Patch "kprobes: Forbid probing on trampoline and BPF code areas" has been added to the 4.14-stable tree


This is a note to let you know that I've just added the patch titled

    kprobes: Forbid probing on trampoline and BPF code areas

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cdc4f9341442913f18916902ffe78bc578d5de3f
Author: Chen Zhongjin <chenzhongjin@xxxxxxxxxx>
Date:   Mon Aug 1 11:37:19 2022 +0800

    kprobes: Forbid probing on trampoline and BPF code areas
    
    [ Upstream commit 28f6c37a2910f565b4f5960df52b2eccae28c891 ]
    
    kernel_text_address() treats ftrace_trampoline, kprobe_insn_slot
    and bpf_text_address as valid kprobe addresses - which is not ideal.
    
    These text areas are removable and changeable without any notification
    to kprobes, and probing on them can trigger unexpected behavior:
    
      https://lkml.org/lkml/2022/7/26/1148
    
    Considering that jump_label and static_call text are already
    forbidden to probe, kernel_text_address() should be replaced with
    core_kernel_text() and is_module_text_address() to check other text
    areas which are unsafe to kprobe.
    
    [ mingo: Rewrote the changelog. ]
    
    Fixes: 5b485629ba0d ("kprobes, extable: Identify kprobes trampolines as kernel text area")
    Fixes: 74451e66d516 ("bpf: make jited programs visible in traces")
    Signed-off-by: Chen Zhongjin <chenzhongjin@xxxxxxxxxx>
    Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
    Acked-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220801033719.228248-1-chenzhongjin@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 4f918dd28fb7..b8e14aa6d496 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1551,7 +1551,8 @@ static int check_kprobe_address_safe(struct kprobe *p,
 	preempt_disable();
 
 	/* Ensure it is not in reserved area nor out of text */
-	if (!kernel_text_address((unsigned long) p->addr) ||
+	if (!(core_kernel_text((unsigned long) p->addr) ||
+	    is_module_text_address((unsigned long) p->addr)) ||
 	    within_kprobe_blacklist((unsigned long) p->addr) ||
 	    jump_label_text_reserved(p->addr, p->addr) ||
 	    find_bug((unsigned long)p->addr)) {
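Review bot: the comment just above the condition, "Ensure it is not in reserved area nor out of text", no longer describes what the check does and should be updated in this hunk: after the change an address inside the ftrace trampoline, a kprobe insn slot or JITed BPF text is rejected even though kernel_text_address() would report it as text, which is exactly the intent stated in the changelog. Suggest rewording the comment to say that only core kernel text and module text are accepted as probe addresses, so a later reader does not "simplify" `!(core_kernel_text(...) || is_module_text_address(...))` back to `!kernel_text_address(...)`; the nested `!( A || B ) || C || D || E` shape is also easy to misread among the other `||` terms, so a short comment or a small helper (for example a hypothetical `kprobe_addr_is_text()`) would make the intent clearer. The new is_module_text_address() call does sit inside the preempt_disable() region shown at the top of the hunk, which is what keeps the module text from being unloaded underneath the lookup, so the placement itself is fine.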

