On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@xxxxxxxxxx> wrote:
>
> Jann reported [1] possible issue when trampoline_check_ip returns
> address near the bottom of the address space that is allowed to
> call into the syscall if uretprobes are not set up.
>
> Though the mmap minimum address restrictions will typically prevent
> creating mappings there, let's make sure uretprobe syscall checks
> for that.
It would be a layering violation, but we could perhaps do better here:
> - if (regs->ip != trampoline_check_ip())
> + /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> + if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> goto sigill;
Instead of SIGILL, perhaps this should do the seccomp action? So the
logic in seccomp would be (sketchily, with some real mode1 mess):
if (is_a_real_uretprobe())
skip seccomp;
where is_a_real_uretprobe() is only true if the nr and arch match
uretprobe *and* the address is right.
--Andy
