Subject: Re: [PATCH v6 2/5] powerpc/kprobes: Mark newly allocated probes as RO
From: Christophe Leroy
To: Russell Currey, linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, kernel-hardening@lists.openwall.com, npiggin@gmail.com, joel@jms.id.au, dja@axtens.net
Date: Wed, 8 Jan 2020 17:48:59 +0100
Message-ID: <51b9b43b-9f25-bb68-93f2-cd5ba7d67f38@c-s.fr>
In-Reply-To: <20191224055545.178462-3-ruscur@russell.cc>
References: <20191224055545.178462-1-ruscur@russell.cc> <20191224055545.178462-3-ruscur@russell.cc>

On 24/12/2019 at 06:55, Russell Currey wrote:
> With CONFIG_STRICT_KERNEL_RWX=y and CONFIG_KPROBES=y, there will be one
> W+X page at boot by default. This can be tested with
> CONFIG_PPC_PTDUMP=y and CONFIG_PPC_DEBUG_WX=y set, and checking the
> kernel log during boot.
>
> powerpc doesn't implement its own alloc() for kprobes like other
> architectures do, but we couldn't immediately mark RO anyway since we do
> a memcpy to the page we allocate later. After that, nothing should be
> allowed to modify the page, and write permissions are removed well
> before the kprobe is armed.
>
> The memcpy() would fail if >1 probes were allocated, so use
> patch_instruction() instead which is safe for RO.
>
> Reviewed-by: Daniel Axtens
> Signed-off-by: Russell Currey
> ---
> arch/powerpc/kernel/kprobes.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c > index 2d27ec4feee4..b72761f0c9e3 100644 > --- a/arch/powerpc/kernel/kprobes.c > +++ b/arch/powerpc/kernel/kprobes.c
> @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > > DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL; > DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); 
> @@ -124,13 +125,14 @@ int arch_prepare_kprobe(struct kprobe *p) > } > > if (!ret) { > - memcpy(p->ainsn.insn, p->addr, > - MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); > + patch_instruction(p->ainsn.insn, *p->addr); > p->opcode = *p->addr; > flush_icache_range((unsigned long)p->ainsn.insn, > (unsigned long)p->ainsn.insn + sizeof(kprobe_opcode_t));

patch_instruction() already does the flush, no need to flush again with flush_icache_range()

> } > > + set_memory_ro((unsigned long)p->ainsn.insn, 1); > +

I don't really understand, why do you need to set this ro? Or why do you need to change the memcpy() to patch_instruction() if the area is not already ro?

If I understand correctly, p->ainsn.insn is within a special executable page allocated via module_alloc(). Wouldn't it be more correct to modify kprobe get_insn_slot() logic so that allocated page is ROX instead of RWX?

> p->ainsn.boostable = 0; > return ret; > }

Christophe
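Review bot: in the second hunk the new `set_memory_ro((unsigned long)p->ainsn.insn, 1);` is placed after the closing brace of the `if (!ret)` block, so it also runs on the paths where ret already carries an error and no instruction was patched into the slot; move it inside that block, right after the patch_instruction() call. Neither patch_instruction() nor set_memory_ro() has its return value checked: if the first fails the slot holds no valid instruction, and if the second fails the page silently stays writable and executable, which is exactly the W+X state the commit message sets out to remove, so both should feed into ret. The removed memcpy() copied MAX_INSN_SIZE * sizeof(kprobe_opcode_t) bytes while the replacement patches the single word `*p->addr`; the commit message should state that the two are equivalent on this architecture. Also, the address handed to set_memory_ro() is a slot inside the page rather than the page itself, with numpages = 1; please confirm the set_memory_ro() implementation from patch 1 of the series accepts a non-page-aligned start.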