Re: [uml-devel] [discuss] [RFC] [PATCH] Double syscall exit traces on x86_64

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Friday 02 June 2006 17:13, Jeff Dike wrote:
> On Thu, Jun 01, 2006 at 09:07:33PM +0200, Blaisorblade wrote:
> > Sorry for the question, but has this been sent to -stable (since it's a
> > -stable regression, it should be)? To 2.6.17 -git?
>
> It's in current git.
The patch is likely ok for -stable, but below I express some doubts for 
inclusion in kernel tree - it probably isn't sufficient and maybe it's not 
the better fix.
> I'm having a hard time telling when the bug was introduced.  The git web
> interface seems to be telling me that the double notification was around
> since last year,

Likely you'll looking into the wrong place - int_ret_from_syscall (if this is 
the name) wasn't used till recently, ret_from_syscall was used. And it never 
does syscall exit tracing - it expects the caller to have switched away to 
the slow path.

There's a path in which it calls int_with_check, but it does "movl 
$_TIF_NEED_RESCHED,%edi", so that int_with_check only tests _TIF_NEED_RESCHED 
and no other flag.

However, there's another potential problem in current code, it seems. 
ret_from_fork. It can jump to rff_trace and then again go to 
int_ret_from_sys_call, if _TIF_IA32 is set. The check for tracing/auditing 
should be moved to when we decide to jump to ret_from_sys_call.

I've tried doing that with the attached untested patch, but it's likely I've 
got something wrong - in particular the following pass of the patch wasn't 
easy to get right (this change is buried in the middle of other things).

+       testl $3,CS(%rsp)     # from kernel_thread?
        RESTORE_REST
-       testl $3,CS-ARGOFFSET(%rsp)     # from kernel_thread?

However, I have a bigger doubt and a proposal for a simpler change. Do we need 
at all to test for syscall tracing in int_ret_from_sys_call? And why is there 
a difference with ret_from_sys_call?

Instead of removing the test from tracesys, could we remove it from 
int_ret_from_sys_call (and no, calling int_with_check with a custom %edi 
doesn't work)?

Can syscall tracing be needed on exit and not on entry?

I've the suspect that either:
a) if some other process kicks in, we'll make him trace from next syscall 
start onwards (and int_ret_from_sys_call is buggy) - this makes much more 
sense and works almost always.
b) or if we want tracer to see syscall exit, it only works in 
int_ret_from_sys_call (rare cases).

I've thought to how a process can kick in and answers were:

*) schedule() to a process which does a ptrace attach
*) the syscall is ptrace(PTRACE_TRACEME)

in both cases the ptracer must do PTRACE_SYSCALL, and in both cases we need 
behaviour a).

For singlestep on syscall exit I'm totally unsure. But I've not the time to 
look more this code - I didn't know it and it's very intricate.

> which I don't believe, since I've run much more 
> recent x86_64 kernels.  If the bug existed before 2.6.16, then it's
> fine -stable fodder.
Can you handle sending it to st...@ke...?

First introduced in 2.6.16.5 as first diagnosed by Chuck Ebbert:

commit 6b12095a4a0e1f21bbf83f95f13299ca99d758fe
tree 5d2a3d96f7b99a3a225c0f7a110c6631848524b0
parent 59b2832a31ae2f3279bb5b16ae9b1c4e38e40dea
author Andi Kleen <ak...@su...> Wed, 12 Apr 2006 08:19:29 +0200
committer Greg Kroah-Hartman <gr...@su...> Wed, 12 Apr 2006 13:06:54 -0700

    [PATCH] x86_64: When user could have changed RIP always force IRET 
(CVE-2006-0744)

    Intel EM64T CPUs handle uncanonical return addresses differently from
    AMD CPUs.

    The exception is reported in the SYSRET, not the next instruction.
    Thgis leads to the kernel exception handler running on the user stack
    with the wrong GS because the kernel didn't expect exceptions on this
    instruction.

    This version of the patch has the teething problems that plagued an
    earlier version fixed.

    This is CVE-2006-0744

    Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
    patches.

    Signed-off-by: Andi Kleen <ak...@su...>
    Signed-off-by: Greg Kroah-Hartman <gr...@su...>

-- 
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade (Skype ID "PaoloGiarrusso", ICQ 215621894)
http://www.user-mode-linux.org/~blaisorblade