Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

* Jiri Olsa <olsajiri@xxxxxxxxx> wrote:

> On Mon, Feb 17, 2025 at 01:09:43PM +0100, Jiri Olsa wrote:
> > On Thu, Feb 13, 2025 at 09:58:29AM -0800, Andy Lutomirski wrote:
> > > On Thu, Feb 13, 2025 at 1:16 AM Jiri Olsa <olsajiri@xxxxxxxxx> wrote:
> > > >
> > > > On Wed, Feb 12, 2025 at 05:37:11PM -0800, Andy Lutomirski wrote:
> > > > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@xxxxxxxxxx> wrote:
> > > > > >
> > > > > > Jann reported [1] possible issue when trampoline_check_ip returns
> > > > > > address near the bottom of the address space that is allowed to
> > > > > > call into the syscall if uretprobes are not set up.
> > > > > >
> > > > > > Though the mmap minimum address restrictions will typically prevent
> > > > > > creating mappings there, let's make sure uretprobe syscall checks
> > > > > > for that.
> > > > >
> > > > > It would be a layering violation, but we could perhaps do better here:
> > > > >
> > > > > > -       if (regs->ip != trampoline_check_ip())
> > > > > > +       /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > > > > > +       if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> > > > > >                 goto sigill;
> > > > >
> > > > > Instead of SIGILL, perhaps this should do the seccomp action?  So the
> > > > > logic in seccomp would be (sketchily, with some real mode1 mess):
> > > > >
> > > > > if (is_a_real_uretprobe())
> > > > >     skip seccomp;
> > > >
> > > > IIUC you want to move the address check earlier to the seccomp path..
> > > > with the benefit that we would kill not allowed caller sooner?
> > > 
> > > The benefit would be that seccomp users that want to do something
> > > other than killing a process (returning an error code, getting
> > > notified, etc) could retain that functionality without the new
> > > automatic hole being poked for uretprobe() in cases where uprobes
> > > aren't in use or where the calling address doesn't match the uprobe
> > > trampoline.  IOW it would reduce the scope to which we're making
> > > seccomp behave unexpectedly.
> > 
> > Kees, any thoughts about this approach?
> 
> ping, any idea?

So in any case I think the seccomp QoL tie-in suggested by Andy should 
be done in a separate patch, and I've applied the -v3 patch to 
tip:perf/core as-is.

( I've added Alexei's Acked-by too, which as I've read the v2 thread's 
  discussion was a given as long as his ~0 suggestion was implemented,
  which you did. )

Thanks,

	Ingo
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux