Re: [PATCH] x86/unwind/orc: Handle kretprobes_trampoline

From: Marios Pomonis <pomonis@google.com>
To: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	Alexander Lobakin <alexandr.lobakin@intel.com>,
	Kristen C Accardi <kristen.c.accardi@intel.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Ivan Babrou <ivan@cloudflare.com>,
	Jiri Slaby <jirislaby@kernel.org>,
	Julien Thierry <jthierry@redhat.com>,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] x86/unwind/orc: Handle kretprobes_trampoline
Date: Fri, 24 Sep 2021 10:17:58 -0700	[thread overview]
Message-ID: <CAKXAmdgS3SL_qyjzjY32_DXe3WVTN+O=wYwJ9vkUXKhjmt87fA@mail.gmail.com> (raw)
In-Reply-To: <20210905165738.7e40d6e2cba3dd0724f85f3a@kernel.org>

On Sun, Sep 5, 2021 at 12:57 AM Masami Hiramatsu <mhiramat@kernel.org> wrote:
>
> On Sat, 4 Sep 2021 10:55:11 -0700
> Josh Poimboeuf <jpoimboe@redhat.com> wrote:
>
> > On Thu, Sep 02, 2021 at 07:13:26PM -0700, Kees Cook wrote:
> > > From: Marios Pomonis <pomonis@google.com>
> > >
> > > Fix a bug in the ORC unwinder when kretprobes has replaced a return
> > > address with the address of `kretprobes_trampoline'. ORC mistakenly
> > > assumes that the address in the stack is a return address and decrements
> > > it by 1 in order to find the proper depth of the next frame.
> > >
> > > This issue was discovered while testing the FG-KASLR series[0][1] and
> > > running the live patching test[2] that was originally failing[3].
> > >
> > > [0] https://lore.kernel.org/kernel-hardening/20200923173905.11219-1-kristen@linux.intel.com/
> > > [1] https://github.com/KSPP/linux/issues/132
> > > [2] https://github.com/lpechacek/qa_test_klp
> > > [3] https://lore.kernel.org/lkml/alpine.LSU.2.21.2009251450260.13615@pobox.suse.cz/
> > >
> > > Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
> > > Signed-off-by: Marios Pomonis <pomonis@google.com>
> > > Cc: Josh Poimboeuf <jpoimboe@redhat.com>
> > > Cc: Alexander Lobakin <alexandr.lobakin@intel.com>
> > > Cc: Kristen C Accardi <kristen.c.accardi@intel.com>
> > > Cc: Sami Tolvanen <samitolvanen@google.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> >
> > I suspect this is fixed by:
> >
> >   https://lkml.kernel.org/r/162756755600.301564.4957591913842010341.stgit@devnote2
>
> I think this can be a bit different issue. As far as I ran my test code
> (same one in the above cover mail) with this fix, the stacktrace wasn't
> fixed.
>
> ffffffff812b7c80  r  vfs_read+0x0    [FTRACE]
> ffffffff813b4cc0  r  full_proxy_read+0x0    [FTRACE]
> # tracer: nop
> #
> # entries-in-buffer/entries-written: 3/3   #P:8
> #
> #                                _-----=> irqs-off
> #                               / _----=> need-resched
> #                              | / _---=> hardirq/softirq
> #                              || / _--=> preempt-depth
> #                              ||| /     delay
> #           TASK-PID     CPU#  ||||   TIMESTAMP  FUNCTION
> #              | |         |   ||||      |         |
>              cat-138     [002] ...1     9.488727: r_full_proxy_read_0: (vfs_read+0x99/0x190 <- full_proxy_read)
>              cat-138     [002] ...1     9.488732: <stack trace>
>  => kretprobe_trace_func+0x209/0x300
>  => kretprobe_dispatcher+0x9d/0xb0
>  => __kretprobe_trampoline_handler+0xc5/0x160
>  => trampoline_handler+0x44/0x60
>  => kretprobe_trampoline+0x25/0x50
>              cat-138     [002] ...1     9.488733: r_vfs_read_0: (ksys_read+0x68/0xe0 <- vfs_read)
>
> Kees, can you also try to test with my series?
> It should be able to be checked out with;
>
> git clone git://git.kernel.org/pub/scm/linux/kernel/git/mhiramat/linux.git -b kprobes/kretprobe-stackfix-v10
>
> Thank you,

I tested this series in conjunction with FG-KASLR and klp_tc_12 fails.
Therefore the patch of the cover mail fixes a different issue than the
one of this series.

Thanks,
Marios
> >
> >
> > > ---
> > >  arch/x86/kernel/unwind_orc.c | 12 +++++++++++-
> > >  1 file changed, 11 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
> > > index a1202536fc57..8c5038b3b707 100644
> > > --- a/arch/x86/kernel/unwind_orc.c
> > > +++ b/arch/x86/kernel/unwind_orc.c
> > > @@ -7,6 +7,7 @@
> > >  #include <asm/unwind.h>
> > >  #include <asm/orc_types.h>
> > >  #include <asm/orc_lookup.h>
> > > +#include <asm/kprobes.h>
> > >
> > >  #define orc_warn(fmt, ...) \
> > >     printk_deferred_once(KERN_WARNING "WARNING: " fmt, ##__VA_ARGS__)
> > > @@ -414,6 +415,15 @@ static bool get_reg(struct unwind_state *state, unsigned int reg_off,
> > >     return false;
> > >  }
> > >
> > > +static bool is_kretprobe_trampoline(unsigned long ip)
> > > +{
> > > +#ifdef     CONFIG_KRETPROBES
> > > +   if (ip == (unsigned long)&kretprobe_trampoline)
> > > +           return true;
> > > +#endif
> > > +   return false;
> > > +}
> > > +
> > >  bool unwind_next_frame(struct unwind_state *state)
> > >  {
> > >     unsigned long ip_p, sp, tmp, orig_ip = state->ip, prev_sp = state->sp;
> > > @@ -540,7 +550,7 @@ bool unwind_next_frame(struct unwind_state *state)
> > >             state->sp = sp;
> > >             state->regs = NULL;
> > >             state->prev_regs = NULL;
> > > -           state->signal = false;
> > > +           state->signal = is_kretprobe_trampoline(state->ip);
> > >             break;
> > >
> > >     case UNWIND_HINT_TYPE_REGS:
> > > --
> > > 2.30.2
> > >
> >
> > --
> > Josh
> >
>
>
> --
> Masami Hiramatsu <mhiramat@kernel.org>