Re: [PATCH] riscv: kprobe: Fixup kernel panic when probing an illegal position

From: "liaochang (A)" <liaochang1@huawei.com>
To: Guo Ren <guoren@kernel.org>
Cc: <palmer@dabbelt.com>, <paul.walmsley@sifive.com>,
	<mhiramat@kernel.org>, <conor.dooley@microchip.com>,
	<penberg@kernel.org>, <mark.rutland@arm.com>,
	<linux-riscv@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
	Guo Ren <guoren@linux.alibaba.com>
Subject: Re: [PATCH] riscv: kprobe: Fixup kernel panic when probing an illegal position
Date: Sat, 28 Jan 2023 17:53:14 +0800	[thread overview]
Message-ID: <e9e78ef3-bbab-a248-488b-016bda9dcaf3@huawei.com> (raw)
In-Reply-To: <CAJF2gTTCFPsn+8NJaQyHan9h9b7=UzjY-+H4_qi4DaGXJ_kD3w@mail.gmail.com>

在 2023/1/28 11:52, Guo Ren 写道:
> On Sat, Jan 28, 2023 at 11:46 AM Guo Ren <guoren@kernel.org> wrote:
>>
>> On Sat, Jan 28, 2023 at 10:55 AM liaochang (A) <liaochang1@huawei.com> wrote:
>>>
>>>
>>>
>>> 在 2023/1/26 21:05, guoren@kernel.org 写道:
>>>> From: Guo Ren <guoren@linux.alibaba.com>
>>>>
>>>> The kernel would panic when probed for an illegal position. eg:
>>>>
>>>> (CONFIG_RISCV_ISA_C=n)
>>>>
>>>> echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events
>>>> echo 1 > events/kprobes/hello/enable
>>>> cat trace
>>>>
>>>> Kernel panic - not syncing: stack-protector: Kernel stack
>>>> is corrupted in: __do_sys_newfstatat+0xb8/0xb8
>>>> CPU: 0 PID: 111 Comm: sh Not tainted
>>>> 6.2.0-rc1-00027-g2d398fe49a4d #490
>>>> Hardware name: riscv-virtio,qemu (DT)
>>>> Call Trace:
>>>> [<ffffffff80007268>] dump_backtrace+0x38/0x48
>>>> [<ffffffff80c5e83c>] show_stack+0x50/0x68
>>>> [<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84
>>>> [<ffffffff80c6da6c>] dump_stack+0x20/0x30
>>>> [<ffffffff80c5ecf4>] panic+0x160/0x374
>>>> [<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8
>>>> [<ffffffff802deeb0>] sys_newstat+0x0/0x30
>>>> [<ffffffff800158c0>] sys_clone+0x20/0x30
>>>> [<ffffffff800039e8>] ret_from_syscall+0x0/0x4
>>>> ---[ end Kernel panic - not syncing: stack-protector:
>>>> Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---
>>>>
>>>> That is because the kprobe's ebreak instruction broke the kernel's
>>>> original code. The user should guarantee the correction of the probe
>>>> position, but it couldn't make the kernel panic.
>>>>
>>>> This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an
>>>> illegal position (Such as the middle of an instruction).
>>>>
>>>> Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported")
>>>> Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
>>>> Signed-off-by: Guo Ren <guoren@kernel.org>
>>>> ---
>>>>  arch/riscv/kernel/probes/kprobes.c | 18 ++++++++++++++++++
>>>>  1 file changed, 18 insertions(+)
>>>>
>>>> diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c
>>>> index f21592d20306..475989f06d6d 100644
>>>> --- a/arch/riscv/kernel/probes/kprobes.c
>>>> +++ b/arch/riscv/kernel/probes/kprobes.c
>>>> @@ -48,6 +48,21 @@ static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs)
>>>>       post_kprobe_handler(p, kcb, regs);
>>>>  }
>>>>
>>>> +static bool __kprobes arch_check_kprobe(struct kprobe *p)
>>>> +{
>>>> +     unsigned long tmp  = (unsigned long)p->addr - p->offset;
>>>> +     unsigned long addr = (unsigned long)p->addr;
>>>> +
>>>> +     while (tmp <= addr) {
>>>> +             if (tmp == addr)
>>>> +                     return true;
>>>> +
>>>> +             tmp += GET_INSN_LENGTH(*(kprobe_opcode_t *)tmp);
>>>> +     }
>>>> +
>>>> +     return false;
>>>> +}
>>>
>>> LGTM.
>>>
>>> I have submit a patch to fix the same problem, found at:
>> Oh, I missed that patch. Our goal is the same.
>>
>> But it would be best if you reused p->offset, not
>> kallsyms_lookup_size_offset, the p->addr added by _kprobe_addr
>> (kernel/kprobes.c), not just kallsyms_lookup_size_offset. Sure, it
>> works around for the current riscv, but that's not correct.
> Sorry, the above description is a little bit confusing. What I mean is that:
> The p->addr = func_entry + p->offset. Not kallsyms_lookup_size_offset.
> Your patch could get the wrong func_entry.

According to my testing and debuggin on QEMU, I think both your patch and mine is able
to find the correct func_entry, because _kprobe_addr also uses kallsyms_lookup_size_offset
to get the first instruction address of given symbol. Of course, i prefere to your patch because it reuse p->offset.

Thanks.

> 
>>
>>>
>>> https://lore.kernel.org/lkml/20230127130541.1250865-11-chenguokai17@mails.ucas.ac.cn/
>>>
>>> So this boundary check is necessary no matter CONFIG_RISCV_ISA_C is enable or not, right?
>> Yes, my panic example in the commit log is based on the
>> !CONFIG_RISCV_ISA_C, you couldn't miss that.
>>
>>>
>>>
>>>> +
>>>>  int __kprobes arch_prepare_kprobe(struct kprobe *p)
>>>>  {
>>>>       unsigned long probe_addr = (unsigned long)p->addr;
>>>> @@ -55,6 +70,9 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
>>>>       if (probe_addr & 0x1)
>>>>               return -EILSEQ;
>>>>
>>>> +     if (!arch_check_kprobe(p))
>>>> +             return -EILSEQ;
>>>> +
>>>>       /* copy instruction */
>>>>       p->opcode = *p->addr;
>>>>
>>>
>>> --
>>> BR,
>>> Liao, Chang
>>
>>
>>
>> --
>> Best Regards
>>  Guo Ren
> 
> 
> 

-- 
BR,
Liao, Chang

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv