.ibm.com, dave@linux.vnet.ibm.com,
mingo@elte.hu, Alexey Dobriyan <adobriyan@gmail.com>
Subject: [PATCH 16/38] x86: ptrace debugreg checks rewrite
Date: Fri, 22 May 2009 08:55:10 +0400 [thread overview]
Message-ID: <1242968132-1044-16-git-send-email-adobriyan@gmail.com> (raw)
In-Reply-To: <1242968132-1044-1-git-send-email-adobriyan@gmail.com>
This is a mess.
Pre unified-x86 code did check for breakpoint addr
to be "< TASK_SIZE - 3 (or 7)". This was fine from security POV,
but banned valid breakpoint usage when address is close to TASK_SIZE.
E. g. 1-byte breakpoint at TASK_SIZE - 1 should be allowed, but it wasn't.
Then came commit 84929801e14d968caeb84795bfbb88f04283fbd9
("[PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes")
which for some reason touched ptrace as well and made effective
TASK_SIZE of 32-bit process depending on IA32_PAGE_OFFSET
which is not a constant!:
#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
^^^^^^^
Maximum addr for breakpoint became dependent on personality of ptracer.
Commit also relaxed danger zone for 32-bit processes from 8 bytes to 4
not taking into account that 8-byte wide breakpoints are possible even
for 32-bit processes. This was fine, however, because 64-bit kernel
addresses are too far from 32-bit ones.
Then came utrace with commit 2047b08be67b70875d8765fc81d34ce28041bec3
("x86: x86 ptrace getreg/putreg merge") which copy-pasted and ifdeffed 32-bit
part of TASK_SIZE_OF() leaving 8-byte issue as-is.
So, what patch fixes?
1) Too strict logic near TASK_SIZE boundary -- as long as we don't cross
TASK_SIZE_MAX, we're fine.
2) Too smart logic of using breakpoints over non-existent kernel
boundary -- we should only protect against setting up after
TASK_SIZE_MAX, the rest is none of kernel business. This fixes
IA32_PAGE_OFFSET beartrap as well.
As a bonus, remove uberhack and big comment determining DR7 validness,
rewrite with clear algorithm when it's obvious what's going on.
Make DR validness checker suitable for C/R. On restart DR registers
must be checked the same way they are checked on PTRACE_POKEUSR.
Question 1: TIF_DEBUG can set even if none of breakpoints is turned on,
should this be optimized?
Question 2: Breakpoints are allowed to be globally enabled, is this a
security risk?
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
arch/x86/kernel/ptrace.c | 175 +++++++++++++++++++++++++++-------------------
1 files changed, 103 insertions(+), 72 deletions(-)
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 23b7c8f..afd2b7d 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -135,11 +135,6 @@ static int set_segment_reg(struct task_struct *task,
return 0;
}
-static unsigned long debugreg_addr_limit(struct task_struct *task)
-{
- return TASK_SIZE - 3;
-}
-
#else /* CONFIG_X86_64 */
#define FLAG_MASK (FLAG_MASK_32 | X86_EFLAGS_NT)
@@ -263,16 +258,6 @@ static int set_segment_reg(struct task_struct *task,
return 0;
}
-
-static unsigned long debugreg_addr_limit(struct task_struct *task)
-{
-#ifdef CONFIG_IA32_EMULATION
- if (test_tsk_thread_flag(task, TIF_IA32))
- return IA32_PAGE_OFFSET - 3;
-#endif
- return TASK_SIZE_MAX - 7;
-}
-
#endif /* CONFIG_X86_32 */
static unsigned long get_flags(struct task_struct *task)
@@ -480,77 +465,123 @@ static unsigned long ptrace_get_debugreg(struct task_struct *child, int n)
return 0;
}
+static int ptrace_check_debugreg(int _32bit,
+ unsigned long dr0, unsigned long dr1,
+ unsigned long dr2, unsigned long dr3,
+ unsigned long dr6, unsigned long dr7)
+{
+ /* Breakpoint type: 00: --x, 01: -w-, 10: undefined, 11: rw- */
+ unsigned int rw[4];
+ /* Breakpoint length: 00: 1 byte, 01: 2 bytes, 10: 8 bytes, 11: 4 bytes */
+ unsigned int len[4];
+ int n;
+
+ if (dr0 >= TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr1 >= TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr2 >= TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr3 >= TASK_SIZE_MAX)
+ return -EINVAL;
+
+ for (n = 0; n < 4; n++) {
+ rw[n] = (dr7 >> (16 + n * 4)) & 0x3;
+ len[n] = (dr7 >> (16 + n * 4 + 2)) & 0x3;
+
+ if (rw[n] == 0x2)
+ return -EINVAL;
+ if (rw[n] == 0x0 && len[n] != 0x0)
+ return -EINVAL;
+ if (_32bit && len[n] == 0x2)
+ return -EINVAL;
+
+ if (len[n] == 0x0)
+ len[n] = 1;
+ else if (len[n] == 0x1)
+ len[n] = 2;
+ else if (len[n] == 0x2)
+ len[n] = 8;
+ else if (len[n] == 0x3)
+ len[n] = 4;
+ /* From now breakpoint length is in bytes. */
+ }
+
+ if (dr6 & ~0xFFFFFFFFUL)
+ return -EINVAL;
+ if (dr7 & ~0xFFFFFFFFUL)
+ return -EINVAL;
+
+ if (dr7 == 0)
+ return 0;
+
+ if (dr0 + len[0] > TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr1 + len[1] > TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr2 + len[2] > TASK_SIZE_MAX)
+ return -EINVAL;
+ if (dr3 + len[3] > TASK_SIZE_MAX)
+ return -EINVAL;
+
+ return 0;
+}
+
static int ptrace_set_debugreg(struct task_struct *child,
int n, unsigned long data)
{
- int i;
+ unsigned long dr0, dr1, dr2, dr3, dr6, dr7;
+ int _32bit;
if (unlikely(n == 4 || n == 5))
return -EIO;
- if (n < 4 && unlikely(data >= debugreg_addr_limit(child)))
- return -EIO;
-
+ dr0 = child->thread.debugreg0;
+ dr1 = child->thread.debugreg1;
+ dr2 = child->thread.debugreg2;
+ dr3 = child->thread.debugreg3;
+ dr6 = child->thread.debugreg6;
+ dr7 = child->thread.debugreg7;
switch (n) {
- case 0: child->thread.debugreg0 = data; break;
- case 1: child->thread.debugreg1 = data; break;
- case 2: child->thread.debugreg2 = data; break;
- case 3: child->thread.debugreg3 = data; break;
-
+ case 0:
+ dr0 = data;
+ break;
+ case 1:
+ dr1 = data;
+ break;
+ case 2:
+ dr2 = data;
+ break;
+ case 3:
+ dr3 = data;
+ break;
case 6:
- if ((data & ~0xffffffffUL) != 0)
- return -EIO;
- child->thread.debugreg6 = data;
+ dr6 = data;
break;
-
case 7:
- /*
- * Sanity-check data. Take one half-byte at once with
- * check = (val >> (16 + 4*i)) & 0xf. It contains the
- * R/Wi and LENi bits; bits 0 and 1 are R/Wi, and bits
- * 2 and 3 are LENi. Given a list of invalid values,
- * we do mask |= 1 << invalid_value, so that
- * (mask >> check) & 1 is a correct test for invalid
- * values.
- *
- * R/Wi contains the type of the breakpoint /
- * watchpoint, LENi contains the length of the watched
- * data in the watchpoint case.
- *
- * The invalid values are:
- * - LENi == 0x10 (undefined), so mask |= 0x0f00. [32-bit]
- * - R/Wi == 0x10 (break on I/O reads or writes), so
- * mask |= 0x4444.
- * - R/Wi == 0x00 && LENi != 0x00, so we have mask |=
- * 0x1110.
- *
- * Finally, mask = 0x0f00 | 0x4444 | 0x1110 == 0x5f54.
- *
- * See the Intel Manual "System Programming Guide",
- * 15.2.4
- *
- * Note that LENi == 0x10 is defined on x86_64 in long
- * mode (i.e. even for 32-bit userspace software, but
- * 64-bit kernel), so the x86_64 mask value is 0x5454.
- * See the AMD manual no. 24593 (AMD64 System Programming)
- */
-#ifdef CONFIG_X86_32
-#define DR7_MASK 0x5f54
-#else
-#define DR7_MASK 0x5554
-#endif
- data &= ~DR_CONTROL_RESERVED;
- for (i = 0; i < 4; i++)
- if ((DR7_MASK >> ((data >> (16 + 4*i)) & 0xf)) & 1)
- return -EIO;
- child->thread.debugreg7 = data;
- if (data)
- set_tsk_thread_flag(child, TIF_DEBUG);
- else
- clear_tsk_thread_flag(child, TIF_DEBUG);
+ dr7 = data & ~DR_CONTROL_RESERVED;
break;
}
+ _32bit = (sizeof(unsigned long) == 4);
+#ifdef CONFIG_COMPAT
+ if (test_tsk_thread_flag(child, TIF_IA32))
+ _32bit = 1;
+#endif
+ if (ptrace_check_debugreg(_32bit, dr0, dr1, dr2, dr3, dr6, dr7))
+ return -EIO;
+
+ child->thread.debugreg0 = dr0;
+ child->thread.debugreg1 = dr1;
+ child->thread.debugreg2 = dr2;
+ child->thread.debugreg3 = dr3;
+ child->thread.debugreg6 = dr6;
+ child->thread.debugreg7 = dr7;
+ if (dr7)
+ set_tsk_thread_flag(child, TIF_DEBUG);
+ else
+ clear_tsk_thread_flag(child, TIF_DEBUG);
+
return 0;
}
--
1.5.6.5
next prev parent reply other threads:[~2009-05-22 4:59 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-22 4:54 [PATCH 01/38] cred: #include init.h in cred.h Alexey Dobriyan
2009-05-22 4:54 ` [PATCH 02/38] utsns: extract create_uts_ns() Alexey Dobriyan
2009-05-24 22:37 ` Serge E. Hallyn
2009-05-22 4:54 ` [PATCH 03/38] ipcns 1/4: remove useless get/put while CLONE_NEWIPC Alexey Dobriyan
2009-05-22 9:00 ` Amerigo Wang
2009-05-22 4:54 ` [PATCH 04/38] ipcns 2/4: extract create_ipc_ns() Alexey Dobriyan
2009-05-22 8:59 ` Amerigo Wang
2009-05-22 4:54 ` [PATCH 05/38] ipcns 3/4: make free_ipc_ns() static Alexey Dobriyan
2009-05-24 22:40 ` Serge E. Hallyn
2009-05-22 4:55 ` [PATCH 06/38] ipcns 4/2: move free_ipcs() proto Alexey Dobriyan
2009-05-24 22:49 ` Serge E. Hallyn
2009-05-22 4:55 ` [PATCH 07/38] pidns 1/2: make create_pid_namespace() accept parent pidns Alexey Dobriyan
2009-05-22 9:20 ` Amerigo Wang
2009-05-24 22:44 ` Serge E. Hallyn
2009-06-04 0:20 ` Sukadev Bhattiprolu
2009-05-22 4:55 ` [PATCH 08/38] pidns 2/2: rewrite copy_pid_ns() Alexey Dobriyan
2009-05-22 9:14 ` Amerigo Wang
2009-05-24 22:45 ` Serge E. Hallyn
2009-06-04 0:17 ` Sukadev Bhattiprolu
2009-05-22 4:55 ` [PATCH 09/38] netns 1/2: don't get/put old netns on CLONE_NEWNET Alexey Dobriyan
2009-05-22 6:30 ` David Miller
2009-05-22 4:55 ` [PATCH 10/38] netns 2/2: extract net_create() Alexey Dobriyan
2009-05-22 6:30 ` David Miller
2009-05-22 4:55 ` [PATCH 11/38] nsproxy: extract create_nsproxy() Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 12/38] i386: ifdef out struct thread_struct::fs Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 13/38] x86_64: ifdef out struct thread_struct::ip Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 14/38] Remove struct mm_struct::exe_file et al Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 15/38] dcache: extract and use d_unlinked() Alexey Dobriyan
2009-05-22 4:55 ` Alexey Dobriyan [this message]
2009-05-26 23:25 ` [PATCH 16/38] x86: ptrace debugreg checks rewrite Andrew Morton
2009-05-22 4:55 ` [PATCH 17/38] groups: move code to kernel/groups.c Alexey Dobriyan
2009-05-25 0:53 ` Serge E. Hallyn
2009-05-26 14:48 ` Serge E. Hallyn
2009-05-26 18:34 ` Alexey Dobriyan
2009-05-26 23:25 ` Serge E. Hallyn
2009-05-22 4:55 ` [PATCH 18/38] C/R: core stuff Alexey Dobriyan
2009-05-26 13:16 ` Serge E. Hallyn
2009-05-26 19:35 ` Alexey Dobriyan
2009-05-26 23:14 ` Serge E. Hallyn
2009-05-26 23:44 ` Serge E. Hallyn
2009-05-28 15:38 ` Alexey Dobriyan
2009-05-28 18:17 ` Serge E. Hallyn
2009-05-28 22:42 ` Oren Laadan
2009-05-27 18:52 ` Dave Hansen
2009-05-27 20:56 ` Oren Laadan
2009-05-27 22:17 ` Alexey Dobriyan
2009-05-27 22:40 ` Andrew Morton
2009-05-27 22:45 ` Oren Laadan
2009-05-28 15:33 ` Alexey Dobriyan
2009-05-28 22:20 ` Oren Laadan
2009-05-28 22:33 ` Matt Helsley
2009-05-29 6:01 ` Alexey Dobriyan
2009-05-29 17:26 ` Dave Hansen
2009-05-27 22:25 ` Alexey Dobriyan
2009-05-27 16:28 ` Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 19/38] C/R: multiple tasks Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 20/38] C/R: i386 support Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 21/38] C/R: i386 debug registers Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 22/38] C/R: i386 xstate Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 23/38] C/R: x86_64 support Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 24/38] C/R: x86_64 debug registers Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 25/38] C/R: x86_64 xstate Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 26/38] C/R: nsproxy Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 27/38] C/R: checkpoint/restore struct uts_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 28/38] C/R: formally checkpoint/restore struct ipc_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 29/38] C/R: formally checkpoint/restore struct mnt_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 30/38] C/R: checkpoint/restore struct pid_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 31/38] C/R: formally checkpoint/restore struct net_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 32/38] C/R: checkpoint/restore struct cred Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 33/38] C/R: checkpoint/restore aux groups (structy group_info) Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 34/38] C/R: checkpoint/restore struct user Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 35/38] C/R: checkpoint/restore struct user_namespace Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 36/38] C/R: checkpoint/restore struct pid Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 37/38] C/R: checkpoint/restore opened files Alexey Dobriyan
2009-05-22 4:55 ` [PATCH 38/38] C/R: checkpoint/restart struct sighand_struct Alexey Dobriyan
2009-05-22 5:02 ` [PATCH 01/38] cred: #include init.h in cred.h Alexey Dobriyan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1242968132-1044-16-git-send-email-adobriyan@gmail.com \
--to=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.linux-foundation.org \
--cc=dave@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=orenl@cs.columbia.edu \
--cc=serue@us.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).