Merge tag 'probes-fixes-v6.7-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

torvalds · torvalds · commit 7131c2e9bba7 · 2024-01-05T09:07:59.000-08:00
Pull kprobes/x86 fix from Masami Hiramatsu:

 - Fix to emulate indirect call which size is not 5 byte.

   Current code expects the indirect call instructions are 5 bytes, but
   that is incorrect. Usually indirect call based on register is shorter
   than that, thus the emulation causes a kernel crash by accessing
   wrong instruction boundary. This uses the instruction size to
   calculate the return address correctly.

* tag 'probes-fixes-v6.7-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
@@ -576,7 +576,8 @@ static void kprobe_emulate_call_indirect(struct kprobe *p, struct pt_regs *regs)
 {
 	unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
 
-	int3_emulate_call(regs, regs_get_register(regs, offs));
+	int3_emulate_push(regs, regs->ip - INT3_INSN_SIZE + p->ainsn.size);
+	int3_emulate_jmp(regs, regs_get_register(regs, offs));
 }
 NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);
 

Original file line number	Diff line number	Diff line change
`@@ -576,7 +576,8 @@ static void kprobe_emulate_call_indirect(struct kprobe p, struct pt_regs regs)`
`576`	`576`	`{`
`577`	`577`	`unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];`
`578`	`578`
`579`		`- int3_emulate_call(regs, regs_get_register(regs, offs));`
	`579`	`+ int3_emulate_push(regs, regs->ip - INT3_INSN_SIZE + p->ainsn.size);`
	`580`	`+ int3_emulate_jmp(regs, regs_get_register(regs, offs));`
`580`	`581`	`}`
`581`	`582`	`NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);`
`582`	`583`