From: Ingo Molnar <mingo@kernel.org>
To: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Ananth N Mavinakayanahalli <ananth@in.ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>,
"David S . Miller" <davem@davemloft.net>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -tip v2 0/2] kprobes/x86: RO text code bugfix and cleanup
Date: Thu, 17 Aug 2017 11:55:30 +0200 [thread overview]
Message-ID: <20170817095530.zew2tppikufosf2u@gmail.com> (raw)
In-Reply-To: <150249861299.18166.13400123503538960282.stgit@devbox>
* Masami Hiramatsu <mhiramat@kernel.org> wrote:
> Hi,
>
> This series fixes a kprobe-x86 bug related to RO text and
> cleans up addressof operators.
>
> The first one is an obvious bug that misses to set memory
> RO when the function fails. And the second one is just a
> cleanup patch to remove addressof operators ("&") since
> it is meaningless anymore.
>
> V2 has just a following update:
> - [1/2] Use a helper variable instead of using p->ainsn.insn
> directly.
>
> Thanks,
>
> ---
>
> Masami Hiramatsu (2):
> kprobes/x86: Don't forget to set memory back to RO on failure
> kprobes/x86: Remove addressof operators
>
>
> arch/x86/include/asm/kprobes.h | 4 ++--
> arch/x86/kernel/kprobes/core.c | 15 +++++++++------
> arch/x86/kernel/kprobes/opt.c | 9 +++++----
> 3 files changed, 16 insertions(+), 12 deletions(-)
So I'm totally opposed to the whole approach of modifying the permissions of the
kernel text virtual memory area.
Firstly, it's racy against other kernel subsystems: what happens if some other
code patching mechanism does a similar 'mark RWX and then back to RX'? Who
provides the synchronization? set_memory_*() certainly does not.
Secondly, it's racy against attackers: if an attacker can time the attack to the
time when a kprobe is installed, then the kernel is still vulnerable.
So how about avoiding the problem altogether by patching the kernel not in its
virtual text address, but in the direct mappings? Then page permissions won't have
to be modified, and the whole solution will be more robust and secure.
Is there anything I'm missing?
Thanks,
Ingo
next prev parent reply other threads:[~2017-08-17 9:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-12 0:43 Masami Hiramatsu
2017-08-12 0:44 ` [PATCH -tip v2 1/2] kprobes/x86: Don't forget to set memory back to RO on failure Masami Hiramatsu
2017-08-12 0:45 ` [PATCH -tip v2 2/2] kprobes/x86: Remove addressof operators Masami Hiramatsu
2017-08-17 9:55 ` Ingo Molnar [this message]
2017-08-17 15:07 ` [PATCH -tip v2 0/2] kprobes/x86: RO text code bugfix and cleanup Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170817095530.zew2tppikufosf2u@gmail.com \
--to=mingo@kernel.org \
--cc=ananth@in.ibm.com \
--cc=anil.s.keshavamurthy@intel.com \
--cc=davem@davemloft.net \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome