[PATCH v2] perf/x86: Check data address for IBS software filter

From: Namhyung Kim
Date: Mon Mar 17 2025 - 12:41:49 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 6.13 15/16] selftests: netfilter: skip br_netfilter queue tests if kernel is tainted"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.13 11/16] nvme-pci: fix stuck reset on concurrent DPC and HP"
Next in thread: tip-bot2 for Namhyung Kim: " [tip: perf/urgent] perf/x86: Check data address for IBS software filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

IBS software filter was to filter kernel samples for regular users in
PMI handler. It checks the instruction address in the IBS register to
determine if it was in the kernel more or not.

But it turns out that it's possible to report a kernel data address even
if the instruction address belongs to the user space. Matteo Rizzo
found that when an instruction raises an exception, IBS can report some
kernel data address like IDT while holding the faulting instruction's
RIP. To prevent an information leak, it should double check if the data
address in PERF_SAMPLE_DATA is in the kernel space as well.

Suggested-by: Matteo Rizzo <matteorizzo@xxxxxxxxxx>
Cc: Ravi Bangoria <ravi.bangoria@xxxxxxx>
Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx>
---
v2)
* fix a build error (Boris)
* use kernel_ip() instead (Peter)
* combine sw filter checks (Ravi)

arch/x86/events/amd/ibs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 7b52b8e3a185157f..fbe10b469e8b03d5 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1267,8 +1267,13 @@ static int perf_ibs_handle_irq(struct perf_ibs *perf_ibs, struct pt_regs *iregs)
regs.flags |= PERF_EFLAGS_EXACT;
}

+ if (perf_ibs == &perf_ibs_op)
+ perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
+
if ((event->attr.config2 & IBS_SW_FILTER_MASK) &&
- perf_exclude_event(event, &regs)) {
+ (perf_exclude_event(event, &regs) ||
+ ((data.sample_flags & PERF_SAMPLE_ADDR) &&
+ event->attr.exclude_kernel && kernel_ip(data.addr)))) {
throttle = perf_event_account_interrupt(event);
goto out;
}
@@ -1283,9 +1288,6 @@ static int perf_ibs_handle_irq(struct perf_ibs *perf_ibs, struct pt_regs *iregs)
perf_sample_save_raw_data(&data, event, &raw);
}

- if (perf_ibs == &perf_ibs_op)
- perf_ibs_parse_ld_st_data(event->attr.sample_type, &ibs_data, &data);
-
/*
* rip recorded by IbsOpRip will not be consistent with rsp and rbp
* recorded as part of interrupt regs. Thus we need to use rip from
--
2.49.0.rc1.451.g8f38331e32-goog

Next message: Sasha Levin: "[PATCH AUTOSEL 6.13 15/16] selftests: netfilter: skip br_netfilter queue tests if kernel is tainted"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.13 11/16] nvme-pci: fix stuck reset on concurrent DPC and HP"
Next in thread: tip-bot2 for Namhyung Kim: " [tip: perf/urgent] perf/x86: Check data address for IBS software filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]