[LTS 9.2] perf: Disallow mis-matched inherited group reads #452
Conversation
shreeya-patel98
requested review from
kerneltoast,
jainanmol84,
PlaidCat,
bmastbergen and
thefossguy-ciq
shreeya-patel98
force-pushed
the
{spatel}_ciqlts9_2
branch
from
5a61cf0 to
6237664
Compare
|
Do we want to have the kABI fix patch as a separate commit or should just fix it in the commit we cherry-picked? |
I don't know if we have an official consensus about this but so far, I've seen it done in a single commit and specify the changes using |
include/linux/perf_event.h
Outdated
| @@ -691,6 +692,7 @@ struct perf_event { | |||
| /* The cumulative AND of all event_caps for events in this group. */ | |||
| int group_caps; | |||
|
|
|||
| RH_KABI_EXTEND(unsigned int group_generation) | |||
There was a problem hiding this comment.
From rh_kabi.h
* RH_KABI_EXTEND
* Adds a new field to a struct. This must always be added to the end of
* the struct. Before using this macro, make sure this is actually safe
* to do - there is a number of conditions under which it is *not* safe.
* In particular (but not limited to), this macro cannot be used:
* - if the struct in question is embedded in another struct, or
* - if the struct is allocated by drivers either statically or
* dynamically, or
* - if the struct is allocated together with driver data (an example of
* such behavior is struct net_device or struct request).
*
From the comment it seems like RH_KABI_EXTEND is meant to be used for adding new fields to the end of a struct, but here it is in the middle. In some cases adding a field to the end of a struct might be acceptable kabi breakage so I imagine that is what this macro is for. Here it may be placating check-kabi but the kabi is straight up broken. I think that would be RH_KABI_BROKEN_INSERT IFF a and b are true
* RH_KABI_BROKEN_INSERT
* RH_KABI_BROKEN_REMOVE
* Insert a field to the middle of a struct / delete a field from a struct.
* Note that this breaks kABI! It can be done only when it's certain that
* no 3rd party driver can validly reach into the struct. A typical
* example is a struct that is: both (a) referenced only through a long
* chain of pointers from another struct that is part of a whitelisted
* symbol and (b) kernel internal only, it should have never been visible
* to genksyms in the first place.
*
* Another example are structs that are explicitly exempt from kABI
* guarantee but we did not have enough foresight to use RH_KABI_EXCLUDE.
* In this case, the warning for RH_KABI_EXCLUDE applies.
*
* A detailed explanation of correctness of every RH_KABI_BROKEN_* macro
* use is especially important.
There was a problem hiding this comment.
@bmastbergen I am wondering if we can just move the field to the end?
There was a problem hiding this comment.
I think putting it at the end would work here.
There was a problem hiding this comment.
Yes, putting it at the end of the struct works in this case because both of these statements are true:
-
The perf event API forces all users to dynamically allocate the struct through its own function
perf_event_alloc(), because there's no API to accept a preallocated struct. -
The struct is never allocated as an array, so expanding the struct size won't break anything.
🔍 Upstream Linux Kernel Commit Check
This is an automated message from the kernel commit checker workflow. |
This wasn't automated, I ran my upstream commit checker script locally |
shreeya-patel98
force-pushed
the
{spatel}_ciqlts9_2
branch
from
6237664 to
8968285
Compare
Sorry I didn't comment on this earlier. As Pratham said, usually we just do one commit with an upstream-diff explaining the macro usage. I think that would be my preference here. |
I think we should pick this up as well. Usually we'd tag this with 'cve-bf CVE-2023-5717' |
So your script checks if there were any fixes upstreamed for this particular patch. That's cool :) |
shreeya-patel98
force-pushed
the
{spatel}_ciqlts9_2
branch
from
8968285 to
28a6c6e
Compare
jira VULN-6760 cve CVE-2023-5717 commit-author Peter Zijlstra <peterz@infradead.org> commit 32671e3 upstream-diff This patch causes kABI breakage due to a change in the struct perf_event layout after adding the group_generation field. Hence, to preserve kABI compatibility, use RH_KABI_EXTEND macro to safely append the new field without affecting the existing layout. Also, add an upstream patch 28a6c6e ("perf/core: Fix potential NULL deref") which fixes a NULL pointer deref issue in the existing CVE fix. Because group consistency is non-atomic between parent (filedesc) and children (inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum non-matching counter groups -- with non-sensical results. Add group_generation to distinguish the case where a parent group removes and adds an event and thus has the same number, but a different configuration of events as inherited groups. This became a problem when commit fa8c269 ("perf/core: Invert perf_read_group() loops") flipped the order of child_list and sibling_list. Previously it would iterate the group (sibling_list) first, and for each sibling traverse the child_list. In this order, only the group composition of the parent is relevant. By flipping the order the group composition of the child (inherited) events becomes an issue and the mis-match in group composition becomes evident. That said; even prior to this commit, while reading of a group that is not equally inherited was not broken, it still made no sense. (Ab)use ECHILD as error return to indicate issues with child process group composition. Fixes: fa8c269 ("perf/core: Invert perf_read_group() loops") Reported-by: Budimir Markovic <markovicbudimir@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20231018115654.GK33217@noisy.programming.kicks-ass.net (cherry picked from commit 32671e3) Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-6760 cve-bf CVE-2023-5717 commit-author Peter Zijlstra <peterz@infradead.org> commit a71ef31 Smatch is awesome. Fixes: 32671e3 ("perf: Disallow mis-matched inherited group reads") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> (cherry picked from commit a71ef31) Signed-off-by: Shreeya Patel <spatel@ciq.com>
shreeya-patel98
force-pushed
the
{spatel}_ciqlts9_2
branch
from
28a6c6e to
df61ae5
Compare
Commit message
Kernel build logs
kernel-build.log
Kselftests
kselftest-before.log
kselftest-after.log