From patchwork Mon Sep 14 13:01:41 2020
X-Patchwork-Submitter: Daniel Thompson
X-Patchwork-Id: 249760
From: Daniel Thompson
To: Jason Wessel, Douglas Anderson
Cc: Daniel Thompson, Peter Zijlstra, sumit.garg@linaro.org, pmladek@suse.com, sergey.senozhatsky@gmail.com, will@kernel.org, Masami Hiramatsu, kgdb-bugreport@lists.sourceforge.net, linux-kernel@vger.kernel.org, patches@linaro.org
Subject: [PATCH v3 1/3] kgdb: Honour the kprobe blocklist when setting breakpoints
Date: Mon, 14 Sep 2020 14:01:41 +0100
Message-Id: <20200914130143.1322802-2-daniel.thompson@linaro.org>
X-Mailer: git-send-email 2.25.4
In-Reply-To: <20200914130143.1322802-1-daniel.thompson@linaro.org>
References: <20200914130143.1322802-1-daniel.thompson@linaro.org>

Currently kgdb has absolutely no safety rails in place to discourage or prevent a user from placing a breakpoint in dangerous places such as the debugger's own trap entry/exit and other places where it is not safe to take synchronous traps.

Introduce a new config symbol KGDB_HONOUR_BLOCKLIST and modify the default implementation of kgdb_validate_break_address() so that we use the kprobe blocklist to prohibit instrumentation of critical functions if the config symbol is set.

The config symbol dependencies are set to ensure that the blocklist will be enabled by default if we enable KGDB and are compiling for an architecture where we HAVE_KPROBES.

Suggested-by: Peter Zijlstra
Reviewed-by: Douglas Anderson
Signed-off-by: Daniel Thompson --- include/linux/kgdb.h | 18 ++++++++++++++++++ kernel/debug/debug_core.c | 4 ++++ kernel/debug/kdb/kdb_bp.c | 9 +++++++++ lib/Kconfig.kgdb | 14 ++++++++++++++ 4 files changed, 45 insertions(+) -- 2.25.4 Reviewed-by: Masami Hiramatsu diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h index 477b8b7c908f..0d6cf64c8bb1 100644 --- a/include/linux/kgdb.h +++ b/include/linux/kgdb.h @@ -16,6 +16,7 @@ #include #include #include +#include #ifdef CONFIG_HAVE_ARCH_KGDB #include #endif @@ -335,6 +336,23 @@ extern int kgdb_nmicallin(int cpu, int trapnr, void *regs, int err_code, atomic_t *snd_rdy); extern void gdbstub_exit(int status); +/* + * kgdb and kprobes both use the same (kprobe) blocklist (which makes sense + * given they are both typically hooked up to the same trap meaning on most + * architectures one cannot be used to debug the other) + * + * However on architectures where kprobes is not (yet) implemented we permit + * breakpoints everywhere rather than blocking everything by default. + */ +static inline bool kgdb_within_blocklist(unsigned long addr) +{ +#ifdef CONFIG_KGDB_HONOUR_BLOCKLIST + return within_kprobe_blacklist(addr); +#else + return false; +#endif +} + extern int kgdb_single_step; extern atomic_t kgdb_active; #define in_dbg_master() \ diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c index b16dbc1bf056..b1277728a835 100644 --- a/kernel/debug/debug_core.c +++ b/kernel/debug/debug_core.c @@ -188,6 +188,10 @@ int __weak kgdb_validate_break_address(unsigned long addr) { struct kgdb_bkpt tmp; int err; + + if (kgdb_within_blocklist(addr)) + return -EINVAL; + /* Validate setting the breakpoint and then removing it. If the * remove fails, the kernel needs to emit a bad message because we * are deep trouble not being able to put things back the way we diff --git a/kernel/debug/kdb/kdb_bp.c b/kernel/debug/kdb/kdb_bp.c index d7ebb2c79cb8..ec4940146612 100644 --- a/kernel/debug/kdb/kdb_bp.c 
+++ b/kernel/debug/kdb/kdb_bp.c @@ -306,6 +306,15 @@ static int kdb_bp(int argc, const char **argv) if (!template.bp_addr) return KDB_BADINT; + /* + * This check is redundant (since the breakpoint machinery should + * be doing the same check during kdb_bp_install) but gives the + * user immediate feedback. + */ + diag = kgdb_validate_break_address(template.bp_addr); + if (diag) + return diag; + /* * Find an empty bp structure to allocate */ diff --git a/lib/Kconfig.kgdb b/lib/Kconfig.kgdb index 256f2486f9bd..713c17fe789c 100644 --- a/lib/Kconfig.kgdb +++ b/lib/Kconfig.kgdb @@ -24,6 +24,20 @@ menuconfig KGDB if KGDB +config KGDB_HONOUR_BLOCKLIST + bool "KGDB: use kprobe blocklist to prohibit unsafe breakpoints" + depends on HAVE_KPROBES + select KPROBES + default y + help + If set to Y the debug core will use the kprobe blocklist to + identify symbols where it is unsafe to set breakpoints. + In particular this disallows instrumentation of functions + called during debug trap handling and thus makes it very + difficult to inadvertently provoke recursive trap handling. + + If unsure, say Y. + config KGDB_SERIAL_CONSOLE tristate "KGDB: use kgdb over the serial console" select CONSOLE_POLL
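Review bot: in the include/linux/kgdb.h hunk, the comment above kgdb_within_blocklist() only explains one of the two ways the `#else` branch is reached. A HAVE_KPROBES architecture built with CONFIG_KGDB_HONOUR_BLOCKLIST=n also gets `return false`, i.e. breakpoints are permitted everywhere, and a reader of the header cannot tell that from the comment. Suggest extending the last sentence along the lines of "However on architectures where kprobes is not (yet) implemented, or when CONFIG_KGDB_HONOUR_BLOCKLIST is disabled, we permit breakpoints everywhere" so that it is clear the protection is opt-out rather than tied only to arch support.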
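Review bot: in the kernel/debug/debug_core.c hunk, the blocklist check is added only to the `__weak` default kgdb_validate_break_address(), so any architecture that provides its own kgdb_validate_break_address() silently loses the protection that the Kconfig help text promises. Either document in the header that overriding implementations are expected to call kgdb_within_blocklist() themselves, or hoist the check into the callers of kgdb_validate_break_address() so it runs regardless of which implementation is linked.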
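Review bot: in the kernel/debug/kdb/kdb_bp.c hunk, `diag = kgdb_validate_break_address(template.bp_addr); if (diag) return diag;` passes a Linux errno (-EINVAL from the debug_core.c hunk, or whatever an arch override returns) straight out of kdb_bp() as a kdb diagnostic code, whereas the surrounding code returns KDB_* codes such as KDB_BADINT. The two numeric namespaces are unrelated, so the message kdb prints for the user may be misleading. Suggest mapping any non-zero result to a kdb code, e.g. `if (diag) return KDB_BADADDR;`, ideally after printing the rejected address, so the "immediate feedback" the comment promises names the location that was refused.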
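Review bot: in the lib/Kconfig.kgdb hunk, `select KPROBES` combined with `default y` means that enabling KGDB on any HAVE_KPROBES architecture now also enables the whole kprobes subsystem, which is a wider change to default configurations than the help text describes. Suggest stating it explicitly in the help text ("This selects KPROBES") and in the commit message, so that anyone who needs to keep kprobes out of a kernel knows to disable this option and understands that doing so also removes the breakpoint safety check. Minor: the help text says the blocklist identifies "symbols", while kgdb_within_blocklist() is an address check; "functions" or "addresses" would be more accurate.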
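The mechanism the patch introduces, shown as a user-space model rather than kernel code: a blocklist of function address ranges is consulted before a breakpoint address is accepted, and the check compiles away when the option is off. This is an added example and is not the patch's or the kernel's code; the ranges, names and the MODEL_HONOUR_BLOCKLIST macro are constructed stand-ins for the kprobe blocklist and CONFIG_KGDB_HONOUR_BLOCKLIST.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for CONFIG_KGDB_HONOUR_BLOCKLIST. Build with
 * -DMODEL_HONOUR_BLOCKLIST=0 to model a kernel where the option is off. */
#ifndef MODEL_HONOUR_BLOCKLIST
#define MODEL_HONOUR_BLOCKLIST 1
#endif

/* One blocklisted function, recorded as the half-open text range [start, end),
 * which is how the kprobe blocklist describes entries. Constructed values. */
struct blocklist_entry {
    const char *name;
    unsigned long start;
    unsigned long end;
};

static const struct blocklist_entry sample_blocklist[] = {
    { "model_trap_entry",  0xc0001000UL, 0xc0001200UL },
    { "model_trap_exit",   0xc0001200UL, 0xc0001340UL },
    { "model_nmi_handler", 0xc0008000UL, 0xc0008400UL },
};
#define SAMPLE_BLOCKLIST_COUNT (sizeof(sample_blocklist) / sizeof(sample_blocklist[0]))

/* Model of within_kprobe_blacklist(): true if addr lies inside any entry. */
static bool model_within_blocklist(unsigned long addr)
{
    for (size_t i = 0; i < SAMPLE_BLOCKLIST_COUNT; i++) {
        if (addr >= sample_blocklist[i].start && addr < sample_blocklist[i].end)
            return true;
    }
    return false;
}

/* Model of kgdb_within_blocklist(): the check disappears when the option is off,
 * so every address is then treated as safe to instrument. */
static bool model_kgdb_within_blocklist(unsigned long addr)
{
#if MODEL_HONOUR_BLOCKLIST
    return model_within_blocklist(addr);
#else
    (void)addr;
    return false;
#endif
}

/* Model of the default kgdb_validate_break_address(): refuse a blocklisted
 * address before anything is written to the instruction stream. */
static int model_validate_break_address(unsigned long addr)
{
    if (model_kgdb_within_blocklist(addr))
        return -EINVAL;
    /* The real function would now probe by writing and restoring the breakpoint. */
    return 0;
}

/* Defender-side audit: how many of a proposed breakpoint list would be refused,
 * so a debug session's breakpoints can be checked before it starts. */
static size_t model_count_rejected(const unsigned long *addrs, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (model_validate_break_address(addrs[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed list of candidate breakpoints: two fall inside blocklisted ranges. */
static const unsigned long sample_breakpoints[] = { 0xc0001010UL, 0xc0020000UL, 0xc0008100UL };
#define SAMPLE_BREAKPOINT_COUNT (sizeof(sample_breakpoints) / sizeof(sample_breakpoints[0]))

int main(void)
{
    for (size_t i = 0; i < SAMPLE_BREAKPOINT_COUNT; i++) {
        int err = model_validate_break_address(sample_breakpoints[i]);
        printf("0x%lx: %s\n", sample_breakpoints[i], err ? "rejected (blocklisted)" : "accepted");
    }
    printf("%zu of %zu candidate breakpoints rejected\n",
           model_count_rejected(sample_breakpoints, SAMPLE_BREAKPOINT_COUNT),
           (size_t)SAMPLE_BREAKPOINT_COUNT);
    return 0;
}
```

The range test is deliberately half-open: the first byte of the next function in the table starts a new entry, so an address on a boundary is judged by the entry that owns it, and the byte just past the last blocklisted function is accepted.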