Re: [PATCH v2] perf/x86: Check data address for IBS software filter

[Ravi Bangoria]

Hi Namhyung,

>>> IBS software filter was to filter kernel samples for regular users in
>>> PMI handler.  It checks the instruction address in the IBS register to
>>> determine if it was in the kernel more or not.
>>>
>>> But it turns out that it's possible to report a kernel data address even
>>> if the instruction address belongs to the user space.  Matteo Rizzo
>>> found that when an instruction raises an exception, IBS can report some
>>> kernel data address like IDT while holding the faulting instruction's
>>> RIP.  To prevent an information leak, it should double check if the data
>>> address in PERF_SAMPLE_DATA is in the kernel space as well.
>>
>> PERF_SAMPLE_RAW can also leak kernel data address. How about:
> 
> Thanks for your review.
> 
> I think RAW is different as it requires perf_event_paranoid == -1.

IBS allows PERF_SAMPLE_RAW irrespective of perf_event_paranoid. e.g.:

  $ cat /proc/sys/kernel/perf_event_paranoid
  2

  $ ./perf record -e ibs_op/swfilt=1/u --raw-samples -- make
  [ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 1.371 MB perf.data (3957 samples) ]

  $ ./perf script -D | egrep -A2 "LdOp 1.*DcLinAddrValid 1" | egrep "IbsDCLinAd:\s*f"
  IbsDCLinAd:     fffffe00000000e8

We have two options:
1) Restrict IBS + PERF_SAMPLE_RAW to privilege users.
2) Remove all sensitive information from raw register dump before
   passing it to userspace. (Kernel data addresses and all physical
   addresses are the only sensitive info I suppose?).

2 is better IMO since it will allow unprivileged user to use IBS
with full potential. wdyt?

Thanks,
Ravi