[PATCH 1/2] powerpc/perf: Fix kernel address leak to userspace via BHRB buffer
Madhavan Srinivasan
maddy at linux.vnet.ibm.com
Wed Mar 7 15:54:30 AEDT 2018
On Monday 05 March 2018 11:46 AM, Balbir Singh wrote:
> On Sun, Mar 4, 2018 at 10:55 PM, Madhavan Srinivasan
> <maddy at linux.vnet.ibm.com> wrote:
>> The current Branch History Rolling Buffer (BHRB) code does
>> not check for any privilege levels before updating the data
>> from BHRB. This leaks kernel addresses to userspace even when
>> profiling only with userspace privileges. Add proper checks
>> to prevent it.
>>
>> Signed-off-by: Madhavan Srinivasan <maddy at linux.vnet.ibm.com>
>> ---
>> arch/powerpc/perf/core-book3s.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
>> index f89bbd54ecec..337db5831749 100644
>> --- a/arch/powerpc/perf/core-book3s.c
>> +++ b/arch/powerpc/perf/core-book3s.c
>> @@ -457,6 +457,10 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw)
>> /* invalid entry */
>> continue;
>>
>> + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
>> + is_kernel_addr(addr))
>> + continue;
>> +
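Review bot: the new condition ahead of `continue` relies on `capable(CAP_SYS_ADMIN)`, which tests the credentials of whichever task is current when power_pmu_bhrb_read() runs, and that is not necessarily the task that opened the event. Since the function only receives `cpuhw`, consider making the privilege decision once at event creation and storing it, or filtering on the event's own kernel-exclusion setting, which is the case the commit message describes ("profiling only with userspace privileges"). A short comment above the check saying why kernel addresses are dropped would help future readers, and it is worth confirming that every address taken from a BHRB entry, not only `addr` at this point in the loop, goes through the same filter.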
>
> Looks good to me. The scope of the leaks concern is KASLR related or
> something else (figuring out what's in the cache?)
I did not look at it closely. But will get the information.
Thanks for the review
Maddy
>
> Acked-by: Balbir Singh <bsingharora at gmail.com>
>
> Balbir Singh.
>