On Thu,  8 Mar 2018 22:18:11 -0500
Francis Deslauriers <francis.deslauri...@efficios.com> wrote:

> Hi all,
> 
> While fuzzing the Perf kprobe interface, I found that adding a probe on
> the 'entry_SYSCALL_64_trampoline' symbol will crash my 4.16-rc4
> kernel (661e50bc853209e41a5c14a290ca4decc43cbfd1) on an x86_64 Qemu VM.
> 
> How to reproduce:
>       echo 'p:event1 entry_SYSCALL_64_trampoline' > ./kprobe_events
>       echo 1 >  events/kprobes/enable
> Crash log:[1]
> 
> My understanding is that the userspace CR3 register has not yet been
> replaced by the kernel's CR3, when the kprobe is triggered. This means
> that the kernel addresses can not be translated, thus making the
> handling of the kprobe impossible.

Thanks for reporting!
And yes, all entry code must be nokprobe.

> 
> This can be fixed by blacklisting the .entry_trampoline section. See
> patch[1/1].
> 
> Here is the config I am using[2].
> 
> Thanks,
> 
> Francis Deslauriers
> EfficiOS inc.
> 
> 1:http://paste.ubuntu.com/p/djnpZCzQKv/
> 2:http://paste.ubuntu.com/p/3jrFYt6XQB/
> 
> Francis Deslauriers (1):
>   x86/kprobes: Prohibit probing of .entry_trampoline code
> 
>  arch/x86/include/asm/sections.h |  1 +
>  arch/x86/kernel/kprobes/core.c  | 10 +++++++++-
>  arch/x86/kernel/vmlinux.lds.S   |  2 ++
>  3 files changed, 12 insertions(+), 1 deletion(-)
> 
> -- 
> 2.7.4
> 


-- 
Masami Hiramatsu <mhira...@kernel.org>
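The section blacklisting described in the thread, as an added example that is not the submitted patch: a user-space C model of the x86 kprobe blacklist range check, with the pre-fix and post-fix variants side by side. The section bounds and addresses are constructed for the demonstration (in the kernel they come from vmlinux.lds.S via asm/sections.h), and the function names are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the linker-script section bounds. The real
 * kernel exports these from vmlinux.lds.S; the values here are made up. */
const uint64_t kprobes_text_start     = 0xffffffff81001000ULL;
const uint64_t kprobes_text_end       = 0xffffffff81002000ULL;
const uint64_t entry_text_start       = 0xffffffff81a00000ULL;
const uint64_t entry_text_end         = 0xffffffff81a01000ULL;
const uint64_t entry_trampoline_start = 0xffffffff81a01000ULL; /* .entry_trampoline */
const uint64_t entry_trampoline_end   = 0xffffffff81a02000ULL;

static bool in_range(uint64_t addr, uint64_t start, uint64_t end)
{
	return addr >= start && addr < end;
}

/* Pre-fix shape of the check: only .kprobes.text and .entry.text are
 * refused, so a probe placed in .entry_trampoline is accepted and fires
 * while the user CR3 is still loaded, which is the crash in the report. */
bool within_kprobe_blacklist_before_fix(uint64_t addr)
{
	return in_range(addr, kprobes_text_start, kprobes_text_end) ||
	       in_range(addr, entry_text_start, entry_text_end);
}

/* Post-fix shape of the check: the .entry_trampoline section is refused
 * as well, so the probe registration fails instead of crashing later. */
bool within_kprobe_blacklist(uint64_t addr)
{
	return within_kprobe_blacklist_before_fix(addr) ||
	       in_range(addr, entry_trampoline_start, entry_trampoline_end);
}

int main(void)
{
	/* Constructed address standing in for entry_SYSCALL_64_trampoline. */
	uint64_t trampoline = entry_trampoline_start + 0x40;
	uint64_t ordinary   = 0xffffffff81200000ULL; /* probeable text, constructed */

	printf("trampoline, before fix: %s\n",
	       within_kprobe_blacklist_before_fix(trampoline) ? "refused" : "accepted");
	printf("trampoline, after fix:  %s\n",
	       within_kprobe_blacklist(trampoline) ? "refused" : "accepted");
	printf("ordinary text:          %s\n",
	       within_kprobe_blacklist(ordinary) ? "refused" : "accepted");
	return 0;
}
```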
