Re: [PATCH] kprobes: bad manipulation of 2 byte opcode on x86_64

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 






Is there any possibility of a inducing a page fault when checking the
second byte?
- -
Richard J Moore
IBM Advanced Linux Response Team - Linux Technology Centre
MOBEX: 264807; Mobile (+44) (0)7739-875237
Office: (+44) (0)1962-817072


                                                                           
             Satoshi Oshima                                                
             <soshima@redhat                                               
             .com>                                                      To 
             Sent by:                  Andi Kleen <[email protected]>, Andrew     
             systemtap-owner           Morton <[email protected]>              
             @sourceware.org                                            cc 
                                       [email protected],       
                                       [email protected],       
             18/05/2006                "Keshavamurthy, Anil S"             
             22:32                     <[email protected]>,   
                                       Ananth N Mavinakayanahalli          
                                       <[email protected]>, Jim Keniston  
                                       <[email protected]>, Prasanna S   
                                       Panchamukhi <[email protected]>,  
                                       "Hideo AOKI@redhat"                 
                                       <[email protected]>, Masami          
                                       Hiramatsu                           
                                       <[email protected]>,       
                                       sugita <[email protected]>   
                                                                       bcc 
                                                                           
                                                                   Subject 
                                       [PATCH] kprobes: bad manupilation   
                                       of 2 byte opcode on x86_64          
                                                                           
                                                                           




Hi Andi and Andrew,

I found a bug of kprobes on x86_64.
I attached the fix of this bug.


Problem:

If we put a probe onto a callq instruction and the probe
is executed, kernel panic of Bad RIP value occurs.

Root cause:

If resume_execution() found 0xff at first byte of
p->ainsn.insn, it must check the _second_ byte.
But current resume_execution check _first_ byte again.


I changed it checks second byte of p->ainsn.insn.

Kprobes on i386 don't have this problem, because
the implementation is a little bit different from
x86_64.


Regards,

Satoshi Oshima
Hitachi Computer Product (America) Inc.

----------------------------------------------

diff -Narup linux-2.6.17-rc3-mm1.orig/arch/x86_64/kernel/kprobes.c
x86_64_bugifx/arch/x86_64/kernel/kprobes.c
--- linux-2.6.17-rc3-mm1.orig/arch/x86_64/kernel/kprobes.c
2006-05-04 12:34:44.000000000 -0400
+++ x86_64_bugifx/arch/x86_64/kernel/kprobes.c         2006-05-12
16:02:35.000000000 -0400
@@ -514,13 +514,13 @@ static void __kprobes resume_execution(s
                         *tos = orig_rip + (*tos - copy_rip);
                         break;
             case 0xff:
-                        if ((*insn & 0x30) == 0x10) {
+                        if ((insn[1] & 0x30) == 0x10) {
                                     /* call absolute, indirect */
                                     /* Fix return addr; rip is correct. */
                                     next_rip = regs->rip;
                                     *tos = orig_rip + (*tos - copy_rip);
-                        } else if (((*insn & 0x31) == 0x20) ||          /*
jmp near, absolute indirect */
-                                       ((*insn & 0x31) == 0x21)) {
 /* jmp far, absolute indirect */
+                        } else if (((insn[1] & 0x31) == 0x20) ||        /*
jmp near, absolute indirect */
+                                       ((insn[1] & 0x31) == 0x21)) {
 /* jmp far, absolute indirect */
                                     /* rip is correct. */
                                     next_rip = regs->rip;
                         }



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux