[RFC PATCH 1/2] kprobes/x86: Use probe_kernel_read instead of memcpy

From: Masami Hiramatsu
Date: Mon Feb 27 2017 - 11:14:33 EST

Next message: Jerome Brunet: "[PATCH 2/2] ASoC: es7134: add dt-bindings for the es7134 dac"
Previous message: Andrey Konovalov: "net/sctp: use-after-free in sctp_hash_transport"
In reply to: Masami Hiramatsu: "[RFC PATCH 0/2] kprobes/x86: Handle probing on ex_table cases"
Next in thread: Masami Hiramatsu: "[RFC PATCH 2/2] kprobes/x86: Exit single-stepping before trying fixup_exception"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Use probe_kernel_read() for avoiding unexpected faults while
copying kernel text in both of __recover_probed_insn() and
__recover_optprobed_insn().

Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
---
arch/x86/kernel/kprobes/core.c | 7 +++++--
arch/x86/kernel/kprobes/opt.c | 5 ++++-
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 6384eb7..34d3a52 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -264,7 +264,10 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
* Fortunately, we know that the original code is the ideal 5-byte
* long NOP.
*/
- memcpy(buf, (void *)addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
+ if (probe_kernel_read(buf, (void *)addr,
+ MAX_INSN_SIZE * sizeof(kprobe_opcode_t)))
+ return 0UL;
+
if (faddr)
memcpy(buf, ideal_nops[NOP_ATOMIC5], 5);
else
@@ -276,7 +279,7 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
* Recover the probed instruction at addr for further analysis.
* Caller must lock kprobes by kprobe_mutex, or disable preemption
* for preventing to release referencing kprobes.
- * Returns zero if the instruction can not get recovered.
+ * Returns zero if the instruction can not get recovered (or access failed).
*/
unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long addr)
{
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index 3d1bee9..06ddd0b 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -65,7 +65,10 @@ unsigned long __recover_optprobed_insn(kprobe_opcode_t *buf, unsigned long addr)
* overwritten by jump destination address. In this case, original
* bytes must be recovered from op->optinsn.copied_insn buffer.
*/
- memcpy(buf, (void *)addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
+ if (probe_kernel_read(buf, (void *)addr,
+ MAX_INSN_SIZE * sizeof(kprobe_opcode_t)))
+ return 0UL;
+
if (addr == (unsigned long)kp->addr) {
buf[0] = kp->opcode;
memcpy(buf + 1, op->optinsn.copied_insn, RELATIVE_ADDR_SIZE);

Next message: Jerome Brunet: "[PATCH 2/2] ASoC: es7134: add dt-bindings for the es7134 dac"
Previous message: Andrey Konovalov: "net/sctp: use-after-free in sctp_hash_transport"
In reply to: Masami Hiramatsu: "[RFC PATCH 0/2] kprobes/x86: Handle probing on ex_table cases"
Next in thread: Masami Hiramatsu: "[RFC PATCH 2/2] kprobes/x86: Exit single-stepping before trying fixup_exception"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]