x86/kprobes: Fix JNG/JNLE emulation

anadav · Ingo Molnar · commit 8924779df820 · 2022-08-14T11:27:17.000+02:00
When kprobes emulates JNG/JNLE instructions on x86 it uses the wrong condition. For JNG (opcode: 0F 8E), according to Intel SDM, the jump is performed if (ZF == 1 or SF != OF). However the kernel emulation currently uses 'and' instead of 'or'. As a result, setting a kprobe on JNG/JNLE might cause the kernel to behave incorrectly whenever the kprobe is hit. Fix by changing the 'and' to 'or'. Fixes: 6256e66 ("x86/kprobes: Use int3 instead of debug trap for single-step") Signed-off-by: Nadav Amit <namit@vmware.com> Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220813225943.143767-1-namit@vmware.com
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
@@ -505,7 +505,7 @@ static void kprobe_emulate_jcc(struct kprobe *p, struct pt_regs *regs)
 		match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^
 			((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT);
 		if (p->ainsn.jcc.type >= 0xe)
-			match = match && (regs->flags & X86_EFLAGS_ZF);
+			match = match || (regs->flags & X86_EFLAGS_ZF);
 	}
 	__kprobe_emulate_jmp(p, regs, (match && !invert) || (!match && invert));
 }

Original file line number	Diff line number	Diff line change
`@@ -505,7 +505,7 @@ static void kprobe_emulate_jcc(struct kprobe p, struct pt_regs regs)`
`505`	`505`	`match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^`
`506`	`506`	`((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT);`
`507`	`507`	`if (p->ainsn.jcc.type >= 0xe)`
`508`		`- match = match && (regs->flags & X86_EFLAGS_ZF);`
	`508`	`+ match = match \|\| (regs->flags & X86_EFLAGS_ZF);`
`509`	`509`	`}`
`510`	`510`	`__kprobe_emulate_jmp(p, regs, (match && !invert) \|\| (!match && invert));`
`511`	`511`	`}`