x86/kprobes: Push a fake return address at kretprobe_trampoline

author Masami Hiramatsu <mhiramat@kernel.org>

Tue, 14 Sep 2021 14:42:22 +0000 (23:42 +0900)

committer Steven Rostedt (VMware) <rostedt@goodmis.org>

Fri, 1 Oct 2021 01:24:07 +0000 (21:24 -0400)
author Masami Hiramatsu <mhiramat@kernel.org>
Tue, 14 Sep 2021 14:42:22 +0000 (23:42 +0900)
committer Steven Rostedt (VMware) <rostedt@goodmis.org>
Fri, 1 Oct 2021 01:24:07 +0000 (21:24 -0400)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c

index d1436d7..7e1111c 100644 (file)
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -1022,28 +1022,33 @@ asm(
         ".global __kretprobe_trampoline\n"
         ".type __kretprobe_trampoline, @function\n"
         "__kretprobe_trampoline:\n"
-       /* We don't bother saving the ss register */
  #ifdef CONFIG_X86_64
-       "       pushq %rsp\n"
+       /* Push a fake return address to tell the unwinder it's a kretprobe. */
+       "       pushq $__kretprobe_trampoline\n"
         UNWIND_HINT_FUNC
+       /* Save the 'sp - 8', this will be fixed later. */
+       "       pushq %rsp\n"
         "       pushfq\n"
         SAVE_REGS_STRING
         "       movq %rsp, %rdi\n"
         "       call trampoline_handler\n"
-       /* Replace saved sp with true return address. */
-       "       movq %rax, 19*8(%rsp)\n"
         RESTORE_REGS_STRING
+       /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
+       "       addq $8, %rsp\n"
         "       popfq\n"
  #else
-       "       pushl %esp\n"
+       /* Push a fake return address to tell the unwinder it's a kretprobe. */
+       "       pushl $__kretprobe_trampoline\n"
         UNWIND_HINT_FUNC
+       /* Save the 'sp - 4', this will be fixed later. */
+       "       pushl %esp\n"
         "       pushfl\n"
         SAVE_REGS_STRING
         "       movl %esp, %eax\n"
         "       call trampoline_handler\n"
-       /* Replace saved sp with true return address. */
-       "       movl %eax, 15*4(%esp)\n"
         RESTORE_REGS_STRING
+       /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
+       "       addl $4, %esp\n"
         "       popfl\n"
  #endif
         "       ret\n"
@@ -1063,8 +1068,10 @@ STACK_FRAME_NON_STANDARD_FP(__kretprobe_trampoline);
  /*
   * Called from __kretprobe_trampoline
   */
-__used __visible void *trampoline_handler(struct pt_regs *regs)
+__used __visible void trampoline_handler(struct pt_regs *regs)
  {
+       unsigned long *frame_pointer;
+
         /* fixup registers */
         regs->cs = __KERNEL_CS;
  #ifdef CONFIG_X86_32
@@ -1072,8 +1079,17 @@ __used __visible void *trampoline_handler(struct pt_regs *regs)
  #endif
         regs->ip = (unsigned long)&__kretprobe_trampoline;
         regs->orig_ax = ~0UL;
+       regs->sp += sizeof(long);
+       frame_pointer = &regs->sp + 1;
+
+       /* Replace fake return address with real one. */
+       *frame_pointer = kretprobe_trampoline_handler(regs, frame_pointer);
  
-       return (void *)kretprobe_trampoline_handler(regs, &regs->sp);
+       /*
+        * Copy FLAGS to 'pt_regs::sp' so that __kretprobe_trapmoline()
+        * can do RET right after POPF.
+        */
+       regs->sp = regs->flags;
  }
  NOKPROBE_SYMBOL(trampoline_handler);
author	Masami Hiramatsu <mhiramat@kernel.org>
	Tue, 14 Sep 2021 14:42:22 +0000 (23:42 +0900)
committer	Steven Rostedt (VMware) <rostedt@goodmis.org>
	Fri, 1 Oct 2021 01:24:07 +0000 (21:24 -0400)