Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check

From: Ingo Molnar
Date: Thu Mar 06 2025 - 06:23:02 EST

Next message: Shiju Jose: "RE: [PATCH v2 2/3] ACPI:RAS2: Add ACPI RAS2 driver"
Previous message: tip-bot2 for Li Huafei: "[tip: perf/core] watchdog/hardlockup/perf: Fix perf_event memory leak"
In reply to: Jiri Olsa: "Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Jiri Olsa <olsajiri@xxxxxxxxx> wrote:

> On Mon, Feb 17, 2025 at 01:09:43PM +0100, Jiri Olsa wrote:
> > On Thu, Feb 13, 2025 at 09:58:29AM -0800, Andy Lutomirski wrote:
> > > On Thu, Feb 13, 2025 at 1:16 AM Jiri Olsa <olsajiri@xxxxxxxxx> wrote:
> > > >
> > > > On Wed, Feb 12, 2025 at 05:37:11PM -0800, Andy Lutomirski wrote:
> > > > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@xxxxxxxxxx> wrote:
> > > > > >
> > > > > > Jann reported [1] possible issue when trampoline_check_ip returns
> > > > > > address near the bottom of the address space that is allowed to
> > > > > > call into the syscall if uretprobes are not set up.
> > > > > >
> > > > > > Though the mmap minimum address restrictions will typically prevent
> > > > > > creating mappings there, let's make sure uretprobe syscall checks
> > > > > > for that.
> > > > >
> > > > > It would be a layering violation, but we could perhaps do better here:
> > > > >
> > > > > > - if (regs->ip != trampoline_check_ip())
> > > > > > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > > > > > + if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> > > > > > goto sigill;
> > > > >
> > > > > Instead of SIGILL, perhaps this should do the seccomp action? So the
> > > > > logic in seccomp would be (sketchily, with some real mode1 mess):
> > > > >
> > > > > if (is_a_real_uretprobe())
> > > > > skip seccomp;
> > > >
> > > > IIUC you want to move the address check earlier to the seccomp path..
> > > > with the benefit that we would kill not allowed caller sooner?
> > >
> > > The benefit would be that seccomp users that want to do something
> > > other than killing a process (returning an error code, getting
> > > notified, etc) could retain that functionality without the new
> > > automatic hole being poked for uretprobe() in cases where uprobes
> > > aren't in use or where the calling address doesn't match the uprobe
> > > trampoline. IOW it would reduce the scope to which we're making
> > > seccomp behave unexpectedly.
> >
> > Kees, any thoughts about this approach?
>
> ping, any idea?

So in any case I think the seccomp QoL tie-in suggested by Andy should
be done in a separate patch, and I've applied the -v3 patch to
tip:perf/core as-is.

( I've added Alexei's Acked-by too, which as I've read the v2 thread's
discussion was a given as long as his ~0 suggestion was implemented,
which you did. )

Thanks,

Ingo

Next message: Shiju Jose: "RE: [PATCH v2 2/3] ACPI:RAS2: Add ACPI RAS2 driver"
Previous message: tip-bot2 for Li Huafei: "[tip: perf/core] watchdog/hardlockup/perf: Fix perf_event memory leak"
In reply to: Jiri Olsa: "Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]