git.proxmox.com Git - pve-kernel.git/blob - patches/kernel/0049-kprobes-x86-Set-up-frame-pointer-in-kprobe-trampolin.patch
4d673b053bdf7cfb3a79b0cc1c27e0db4036dac8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Tue, 3 Oct 2017 08:51:43 -0500
Subject: [PATCH] kprobes/x86: Set up frame pointer in kprobe trampoline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

Richard Weinberger saw an unwinder warning when running bcc's opensnoop:

WARNING: kernel stack frame pointer at ffff99ef4076bea0 in opensnoop:2008 has bad value 0000000000000008
unwind stack type:0 next_sp: (null) mask:0x2 graph_idx:0
...
ffff99ef4076be88: ffff99ef4076bea0 (0xffff99ef4076bea0)
ffff99ef4076be90: ffffffffac442721 (optimized_callback +0x81/0x90)
...

A lockdep stack trace was initiated from inside a kprobe handler, when
the unwinder noticed a bad frame pointer on the stack. The bad frame
pointer is related to the fact that the kprobe optprobe trampoline
doesn't save the frame pointer before calling into optimized_callback().

Reported-and-tested-by: Richard Weinberger <richard@sigma-star.at>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David S . Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/7aef2f8ecd75c2f505ef9b80490412262cf4a44c.1507038547.git.jpoimboe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit ee213fc72fd67d0988525af501534f4cb924d1e9)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 0f7d5518c91335584b16c7bed1c54c10b78ea76a)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kernel/kprobes/common.h | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/kprobes/common.h b/arch/x86/kernel/kprobes/common.h
index db2182d63ed0..3fc0f9a794cb 100644
--- a/arch/x86/kernel/kprobes/common.h
+++ b/arch/x86/kernel/kprobes/common.h
49 @@ -3,6 +3,15 @@
50
51 /* Kprobes and Optprobes common header */
52
53 +#include <asm/asm.h>
54 +
55 +#ifdef CONFIG_FRAME_POINTER
56 +# define SAVE_RBP_STRING " push %" _ASM_BP "\n" \
57 + " mov %" _ASM_SP ", %" _ASM_BP "\n"
58 +#else
59 +# define SAVE_RBP_STRING " push %" _ASM_BP "\n"
60 +#endif
61 +
62 #ifdef CONFIG_X86_64
63 #define SAVE_REGS_STRING \
64 /* Skip cs, ip, orig_ax. */ \
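Review bot: the new SAVE_RBP_STRING macro has no comment saying why the CONFIG_FRAME_POINTER branch adds `mov %_ASM_SP, %_ASM_BP` after the push; since the whole point of the patch, per the description above, is to hand the unwinder a valid frame before optimized_callback() is entered, a one-line comment above the `#ifdef CONFIG_FRAME_POINTER` would save the next reader a trip through git log. Minor style point: both branches emit the identical `" push %" _ASM_BP "\n"`, so the `#ifdef` could wrap only the `mov` line and the push could stay unconditional, which keeps the non-frame-pointer expansion obviously equal to the old `pushq %rbp`. Also note that nothing in this diff restores the frame pointer; the change relies on the existing restore sequence (not shown here) popping the saved value back into %rbp, which is worth confirming against the matching RESTORE macro in the same header.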
65 @@ -17,7 +26,7 @@
66 " pushq %r10\n" \
67 " pushq %r11\n" \
68 " pushq %rbx\n" \
69 - " pushq %rbp\n" \
70 + SAVE_RBP_STRING \
71 " pushq %r12\n" \
72 " pushq %r13\n" \
73 " pushq %r14\n" \
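Review bot: with CONFIG_FRAME_POINTER the `mov` inside SAVE_RBP_STRING now executes between `pushq %rbx` and `pushq %r12`, so %rbp points at the saved-rbp slot in the middle of the pt_regs block being built, and the word a frame-pointer walk reads as the return address, 8(%rbp), is the pushed %rbx rather than a code address. That is presumably intended, since the goal is only a sane rbp chain at the time optimized_callback() runs, but a comment at this line would stop someone from later "fixing" the ordering. Separately, the macro emits `push`/`mov` without the `q` suffix that every neighbouring line uses; the assembler infers the width from the register so this is not a bug, and it is what lets the same macro serve the 32-bit block below, but the mixed style is worth calling out.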
74 @@ -48,7 +57,7 @@
75 " pushl %es\n" \
76 " pushl %ds\n" \
77 " pushl %eax\n" \
78 - " pushl %ebp\n" \
79 + SAVE_RBP_STRING \
80 " pushl %edi\n" \
81 " pushl %esi\n" \
82 " pushl %edx\n" \
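Review bot: the 32-bit hunk makes the same substitution, so here the macro expands to `push %ebp` / `mov %esp, %ebp` and 4(%ebp) holds the pushed %eax rather than a return address, mirroring the 64-bit case. The reproducer in the description (ffff99ef... addresses, bcc's opensnoop) is an x86-64 report, so this path is not covered by the Reported-and-tested-by tag; a boot test of a 32-bit CONFIG_FRAME_POINTER build with an optimized probe armed would close that gap before merging.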
--
2.14.2
