Re: [PATCH 07/12] perf_events: add LBR software filter support forIntel X86

[Peter Zijlstra]

On Fri, 2011-10-07 at 12:40 +0200, Stephane Eranian wrote:
> On Fri, Oct 7, 2011 at 12:38 PM, Stephane Eranian <eranian@xxxxxxxxxx> wrote:
> > On Thu, Oct 6, 2011 at 5:32 PM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:
> >>> +     kernel_insn_init(&insn, kaddr);
> >>> +     insn_get_opcode(&insn);
> >>
> >> This makes me uncomfortable. AFAIK that's the first use of the opcode
> >> decoder being used directly for user space. It has a quite large attack
> >> surface. Who says it cannot be exploited?
> >>
> > This is not new, it's already used for the PEBS fixups and that includes
> > user level fixups, if possible.
> >
> > We are not executing the instruction here, just decoding it to filter it out
> > from a buffer if necessary.
> >
> I would add that in this particular usage, the source address is coming
> straight from LBR, it's not made up my SW. That means it corresponds
> to a point where there was a control flow change. But it can certainly
> be any x86 opcode (not just branches). LBR captures control flow changes
> due to traps, faults, interrupts.

You could still fuzz it after the cpu passed through and before the
kernel reads the LBR. Its a narrow window, but quite feasible.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/