Re: [PATCH 0/1] x86/kprobes: Prohibit probing of .entry_trampoline code

From: Masami Hiramatsu
Date: Fri Mar 09 2018 - 10:15:35 EST


On Thu, 8 Mar 2018 22:18:11 -0500
Francis Deslauriers <francis.deslauriers@xxxxxxxxxxxx> wrote:

> Hi all,
>
> While fuzzing the Perf kprobe interface, I found that adding a probe on
> the 'entry_SYSCALL_64_trampoline' symbol will crash my 4.16-rc4
> kernel (661e50bc853209e41a5c14a290ca4decc43cbfd1) on an x86_64 Qemu VM.
>
> How to reproduce:
> echo 'p:event1 entry_SYSCALL_64_trampoline' > ./kprobe_events
> echo 1 > events/kprobes/enable
> Crash log: [1]
>
> My understanding is that the userspace CR3 register has not yet been
> replaced by the kernel's CR3 when the kprobe is triggered. This means
> that the kernel addresses cannot be translated, thus making the
> handling of the kprobe impossible.

Thanks for reporting!
And yes, all entry code must be nokprobe.

>
> This can be fixed by blacklisting the .entry_trampoline section. See
> patch[1/1].
>
> Here is the config I am using[2].
>
> Thanks,
>
> Francis Deslauriers
> EfficiOS inc.
>
> 1: http://paste.ubuntu.com/p/djnpZCzQKv/
> 2: http://paste.ubuntu.com/p/3jrFYt6XQB/
>
> Francis Deslauriers (1):
> x86/kprobes: Prohibit probing of .entry_trampoline code
>
> arch/x86/include/asm/sections.h | 1 +
> arch/x86/kernel/kprobes/core.c | 10 +++++++++-
> arch/x86/kernel/vmlinux.lds.S | 2 ++
> 3 files changed, 12 insertions(+), 1 deletion(-)
>
> --
> 2.7.4
>


--
Masami Hiramatsu <mhiramat@xxxxxxxxxx>
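As an added example (not part of this thread and not kernel code), the check a practitioner would want before repeating the reproduction step above: consult the kprobes blacklist the kernel exports at /sys/kernel/debug/kprobes/blacklist before writing a symbol into kprobe_events. The blacklist format assumed here is one "0xSTART-0xEND<TAB>symbol" line per entry; the sample file, its addresses and the helper names (kprobe_blacklisted, add_kprobe_safely) are constructed for the example, and the entry for entry_SYSCALL_64_trampoline assumes a kernel carrying the fix discussed here, which adds .entry_trampoline to that list.

```shell
#!/bin/sh
# Added example, not from the original thread or the kernel tree.
# Refuse to register a kprobe on a symbol that the running kernel lists
# in its kprobes blacklist, instead of letting the write into
# kprobe_events crash the machine on the first syscall.
set -u

# Constructed sample of the blacklist file. Real systems read it from
# /sys/kernel/debug/kprobes/blacklist; the addresses below are placeholders.
SAMPLE_BLACKLIST=$(mktemp)
printf '0xffffffff81000000-0xffffffff810000f0\tentry_SYSCALL_64_trampoline\n' > "$SAMPLE_BLACKLIST"
printf '0xffffffff81001000-0xffffffff81001250\tentry_SYSCALL_64\n' >> "$SAMPLE_BLACKLIST"
printf '0xffffffff81123450-0xffffffff81123480\tdo_trap\n' >> "$SAMPLE_BLACKLIST"

# kprobe_blacklisted BLACKLIST_FILE SYMBOL
# Exit status 0 if SYMBOL appears in the second (tab-separated) column,
# 1 otherwise. Matching is exact, so a prefix such as entry_SYSCALL_64
# does not match entry_SYSCALL_64_trampoline.
kprobe_blacklisted() {
    awk -v sym="$2" -F'\t' '$2 == sym { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# add_kprobe_safely BLACKLIST_FILE SYMBOL EVENTS_FILE
# Appends "p:probe_SYMBOL SYMBOL" to EVENTS_FILE (the kprobe_events file
# on a real system) only when SYMBOL is not blacklisted.
add_kprobe_safely() {
    if kprobe_blacklisted "$1" "$2"; then
        echo "refusing to probe $2: listed in kprobes blacklist" >&2
        return 1
    fi
    printf 'p:%s %s\n' "probe_$2" "$2" >> "$3"
}
```

On a live system the first argument would be /sys/kernel/debug/kprobes/blacklist (debugfs mounted, root required) and the third would be the tracefs kprobe_events file; the blacklist is only as complete as the kernel's NOKPROBE annotations, which is exactly the gap the patch in this thread closes for .entry_trampoline.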