| Message ID | 1520164518-19097-1-git-send-email-maddy@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [1/2] powerpc/perf: Fix kernel address leak to userspace via BHRB buffer | expand |
On Sun, Mar 4, 2018 at 10:55 PM, Madhavan Srinivasan <maddy@linux.vnet.ibm.com> wrote: > The current Branch History Rolling Buffer (BHRB) code does > not check for any privilege levels before updating the data > from BHRB. This leaks kernel addresses to userspace even when > profiling only with userspace privileges. Add proper checks > to prevent it. > > Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> > --- > arch/powerpc/perf/core-book3s.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c > index f89bbd54ecec..337db5831749 100644 > --- a/arch/powerpc/perf/core-book3s.c > +++ b/arch/powerpc/perf/core-book3s.c > @@ -457,6 +457,10 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) > /* invalid entry */ > continue; > > + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && > + is_kernel_addr(addr)) > + continue; > + Looks good to me. The scope of the leaks concern is KASLR related or something else (figuring out what's in the cache?) Acked-by: Balbir Singh <bsingharora@gmail.com> Balbir Singh.
On Monday 05 March 2018 11:46 AM, Balbir Singh wrote: > On Sun, Mar 4, 2018 at 10:55 PM, Madhavan Srinivasan > <maddy@linux.vnet.ibm.com> wrote: >> The current Branch History Rolling Buffer (BHRB) code does >> not check for any privilege levels before updating the data >> from BHRB. This leaks kernel addresses to userspace even when >> profiling only with userspace privileges. Add proper checks >> to prevent it. >> >> Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> >> --- >> arch/powerpc/perf/core-book3s.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c >> index f89bbd54ecec..337db5831749 100644 >> --- a/arch/powerpc/perf/core-book3s.c >> +++ b/arch/powerpc/perf/core-book3s.c >> @@ -457,6 +457,10 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) >> /* invalid entry */ >> continue; >> >> + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && >> + is_kernel_addr(addr)) >> + continue; >> + > > Looks good to me. The scope of the leaks concern is KASLR related or > something else (figuring out what's in the cache?) I did not look at it closely. But will get the information. Thanks for the review Maddy > > Acked-by: Balbir Singh <bsingharora@gmail.com> > > Balbir Singh. >
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c index f89bbd54ecec..337db5831749 100644 --- a/arch/powerpc/perf/core-book3s.c +++ b/arch/powerpc/perf/core-book3s.c @@ -457,6 +457,10 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) /* invalid entry */ continue; + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && + is_kernel_addr(addr)) + continue; + /* Branches are read most recent first (ie. mfbhrb 0 is * the most recent branch). * There are two types of valid entries:
The current Branch History Rolling Buffer (BHRB) code does not check for any privilege levels before updating the data from BHRB. This leaks kernel addresses to userspace even when profiling only with userspace privileges. Add proper checks to prevent it. Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> --- arch/powerpc/perf/core-book3s.c | 4 ++++ 1 file changed, 4 insertions(+)