[PATCH 3.2 070/104] kprobes/x86: Blacklist indirect thunk functions for kprobes

Ben Hutchings <ben@xxxxxxxxxxxxxxx> · Mon, 12 Mar 2018 03:03:34 +0000

3.2.101-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@xxxxxxxxxx>

commit c1804a236894ecc942da7dc6c5abe209e56cba93 upstream.

Mark __x86_indirect_thunk_* functions as blacklist for kprobes
because those functions can be called from anywhere in the kernel
including blacklist functions of kprobes.

Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Acked-by: David Woodhouse <dwmw@xxxxxxxxxxxx>
Cc: Andi Kleen <ak@xxxxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Ananth N Mavinakayanahalli <ananth@xxxxxxxxxxxxxxxxxx>
Cc: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxxx>
Link: https://lkml.kernel.org/r/151629209111.10241.5444852823378068683.stgit@devbox
[bwh: Backported to 3.2: We don't have _ASM_NOKPROBE etc., so add indirect
 thunks to the built-in blacklist]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---

--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -53,6 +53,9 @@
 #include <asm/cacheflush.h>
 #include <asm/errno.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_RETPOLINE
+#include <asm/nospec-branch.h>
+#endif
 
 #define KPROBE_HASH_BITS 6
 #define KPROBE_TABLE_SIZE (1 << KPROBE_HASH_BITS)
@@ -99,6 +102,11 @@ static struct kprobe_blackpoint kprobe_b
 	{"irq_entries_start",},
 	{"common_interrupt",},
 	{"mcount",},	/* mcount can be called from everywhere */
+#ifdef CONFIG_RETPOLINE
+	{"__indirect_thunk_start",
+	 /* Linker scripts can't set symbol sizes */
+	 .range = (size_t)__indirect_thunk_size},
+#endif
 	{NULL}    /* Terminator */
 };
 
@@ -1986,7 +1994,7 @@ static int __init init_kprobes(void)
 				&size, &offset, &modname, namebuf);
 		if (!symbol_name)
 			kb->range = 0;
-		else
+		else if (size)
 			kb->range = size;
 	}
 
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -173,6 +173,7 @@ enum spectre_v2_mitigation {
 
 extern char __indirect_thunk_start[];
 extern char __indirect_thunk_end[];
+extern char __indirect_thunk_size[];
 
 /*
  * On VMEXIT we must ensure that no RSB predictions learned in the guest
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -112,6 +112,7 @@ SECTIONS
 		__indirect_thunk_start = .;
 		*(.text.__x86.indirect_thunk)
 		__indirect_thunk_end = .;
+		__indirect_thunk_size = __indirect_thunk_end - __indirect_thunk_start;
 #endif
 
 		/* End of text section */







