[RFC,1/2] kprobes: Prohibit probing on CFI preamble symbol

Message ID	168899126450.80889.16200438320430187434.stgit@devnote2 (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-trace-kernel-owner@vger.kernel.org> From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> To: Peter Zijlstra <peterz@infradead.org> Cc: Petr Pavlu <petr.pavlu@suse.com>, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, samitolvanen@google.com, x86@kernel.org, linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org, Masami Hiramatsu <mhiramat@kernel.org> Subject: [RFC PATCH 1/2] kprobes: Prohibit probing on CFI preamble symbol Date: Mon, 10 Jul 2023 21:14:24 +0900 Message-Id: <168899126450.80889.16200438320430187434.stgit@devnote2> In-Reply-To: <168899125356.80889.17967397360941194229.stgit@devnote2> References: <168899125356.80889.17967397360941194229.stgit@devnote2> User-Agent: StGit/0.19 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk
Series	x86: kprobes: Fix CFI_CLANG related issues \| expand [RFC,0/2] x86: kprobes: Fix CFI_CLANG related issues [RFC,1/2] kprobes: Prohibit probing on CFI preamble symbol [RFC,2/2] x86/kprobes: Prohibit probing on compiler generated CFI checking code

Message ID

168899126450.80889.16200438320430187434.stgit@devnote2 (mailing list archive)

State

Superseded

Headers

From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Pavlu <petr.pavlu@suse.com>, tglx@linutronix.de,
        mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com,
        hpa@zytor.com, samitolvanen@google.com, x86@kernel.org,
        linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org,
        Masami Hiramatsu <mhiramat@kernel.org>
Subject: [RFC PATCH 1/2] kprobes: Prohibit probing on CFI preamble symbol
Date: Mon, 10 Jul 2023 21:14:24 +0900
Message-Id: <168899126450.80889.16200438320430187434.stgit@devnote2>
In-Reply-To: <168899125356.80889.17967397360941194229.stgit@devnote2>
References: <168899125356.80889.17967397360941194229.stgit@devnote2>
User-Agent: StGit/0.19
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

x86: kprobes: Fix CFI_CLANG related issues | expand

Commit Message

Masami Hiramatsu (Google) July 10, 2023, 12:14 p.m. UTC

From: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Do not allow to probe on "__cfi_" started symbol, because it includes
a typeid value in the code for CFI. Probing it will break the typeid
checking.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
---
 kernel/kprobes.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

Comments

Peter Zijlstra July 10, 2023, 3:37 p.m. UTC | #1

On Mon, Jul 10, 2023 at 09:14:24PM +0900, Masami Hiramatsu (Google) wrote:

> +#ifdef CONFIG_CFI_CLANG
> +static bool is_cfi_preamble_symbol(unsigned long addr)
> +{
> +	char symbuf[KSYM_NAME_LEN];
> +
> +	if (lookup_symbol_name(addr, symbuf))
> +		return false;
> +
> +	return str_has_prefix("__cfi_", symbuf)
		|| str_has_prefix("__pfx_", symbol);

The __pfx_ symbols can happen when !CFI_CLANG but still having
FUNCTION_PADDING_BYTES.

> +}
> +#else
> +#define is_cfi_preamble_symbol(addr)	(0)
> +#endif

As such I think we can do the above unconditionally, without either
there should not be any matching symbols.

Masami Hiramatsu (Google) July 10, 2023, 11:50 p.m. UTC | #2

On Mon, 10 Jul 2023 17:37:24 +0200
Peter Zijlstra <peterz@infradead.org> wrote:

> On Mon, Jul 10, 2023 at 09:14:24PM +0900, Masami Hiramatsu (Google) wrote:
> 
> 
> > +#ifdef CONFIG_CFI_CLANG
> > +static bool is_cfi_preamble_symbol(unsigned long addr)
> > +{
> > +	char symbuf[KSYM_NAME_LEN];
> > +
> > +	if (lookup_symbol_name(addr, symbuf))
> > +		return false;
> > +
> > +	return str_has_prefix("__cfi_", symbuf)
> 		|| str_has_prefix("__pfx_", symbol);
> 
> The __pfx_ symbols can happen when !CFI_CLANG but still having
> FUNCTION_PADDING_BYTES.

Indeed. Currently __pfx is not probed via tracefs interface because it is
notrace function but kprobe itself should also prohibit that.

> 
> > +}
> > +#else
> > +#define is_cfi_preamble_symbol(addr)	(0)
> > +#endif
> 
> As such I think we can do the above unconditionally, without either
> there should not be any matching symbols.

OK.

Thank you!

>

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 00e177de91cc..ce2e460c1f79 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1545,6 +1545,20 @@  static int check_ftrace_location(struct kprobe *p)
 	return 0;
 }
 
+#ifdef CONFIG_CFI_CLANG
+static bool is_cfi_preamble_symbol(unsigned long addr)
+{
+	char symbuf[KSYM_NAME_LEN];
+
+	if (lookup_symbol_name(addr, symbuf))
+		return false;
+
+	return str_has_prefix("__cfi_", symbuf);
+}
+#else
+#define is_cfi_preamble_symbol(addr)	(0)
+#endif
+
 static int check_kprobe_address_safe(struct kprobe *p,
 				     struct module **probed_mod)
 {
@@ -1563,7 +1577,8 @@  static int check_kprobe_address_safe(struct kprobe *p,
 	    within_kprobe_blacklist((unsigned long) p->addr) ||
 	    jump_label_text_reserved(p->addr, p->addr) ||
 	    static_call_text_reserved(p->addr, p->addr) ||
-	    find_bug((unsigned long)p->addr)) {
+	    find_bug((unsigned long)p->addr) ||
+	    is_cfi_preamble_symbol((unsigned long)p->addr)) {
 		ret = -EINVAL;
 		goto out;
 	}

[RFC,1/2] kprobes: Prohibit probing on CFI preamble symbol

Commit Message

Comments

Patch