From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
To: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <james.hogan@imgtec.com>, linux-mips@linux-mips.org
Subject: [PATCH v2 1/2] MIPS: ptrace: disallow setting watchpoints in kernel address space
Date: Mon, 23 Jan 2017 10:18:32 +0100
Message-ID: <1485163113-21780-1-git-send-email-marcin.nowakowski@imgtec.com>

With certain EVA configurations it is possible for the kernel address
space to overlap user address space, which allows the user to set
watchpoints on kernel addresses via ptrace.

If a watchpoint is set in the watch exception handling code (after
exception level has been cleared) then the system will hang in an
infinite loop when hitting a watchpoint while trying to process it.

To prevent that, simply disallow placing any watchpoints at addresses
above start of kernel that overlap userspace.

Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
---
This supersedes "protect watchpoint handling code from setting
watchpoints" which originally would only protect part of the kernel code
most vulnerable. However, that change was incomplete and it is really
difficult to ensure all required sections are properly guarded.
Having selective guards on parts of the kernel address space could also
be used as a method to circumvent KASLR.
---
 arch/mips/kernel/ptrace.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index c8ba260..7b87493 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -253,6 +253,11 @@ int ptrace_set_watch_regs(struct task_struct *child,
 #ifdef CONFIG_32BIT
 		if (lt[i] & __UA_LIMIT)
 			return -EINVAL;
+
+#ifdef CONFIG_EVA
+		if (lt[i] >= PAGE_OFFSET)
+			return -EINVAL;
+#endif /* CONFIG_EVA */
 #else
 		if (test_tsk_thread_flag(child, TIF_32BIT_ADDR)) {
 			if (lt[i] & 0xffffffff80000000UL)
-- 
2.7.4
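Review bot: the new `if (lt[i] >= PAGE_OFFSET)` check sits directly under the existing `if (lt[i] & __UA_LIMIT)` check with nothing in the code saying why the first check is not enough; a reader of ptrace.c without this commit message will see two apparently redundant bounds checks. Suggest a short comment above the `#ifdef CONFIG_EVA` block stating that under EVA the user segment can extend past `PAGE_OFFSET`, so a watchpoint address that passes the `__UA_LIMIT` test may still fall in kernel text or data and must be rejected to avoid recursing in the watch exception handler. It is also worth noting in that comment (or the commit message) that the check applies on every EVA kernel, including configurations where no overlap exists, which is harmless but not obvious from the hunk.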