(sorry for the HTML spam) On Wed, Feb 12, 2025 at 5:37 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote: > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@xxxxxxxxxx> wrote: > > > > Jann reported [1] possible issue when trampoline_check_ip returns > > address near the bottom of the address space that is allowed to > > call into the syscall if uretprobes are not set up. > > > > Though the mmap minimum address restrictions will typically prevent > > creating mappings there, let's make sure uretprobe syscall checks > > for that. > > It would be a layering violation, but we could perhaps do better here: > > > - if (regs->ip != trampoline_check_ip()) > > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */ > > + if (unlikely(regs->ip != trampoline_check_ip(tramp))) > > goto sigill; > > Instead of SIGILL, perhaps this should do the seccomp action? So the > logic in seccomp would be (sketchily, with some real mode1 mess): > > if (is_a_real_uretprobe()) > skip seccomp; > > where is_a_real_uretprobe() is only true if the nr and arch match > uretprobe *and* the address is right. Why would it make sense to rely on CONFIG_SECCOMP for this check? seems this check should be done regardless of seccomp. Or maybe I missed something in the suggestion. Eyal. > > > --Andy
