diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2015-04-16 03:40:25 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2015-04-16 06:47:45 -0400 |
| commit | fd0f86b66425bd8c6af8985881e82b28c30fd450 (patch) | |
| tree | 560bb471b03abe7b501f0e6ce9cc971223fe2660 /arch/x86 | |
| parent | 0a15584d72760a3b83d97af85d37ffaa2c42068d (diff) | |
x86/ptrace: Fix the TIF_FORCED_TF logic in handle_signal()
When the TIF_SINGLESTEP tracee dequeues a signal,
handle_signal() clears TIF_FORCED_TF and X86_EFLAGS_TF but
leaves TIF_SINGLESTEP set.
If the tracer does PTRACE_SINGLESTEP again, enable_single_step()
sets X86_EFLAGS_TF but not TIF_FORCED_TF. This means that the
subsequent PTRACE_CONT doesn't not clear X86_EFLAGS_TF, and the
tracee gets the wrong SIGTRAP.
Test-case (needs -O2 to avoid prologue insns in signal handler):
#include <unistd.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <assert.h>
#include <stddef.h>
void handler(int n)
{
asm("nop");
}
int child(void)
{
assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
signal(SIGALRM, handler);
kill(getpid(), SIGALRM);
return 0x23;
}
void *getip(int pid)
{
return (void*)ptrace(PTRACE_PEEKUSER, pid,
offsetof(struct user, regs.rip), 0);
}
int main(void)
{
int pid, status;
pid = fork();
if (!pid)
return child();
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGALRM);
assert(ptrace(PTRACE_SINGLESTEP, pid, 0, SIGALRM) == 0);
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP);
assert((getip(pid) - (void*)handler) == 0);
assert(ptrace(PTRACE_SINGLESTEP, pid, 0, SIGALRM) == 0);
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP);
assert((getip(pid) - (void*)handler) == 1);
assert(ptrace(PTRACE_CONT, pid, 0,0) == 0);
assert(wait(&status) == pid);
assert(WIFEXITED(status) && WEXITSTATUS(status) == 0x23);
return 0;
}
The last assert() fails because PTRACE_CONT wrongly triggers
another single-step and X86_EFLAGS_TF can't be cleared by
debugger until the tracee does sys_rt_sigreturn().
Change handle_signal() to do user_disable_single_step() if
stepping, we do not need to preserve TIF_SINGLESTEP because we
are going to do ptrace_notify(), and it is simply wrong to leak
this bit.
While at it, change the comment to explain why we also need to
clear TF unconditionally after setup_rt_frame().
Note: in the longer term we should probably change
setup_sigcontext() to use get_flags() and then just remove this
user_disable_single_step(). And, the state of TIF_FORCED_TF can
be wrong after restore_sigcontext() which can set/clear TF, this
needs another fix.
This fix fixes the 'single_step_syscall_32' testcase in
the x86 testsuite:
Before:
~/linux/tools/testing/selftests/x86> ./single_step_syscall_32
[RUN] Set TF and check nop
[OK] Survived with TF set and 9 traps
[RUN] Set TF and check int80
[OK] Survived with TF set and 9 traps
[RUN] Set TF and check a fast syscall
[WARN] Hit 10000 SIGTRAPs with si_addr 0xf7789cc0, ip 0xf7789cc0
Trace/breakpoint trap (core dumped)
After:
~/linux/linux/tools/testing/selftests/x86> ./single_step_syscall_32
[RUN] Set TF and check nop
[OK] Survived with TF set and 9 traps
[RUN] Set TF and check int80
[OK] Survived with TF set and 9 traps
[RUN] Set TF and check a fast syscall
[OK] Survived with TF set and 39 traps
[RUN] Fast syscall with TF cleared
[OK] Nothing unexpected happened
Reported-by: Evan Teran <eteran@alum.rit.edu>
Reported-by: Pedro Alves <palves@redhat.com>
Tested-by: Andres Freund <andres@anarazel.de>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
[ Added x86 self-test info. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'arch/x86')
| -rw-r--r-- | arch/x86/kernel/signal.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 3e581865c8e2..d185bdd95a4b 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c | |||
| @@ -630,7 +630,8 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) | |||
| 630 | static void | 630 | static void |
| 631 | handle_signal(struct ksignal *ksig, struct pt_regs *regs) | 631 | handle_signal(struct ksignal *ksig, struct pt_regs *regs) |
| 632 | { | 632 | { |
| 633 | bool failed; | 633 | bool stepping, failed; |
| 634 | |||
| 634 | /* Are we from a system call? */ | 635 | /* Are we from a system call? */ |
| 635 | if (syscall_get_nr(current, regs) >= 0) { | 636 | if (syscall_get_nr(current, regs) >= 0) { |
| 636 | /* If so, check system call restarting.. */ | 637 | /* If so, check system call restarting.. */ |
| @@ -654,12 +655,13 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) | |||
| 654 | } | 655 | } |
| 655 | 656 | ||
| 656 | /* | 657 | /* |
| 657 | * If TF is set due to a debugger (TIF_FORCED_TF), clear the TF | 658 | * If TF is set due to a debugger (TIF_FORCED_TF), clear TF now |
| 658 | * flag so that register information in the sigcontext is correct. | 659 | * so that register information in the sigcontext is correct and |
| 660 | * then notify the tracer before entering the signal handler. | ||
| 659 | */ | 661 | */ |
| 660 | if (unlikely(regs->flags & X86_EFLAGS_TF) && | 662 | stepping = test_thread_flag(TIF_SINGLESTEP); |
| 661 | likely(test_and_clear_thread_flag(TIF_FORCED_TF))) | 663 | if (stepping) |
| 662 | regs->flags &= ~X86_EFLAGS_TF; | 664 | user_disable_single_step(current); |
| 663 | 665 | ||
| 664 | failed = (setup_rt_frame(ksig, regs) < 0); | 666 | failed = (setup_rt_frame(ksig, regs) < 0); |
| 665 | if (!failed) { | 667 | if (!failed) { |
| @@ -670,10 +672,8 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) | |||
| 670 | * it might disable possible debug exception from the | 672 | * it might disable possible debug exception from the |
| 671 | * signal handler. | 673 | * signal handler. |
| 672 | * | 674 | * |
| 673 | * Clear TF when entering the signal handler, but | 675 | * Clear TF for the case when it wasn't set by debugger to |
| 674 | * notify any tracer that was single-stepping it. | 676 | * avoid the recursive send_sigtrap() in SIGTRAP handler. |
| 675 | * The tracer may want to single-step inside the | ||
| 676 | * handler too. | ||
| 677 | */ | 677 | */ |
| 678 | regs->flags &= ~(X86_EFLAGS_DF|X86_EFLAGS_RF|X86_EFLAGS_TF); | 678 | regs->flags &= ~(X86_EFLAGS_DF|X86_EFLAGS_RF|X86_EFLAGS_TF); |
| 679 | /* | 679 | /* |
| @@ -682,7 +682,7 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) | |||
| 682 | if (used_math()) | 682 | if (used_math()) |
| 683 | fpu_reset_state(current); | 683 | fpu_reset_state(current); |
| 684 | } | 684 | } |
| 685 | signal_setup_done(failed, ksig, test_thread_flag(TIF_SINGLESTEP)); | 685 | signal_setup_done(failed, ksig, stepping); |
| 686 | } | 686 | } |
| 687 | 687 | ||
| 688 | #ifdef CONFIG_X86_32 | 688 | #ifdef CONFIG_X86_32 |