Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check

[Eyal Birger]

(sorry for the HTML spam)

On Wed, Feb 12, 2025 at 5:37 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>
> On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@xxxxxxxxxx> wrote:
> >
> > Jann reported [1] possible issue when trampoline_check_ip returns
> > address near the bottom of the address space that is allowed to
> > call into the syscall if uretprobes are not set up.
> >
> > Though the mmap minimum address restrictions will typically prevent
> > creating mappings there, let's make sure uretprobe syscall checks
> > for that.
>
> It would be a layering violation, but we could perhaps do better here:
>
> > -       if (regs->ip != trampoline_check_ip())
> > +       /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > +       if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> >                 goto sigill;
>
> Instead of SIGILL, perhaps this should do the seccomp action?  So the
> logic in seccomp would be (sketchily, with some real mode1 mess):
>
> if (is_a_real_uretprobe())
>     skip seccomp;
>
> where is_a_real_uretprobe() is only true if the nr and arch match
> uretprobe *and* the address is right.



Why would it make sense to rely on CONFIG_SECCOMP for this check? seems
this check should be done regardless of seccomp.

Or maybe I missed something in the suggestion.

Eyal.

>
>
> --Andy