* [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent
@ 2016-09-15 15:13 Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Ingo Molnar, linux-kernel, vince, eranian,
Arnaldo Carvalho de Melo, Alexander Shishkin
Hi again,
Apologies for the botched recipient list in the previous one. So I
moved the virt_addr_valid() inside pt.c as well to save cycles in the
LBR code.
These are 3 bugs that Adrian found; all 3 seem like good -stable
candidates.
Alexander Shishkin (3):
perf/x86/intel/pt: Fix an off-by-one in address filter configuration
perf/x86/intel/pt: Fix kernel address filter's offset validation
perf/x86/intel/pt: Do validate the size of a kernel address filter
arch/x86/events/intel/pt.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--
2.9.3
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration
2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin
@ 2016-09-15 15:13 ` Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
2 siblings, 1 reply; 7+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Ingo Molnar, linux-kernel, vince, eranian,
Arnaldo Carvalho de Melo, Alexander Shishkin, stable
PT address filter configuration requires that a range is specified by
its first and last address, but at the moment we're obtaining the end
of the range by adding user specified size to its start, which is off
by one from what it actually needs to be.
Fix this and make sure that zero-sized filters don't pass the filter
validation.
Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
arch/x86/events/intel/pt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 04bb5fb5a8..5ec0100e3f 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
list_for_each_entry(filter, filters, entry) {
/* PT doesn't support single address triggers */
- if (!filter->range)
+ if (!filter->range || !filter->size)
return -EOPNOTSUPP;
if (!filter->inode && !kernel_ip(filter->offset))
@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(struct perf_event *event)
} else {
/* apply the offset */
msr_a = filter->offset + offs[range];
- msr_b = filter->size + msr_a;
+ msr_b = filter->size + msr_a - 1;
}
filters->filter[range].msr_a = msr_a;
--
2.9.3
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation
2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
@ 2016-09-15 15:13 ` Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
2 siblings, 1 reply; 7+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Ingo Molnar, linux-kernel, vince, eranian,
Arnaldo Carvalho de Melo, Alexander Shishkin, stable
The kernel_ip() filter is used mostly by the DS/LBR code to look at the
branch addresses, but Intel PT also uses it to validate the address
filter offsets for kernel addresses, for which it is not sufficient:
supplying something in bits 64:48 that's not a sign extension of the lower
address bits (like 0xf00d000000000000) throws a #GP.
This patch adds address validation for the user supplied kernel filters.
Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
arch/x86/events/intel/pt.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 5ec0100e3f..1f94963a28 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct perf_event *event)
event->hw.addr_filters = NULL;
}
+static inline bool valid_kernel_ip(unsigned long ip)
+{
+ return virt_addr_valid(ip) && kernel_ip(ip);
+}
+
static int pt_event_addr_filters_validate(struct list_head *filters)
{
struct perf_addr_filter *filter;
@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
if (!filter->range || !filter->size)
return -EOPNOTSUPP;
- if (!filter->inode && !kernel_ip(filter->offset))
+ if (!filter->inode && !valid_kernel_ip(filter->offset))
return -EINVAL;
if (++range > pt_cap_get(PT_CAP_num_address_ranges))
--
2.9.3
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter
2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
@ 2016-09-15 15:13 ` Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
2 siblings, 1 reply; 7+ messages in thread
From: Alexander Shishkin @ 2016-09-15 15:13 UTC (permalink / raw)
To: Peter Zijlstra
Cc: Ingo Molnar, linux-kernel, vince, eranian,
Arnaldo Carvalho de Melo, Alexander Shishkin, stable
Right now, the kernel address filters in PT are prone to integer overflow
that may happen in adding filter's size to its offset to obtain the end
of the range. Such an overflow would also throw a #GP in the PT event
configuration path.
Fix this by explicitly validating the result of this calculation.
Cc: stable@vger.kernel.org # v4.7
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
---
arch/x86/events/intel/pt.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 1f94963a28..861a7d9cb6 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
if (!filter->range || !filter->size)
return -EOPNOTSUPP;
- if (!filter->inode && !valid_kernel_ip(filter->offset))
- return -EINVAL;
+ if (!filter->inode) {
+ if (!valid_kernel_ip(filter->offset))
+ return -EINVAL;
+
+ if (!valid_kernel_ip(filter->offset + filter->size))
+ return -EINVAL;
+ }
if (++range > pt_cap_get(PT_CAP_num_address_ranges))
return -EOPNOTSUPP;
--
2.9.3
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Fix an off-by-one in address filter configuration
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
@ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin
0 siblings, 0 replies; 7+ messages in thread
From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw)
To: linux-tip-commits
Cc: eranian, mingo, acme, a.p.zijlstra, tglx, adrian.hunter, hpa,
vincent.weaver, alexander.shishkin, torvalds, peterz, acme,
linux-kernel, jolsa
Commit-ID: 95f60084acbcee6c466256cf26eb52191fad9edc
Gitweb: http://git.kernel.org/tip/95f60084acbcee6c466256cf26eb52191fad9edc
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
AuthorDate: Thu, 15 Sep 2016 18:13:50 +0300
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Fri, 16 Sep 2016 11:14:16 +0200
perf/x86/intel/pt: Fix an off-by-one in address filter configuration
PT address filter configuration requires that a range is specified by
its first and last address, but at the moment we're obtaining the end
of the range by adding user specified size to its start, which is off
by one from what it actually needs to be.
Fix this and make sure that zero-sized filters don't pass the filter
validation.
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: stable@vger.kernel.org # v4.7
Cc: stable@vger.kernel.org#v4.7
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/events/intel/pt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 04bb5fb..5ec0100 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
list_for_each_entry(filter, filters, entry) {
/* PT doesn't support single address triggers */
- if (!filter->range)
+ if (!filter->range || !filter->size)
return -EOPNOTSUPP;
if (!filter->inode && !kernel_ip(filter->offset))
@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(struct perf_event *event)
} else {
/* apply the offset */
msr_a = filter->offset + offs[range];
- msr_b = filter->size + msr_a;
+ msr_b = filter->size + msr_a - 1;
}
filters->filter[range].msr_a = msr_a;
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Fix kernel address filter's offset validation
2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
@ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin
0 siblings, 0 replies; 7+ messages in thread
From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, acme, tglx, jolsa, hpa, a.p.zijlstra, peterz,
eranian, acme, vincent.weaver, alexander.shishkin, torvalds,
adrian.hunter, mingo
Commit-ID: ddfdad991e55b65c1cc4ee29502f6dceee04455a
Gitweb: http://git.kernel.org/tip/ddfdad991e55b65c1cc4ee29502f6dceee04455a
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
AuthorDate: Thu, 15 Sep 2016 18:13:51 +0300
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Fri, 16 Sep 2016 11:14:16 +0200
perf/x86/intel/pt: Fix kernel address filter's offset validation
The kernel_ip() filter is used mostly by the DS/LBR code to look at the
branch addresses, but Intel PT also uses it to validate the address
filter offsets for kernel addresses, for which it is not sufficient:
supplying something in bits 64:48 that's not a sign extension of the lower
address bits (like 0xf00d000000000000) throws a #GP.
This patch adds address validation for the user supplied kernel filters.
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: stable@vger.kernel.org # v4.7
Cc: stable@vger.kernel.org#v4.7
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/events/intel/pt.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 5ec0100..1f94963 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct perf_event *event)
event->hw.addr_filters = NULL;
}
+static inline bool valid_kernel_ip(unsigned long ip)
+{
+ return virt_addr_valid(ip) && kernel_ip(ip);
+}
+
static int pt_event_addr_filters_validate(struct list_head *filters)
{
struct perf_addr_filter *filter;
@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
if (!filter->range || !filter->size)
return -EOPNOTSUPP;
- if (!filter->inode && !kernel_ip(filter->offset))
+ if (!filter->inode && !valid_kernel_ip(filter->offset))
return -EINVAL;
if (++range > pt_cap_get(PT_CAP_num_address_ranges))
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:perf/urgent] perf/x86/intel/pt: Do validate the size of a kernel address filter
2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
@ 2016-09-16 11:58 ` tip-bot for Alexander Shishkin
0 siblings, 0 replies; 7+ messages in thread
From: tip-bot for Alexander Shishkin @ 2016-09-16 11:58 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, jolsa, eranian, hpa, mingo, acme, a.p.zijlstra,
alexander.shishkin, peterz, vincent.weaver, adrian.hunter,
torvalds, tglx, acme
Commit-ID: 1155bafcb79208abc6ae234c6e135ac70607755c
Gitweb: http://git.kernel.org/tip/1155bafcb79208abc6ae234c6e135ac70607755c
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
AuthorDate: Thu, 15 Sep 2016 18:13:52 +0300
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Fri, 16 Sep 2016 11:14:16 +0200
perf/x86/intel/pt: Do validate the size of a kernel address filter
Right now, the kernel address filters in PT are prone to integer overflow
that may happen in adding filter's size to its offset to obtain the end
of the range. Such an overflow would also throw a #GP in the PT event
configuration path.
Fix this by explicitly validating the result of this calculation.
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: stable@vger.kernel.org # v4.7
Cc: stable@vger.kernel.org#v4.7
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/events/intel/pt.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
index 1f94963..861a7d9 100644
--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validate(struct list_head *filters)
if (!filter->range || !filter->size)
return -EOPNOTSUPP;
- if (!filter->inode && !valid_kernel_ip(filter->offset))
- return -EINVAL;
+ if (!filter->inode) {
+ if (!valid_kernel_ip(filter->offset))
+ return -EINVAL;
+
+ if (!valid_kernel_ip(filter->offset + filter->size))
+ return -EINVAL;
+ }
if (++range > pt_cap_get(PT_CAP_num_address_ranges))
return -EOPNOTSUPP;
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-09-16 11:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-15 15:13 [PATCH v1 0/3] perf/x86/intel/pt: Address filtering fixes for perf/urgent Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 1/3] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 2/3] perf/x86/intel/pt: Fix kernel address filter's offset validation Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
2016-09-15 15:13 ` [PATCH v1 3/3] perf/x86/intel/pt: Do validate the size of a kernel address filter Alexander Shishkin
2016-09-16 11:58 ` [tip:perf/urgent] " tip-bot for Alexander Shishkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).