(sorry for the HTML spam)
On Wed, Feb 12, 2025 at 5:37 PM Andy Lutomirski luto@kernel.org wrote:
On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa jolsa@kernel.org wrote:
Jann reported [1] possible issue when trampoline_check_ip returns address near the bottom of the address space that is allowed to call into the syscall if uretprobes are not set up.
Though the mmap minimum address restrictions will typically prevent creating mappings there, let's make sure uretprobe syscall checks for that.
It would be a layering violation, but we could perhaps do better here:
if (regs->ip != trampoline_check_ip())
/* Make sure the ip matches the only allowed sys_uretprobe caller. */if (unlikely(regs->ip != trampoline_check_ip(tramp))) goto sigill;Instead of SIGILL, perhaps this should do the seccomp action? So the logic in seccomp would be (sketchily, with some real mode1 mess):
if (is_a_real_uretprobe()) skip seccomp;
where is_a_real_uretprobe() is only true if the nr and arch match uretprobe *and* the address is right.
Why would it make sense to rely on CONFIG_SECCOMP for this check? seems this check should be done regardless of seccomp.
Or maybe I missed something in the suggestion.
Eyal.
--Andy