[PATCH v3 3/3] arm64: kprobe: disable probe of fault prone ptrauth instruction

Dave Martin Dave.Martin at arm.com
Mon Jun 22 10:40:26 EDT 2020


On Thu, Jun 18, 2020 at 10:40:29AM +0530, Amit Daniel Kachhap wrote:
> This patch disables the probing of the authenticating ptrauth instructions
> (AUT*), which fall under the hint instruction region. This is done to
> disallow probing of authenticate instructions, which may lead to ptrauth
> faults with the addition of Armv8.6 enhanced ptrauth features.
> 
> The corresponding PAC-adding ptrauth instructions (PAC*) are not disabled
> and can still be probed.

Seems sensible.  Might be worth noting here why we think this is
reasonable: AUT* instructions make no sense at function entry points,
so most realistic probes would be unaffected by this change.

Since stepping on older hardware is safe, we could make this conditional
based on cpufeatures.  It hardly seems worth it, though.

> Signed-off-by: Amit Daniel Kachhap <amit.kachhap at arm.com>
> ---
> Changes since v2:
>  * Modified this patch to consider the merged changes for whitelisting
>   of nops by commit 47d67e4d19184e ("arm64: insn: Report PAC and BTI").
> 
>  arch/arm64/kernel/insn.c               | 6 ------
>  arch/arm64/kernel/probes/decode-insn.c | 2 +-
>  2 files changed, 1 insertion(+), 7 deletions(-)
> 
> diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
> index 684d871ae38d..9cd10edefc96 100644
> --- a/arch/arm64/kernel/insn.c
> +++ b/arch/arm64/kernel/insn.c
> @@ -60,16 +60,10 @@ bool __kprobes aarch64_insn_is_steppable_hint(u32 insn)
>  	case AARCH64_INSN_HINT_XPACLRI:
>  	case AARCH64_INSN_HINT_PACIA_1716:
>  	case AARCH64_INSN_HINT_PACIB_1716:
> -	case AARCH64_INSN_HINT_AUTIA_1716:
> -	case AARCH64_INSN_HINT_AUTIB_1716:
>  	case AARCH64_INSN_HINT_PACIAZ:
>  	case AARCH64_INSN_HINT_PACIASP:
>  	case AARCH64_INSN_HINT_PACIBZ:
>  	case AARCH64_INSN_HINT_PACIBSP:
> -	case AARCH64_INSN_HINT_AUTIAZ:
> -	case AARCH64_INSN_HINT_AUTIASP:
> -	case AARCH64_INSN_HINT_AUTIBZ:
> -	case AARCH64_INSN_HINT_AUTIBSP:
>  	case AARCH64_INSN_HINT_BTI:
>  	case AARCH64_INSN_HINT_BTIC:
>  	case AARCH64_INSN_HINT_BTIJ:
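Review bot: the switch in aarch64_insn_is_steppable_hint() now lists PACIA_1716/PACIB_1716 and PACIAZ..PACIBSP but silently drops their AUT* counterparts, and nothing in the code says the omission is deliberate; a reader of insn.c who knows the PAC/AUT pairs will assume the cases were forgotten and re-add them. Suggest carrying the commit message's reason into a short comment next to the PAC cases, e.g. "/* AUT* hints are deliberately absent: with Armv8.6 enhanced ptrauth they can fault when single-stepped */", so the whitelist documents itself.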
> diff --git a/arch/arm64/kernel/probes/decode-insn.c b/arch/arm64/kernel/probes/decode-insn.c
> index 263d5fba4c8a..c26c638b260e 100644
> --- a/arch/arm64/kernel/probes/decode-insn.c
> +++ b/arch/arm64/kernel/probes/decode-insn.c
> @@ -42,7 +42,7 @@ static bool __kprobes aarch64_insn_is_steppable(u32 insn)
>  			     != AARCH64_INSN_SPCLREG_DAIF;
>  
>  		/*
> -		 * The HINT instruction is is problematic when single-stepping,
> +		 * The HINT instruction is problematic when single-stepping,
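Review bot: the only change in this hunk is the "is is" typo in the comment above the HINT handling in aarch64_insn_is_steppable(), which is unrelated to the AUT* whitelist change in insn.c; either split it into its own patch or, since the comment is being touched anyway, extend it to say that AUT* hints are intentionally excluded from the steppable set, so decode-insn.c points the reader at the reason the case list in insn.c is asymmetric.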

Nit: doesn't matter too much, but ideally this should be a separate
patch (or just don't bother).

Cheers
---Dave
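To make the whitelist concrete, here is an added stand-alone C example (not kernel code, and not part of the patch or this thread) that decodes the HINT-space encoding and applies the policy the patch arrives at: NOP, PAC*, XPACLRI and BTI* are single-steppable, AUT* are not. The field layout is the architectural one (HINT is 0xD503201F with imm7 in bits [11:5], CRm in [11:8] and op2 in [7:5]); the enum and function names, and the constructed table of encodings in main(), are my own and do not mirror the kernel's AARCH64_INSN_HINT_* names. It shows the detail the case list hides: for CRm 1 and 3, op2 bit 2 is exactly what separates an AUT* hint from its PAC* pair.

```c
/*
 * Added example, not kernel code: classify AArch64 HINT-space encodings
 * and decide single-steppability the way the patch does for kprobes.
 *
 * HINT encoding (Arm ARM): 0xD503201F | (imm7 << 5), imm7 = CRm:op2.
 * The names and table below are assumptions made for this example.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HINT_MASK 0xFFFFF01Fu   /* all bits except imm7 */
#define HINT_BASE 0xD503201Fu   /* HINT #0, i.e. NOP */

enum hint_class {
	HINT_NOP, HINT_PAC, HINT_AUT, HINT_XPAC, HINT_BTI, HINT_OTHER, NOT_A_HINT
};

static bool is_hint(uint32_t insn)
{
	return (insn & HINT_MASK) == HINT_BASE;
}

static unsigned int hint_imm7(uint32_t insn)
{
	return (insn >> 5) & 0x7f;
}

enum hint_class classify_hint(uint32_t insn)
{
	unsigned int crm, op2;

	if (!is_hint(insn))
		return NOT_A_HINT;

	crm = hint_imm7(insn) >> 3;   /* bits [11:8] */
	op2 = hint_imm7(insn) & 7;    /* bits [7:5]  */

	switch (crm) {
	case 0:
		if (op2 == 0)
			return HINT_NOP;
		if (op2 == 7)
			return HINT_XPAC;          /* XPACLRI */
		return HINT_OTHER;             /* YIELD, WFE, WFI, SEV, SEVL, ... */
	case 1:
		/* PACIA1716 (0), PACIB1716 (2), AUTIA1716 (4), AUTIB1716 (6) */
		if (op2 & 1)
			return HINT_OTHER;         /* reserved hints */
		return (op2 & 4) ? HINT_AUT : HINT_PAC;
	case 3:
		/* PACIAZ/PACIASP/PACIBZ/PACIBSP (0-3), AUTIAZ/AUTIASP/AUTIBZ/AUTIBSP (4-7) */
		return (op2 & 4) ? HINT_AUT : HINT_PAC;
	case 4:
		/* BTI (0), BTI c (2), BTI j (4), BTI jc (6) */
		return (op2 & 1) ? HINT_OTHER : HINT_BTI;
	default:
		return HINT_OTHER;
	}
}

/* Policy after the patch: every PAC-side hint steps, no AUT-side hint does. */
bool hint_is_steppable(uint32_t insn)
{
	switch (classify_hint(insn)) {
	case HINT_NOP:
	case HINT_PAC:
	case HINT_XPAC:
	case HINT_BTI:
		return true;
	default:
		return false;
	}
}

int main(void)
{
	/* Constructed sample encodings for the demo; not taken from any binary. */
	static const struct { uint32_t insn; const char *name; } tbl[] = {
		{ 0xD503201Fu, "NOP" },       { 0xD503211Fu, "PACIA1716" },
		{ 0xD503219Fu, "AUTIA1716" }, { 0xD503233Fu, "PACIASP" },
		{ 0xD50323BFu, "AUTIASP" },   { 0xD50320FFu, "XPACLRI" },
		{ 0xD503245Fu, "BTI c" },     { 0xD503203Fu, "YIELD" },
		{ 0xD65F03C0u, "RET" },
	};
	size_t i;

	for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
		printf("%08x %-10s steppable=%d\n", tbl[i].insn, tbl[i].name,
		       hint_is_steppable(tbl[i].insn));
	return 0;
}
```

The decoder deliberately keeps the reserved odd op2 values under CRm 1 and the BTI-space odd values out of the steppable set, so a future hint allocated there is rejected rather than stepped by accident, which is the conservative direction for a kprobes whitelist.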



More information about the linux-arm-kernel mailing list