* Re: [PATCH 1/2] x86: Prevent syscall hooking [not found] <20260218144735.24307-1-ellyesparza8@gmail.com> @ 2026-02-18 15:18 ` Dave Hansen 2026-02-18 15:32 ` Peter Zijlstra 2026-02-18 15:52 ` Steven Rostedt 0 siblings, 2 replies; 9+ messages in thread From: Dave Hansen @ 2026-02-18 15:18 UTC (permalink / raw) To: Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel, Kees Cook ... adding kprobes folks and Kees to cc On 2/18/26 06:47, Elly I. Esparza wrote: > Kprobes can be used by rootkits to find the address of x64_sys_call(), > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits > to find an specific syscall handler and hook it. > > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes > blacklist. I'm an occasional, but not super regular kprobes user. Is this going to hurt folks who are legitimately probing the syscall dispatch functions? I'm a bit worried that the rootkits will just move on to something else and this will become a never ending game of whack-a-mole where half the kernel needs NOKPROBE_SYMBOL(). ;) ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-18 15:18 ` [PATCH 1/2] x86: Prevent syscall hooking Dave Hansen @ 2026-02-18 15:32 ` Peter Zijlstra 2026-02-19 21:51 ` H. Peter Anvin 2026-02-18 15:52 ` Steven Rostedt 1 sibling, 1 reply; 9+ messages in thread From: Peter Zijlstra @ 2026-02-18 15:32 UTC (permalink / raw) To: Dave Hansen Cc: Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel, Kees Cook On Wed, Feb 18, 2026 at 07:18:25AM -0800, Dave Hansen wrote: > ... adding kprobes folks and Kees to cc > > On 2/18/26 06:47, Elly I. Esparza wrote: > > Kprobes can be used by rootkits to find the address of x64_sys_call(), > > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits > > to find an specific syscall handler and hook it. > > > > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes > > blacklist. > I'm an occasional, but not super regular kprobes user. Is this going to > hurt folks who are legitimately probing the syscall dispatch functions? > > I'm a bit worried that the rootkits will just move on to something else > and this will become a never ending game of whack-a-mole where half the > kernel needs NOKPROBE_SYMBOL(). ;) So I really think this should be noinstr; pretty much all the code here is noinstr already, so why not include the syscall dispatch. Better still, noinstr ensures the spectre-v1 mitigation actually works. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-18 15:32 ` Peter Zijlstra @ 2026-02-19 21:51 ` H. Peter Anvin 0 siblings, 0 replies; 9+ messages in thread From: H. Peter Anvin @ 2026-02-19 21:51 UTC (permalink / raw) To: Peter Zijlstra, Dave Hansen Cc: Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel, Kees Cook On February 18, 2026 7:32:44 AM PST, Peter Zijlstra <peterz@infradead.org> wrote: >On Wed, Feb 18, 2026 at 07:18:25AM -0800, Dave Hansen wrote: >> ... adding kprobes folks and Kees to cc >> >> On 2/18/26 06:47, Elly I. Esparza wrote: >> > Kprobes can be used by rootkits to find the address of x64_sys_call(), >> > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits >> > to find an specific syscall handler and hook it. >> > >> > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes >> > blacklist. >> I'm an occasional, but not super regular kprobes user. Is this going to >> hurt folks who are legitimately probing the syscall dispatch functions? >> >> I'm a bit worried that the rootkits will just move on to something else >> and this will become a never ending game of whack-a-mole where half the >> kernel needs NOKPROBE_SYMBOL(). ;) > >So I really think this should be noinstr; pretty much all the code here >is noinstr already, so why not include the syscall dispatch. > >Better still, noinstr ensures the spectre-v1 mitigation actually works. Yes, and merging the x64 and x32 dispatches into one function actually enables a lot of code sharing. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-18 15:18 ` [PATCH 1/2] x86: Prevent syscall hooking Dave Hansen 2026-02-18 15:32 ` Peter Zijlstra @ 2026-02-18 15:52 ` Steven Rostedt 2026-02-18 16:58 ` ellyndra 2026-02-19 18:45 ` Kees Cook 1 sibling, 2 replies; 9+ messages in thread From: Steven Rostedt @ 2026-02-18 15:52 UTC (permalink / raw) To: Dave Hansen Cc: Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel, Kees Cook On Wed, 18 Feb 2026 07:18:25 -0800 Dave Hansen <dave.hansen@intel.com> wrote: > ... adding kprobes folks and Kees to cc > > On 2/18/26 06:47, Elly I. Esparza wrote: > > Kprobes can be used by rootkits to find the address of x64_sys_call(), > > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits > > to find an specific syscall handler and hook it. > > > > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes > > blacklist. > I'm an occasional, but not super regular kprobes user. Is this going to > hurt folks who are legitimately probing the syscall dispatch functions? > > I'm a bit worried that the rootkits will just move on to something else > and this will become a never ending game of whack-a-mole where half the > kernel needs NOKPROBE_SYMBOL(). ;) Honesty, if you are worried about this, just run LOCKDOWN on tracing, and prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this information once you have kprobes enabled and have root access. This patch is hurting legitimate debugging of running systems more than it is limiting rootkits from hacking the kernel. In other words, this is causing more harm than good. Because, I do hook these functions a lot, and this will definitely put a cramp into my debugging of running systems if this gets applied. noinstr has already hurt debugging NO_HZ_FULL to track when userspace goes into the kernel. Because now it's much more difficult to trace the latency the kernel causes a task. -- Steve ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-18 15:52 ` Steven Rostedt @ 2026-02-18 16:58 ` ellyndra 2026-02-19 18:45 ` Kees Cook 1 sibling, 0 replies; 9+ messages in thread From: ellyndra @ 2026-02-18 16:58 UTC (permalink / raw) To: Steven Rostedt Cc: Dave Hansen, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel, Kees Cook On Wed, Feb 18, 2026 at 12:52 PM Steven Rostedt <rostedt@goodmis.org> wrote: > > On Wed, 18 Feb 2026 07:18:25 -0800 > Dave Hansen <dave.hansen@intel.com> wrote: > > > ... adding kprobes folks and Kees to cc > > > > On 2/18/26 06:47, Elly I. Esparza wrote: > > > Kprobes can be used by rootkits to find the address of x64_sys_call(), > > > x32_sys_call() and ia32_sys_call(). This in turn allows for the rootkits > > > to find an specific syscall handler and hook it. > > > > > > Add x64_sys_call(), x32_sys_call() and ia32_sys_call() to the kprobes > > > blacklist. > > I'm an occasional, but not super regular kprobes user. Is this going to > > hurt folks who are legitimately probing the syscall dispatch functions? > > > > I'm a bit worried that the rootkits will just move on to something else > > and this will become a never ending game of whack-a-mole where half the > > kernel needs NOKPROBE_SYMBOL(). ;) > > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > information once you have kprobes enabled and have root access. This patch > is hurting legitimate debugging of running systems more than it is limiting > rootkits from hacking the kernel. > > In other words, this is causing more harm than good. > > Because, I do hook these functions a lot, and this will definitely put a > cramp into my debugging of running systems if this gets applied. > > noinstr has already hurt debugging NO_HZ_FULL to track when userspace goes > into the kernel. Because now it's much more difficult to trace the latency > the kernel causes a task. > > -- Steve Fair, thanks for the quick responses. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-18 15:52 ` Steven Rostedt 2026-02-18 16:58 ` ellyndra @ 2026-02-19 18:45 ` Kees Cook 2026-02-20 2:45 ` Masami Hiramatsu 1 sibling, 1 reply; 9+ messages in thread From: Kees Cook @ 2026-02-19 18:45 UTC (permalink / raw) To: Steven Rostedt Cc: Dave Hansen, Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote: > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > information once you have kprobes enabled and have root access. This patch > is hurting legitimate debugging of running systems more than it is limiting > rootkits from hacking the kernel. Yeah, I agree. If kprobes is available, there is a lot of harm an attacker can already do. If a bright line between root/ring-0 is desired, a system needs to be configured to be using lockdown or similar things to turn off the interfaces that let root write to kernel state. -- Kees Cook ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-19 18:45 ` Kees Cook @ 2026-02-20 2:45 ` Masami Hiramatsu 2026-02-20 17:04 ` Christoph Hellwig 0 siblings, 1 reply; 9+ messages in thread From: Masami Hiramatsu @ 2026-02-20 2:45 UTC (permalink / raw) To: Kees Cook Cc: Steven Rostedt, Dave Hansen, Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, Masami Hiramatsu, linux-trace-kernel On Thu, 19 Feb 2026 10:45:02 -0800 Kees Cook <kees@kernel.org> wrote: > On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote: > > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > > information once you have kprobes enabled and have root access. This patch > > is hurting legitimate debugging of running systems more than it is limiting > > rootkits from hacking the kernel. > > Yeah, I agree. If kprobes is available, there is a lot of harm an > attacker can already do. If a bright line between root/ring-0 is > desired, a system needs to be configured to be using lockdown or similar > things to turn off the interfaces that let root write to kernel state. Agreed. The blacklist (or blocklist) of kprobes is designed for preventing nesting software breakpoint handling, not for security. Thank you, -- Masami Hiramatsu (Google) <mhiramat@kernel.org> ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-20 2:45 ` Masami Hiramatsu @ 2026-02-20 17:04 ` Christoph Hellwig 2026-02-20 17:12 ` Steven Rostedt 0 siblings, 1 reply; 9+ messages in thread From: Christoph Hellwig @ 2026-02-20 17:04 UTC (permalink / raw) To: Masami Hiramatsu Cc: Kees Cook, Steven Rostedt, Dave Hansen, Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, linux-trace-kernel On Fri, Feb 20, 2026 at 11:45:40AM +0900, Masami Hiramatsu wrote: > On Thu, 19 Feb 2026 10:45:02 -0800 > Kees Cook <kees@kernel.org> wrote: > > > On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote: > > > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > > > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > > > information once you have kprobes enabled and have root access. This patch > > > is hurting legitimate debugging of running systems more than it is limiting > > > rootkits from hacking the kernel. > > > > Yeah, I agree. If kprobes is available, there is a lot of harm an > > attacker can already do. If a bright line between root/ring-0 is > > desired, a system needs to be configured to be using lockdown or similar > > things to turn off the interfaces that let root write to kernel state. > > Agreed. The blacklist (or blocklist) of kprobes is designed for preventing > nesting software breakpoint handling, not for security. It still can be useful. As mention in the other thread, we just need to make it clear. I.e. add something like "noprobe_for_security". And if we really, really care it could be conditional on a config option. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] x86: Prevent syscall hooking 2026-02-20 17:04 ` Christoph Hellwig @ 2026-02-20 17:12 ` Steven Rostedt 0 siblings, 0 replies; 9+ messages in thread From: Steven Rostedt @ 2026-02-20 17:12 UTC (permalink / raw) To: Christoph Hellwig Cc: Masami Hiramatsu, Kees Cook, Dave Hansen, Elly I. Esparza, linux-kernel, luto, tglx, mingo, bp, dave.hansen, x86, hpa, Naveen N Rao, David S. Miller, linux-trace-kernel On Fri, 20 Feb 2026 09:04:39 -0800 Christoph Hellwig <hch@infradead.org> wrote: > > Agreed. The blacklist (or blocklist) of kprobes is designed for preventing > > nesting software breakpoint handling, not for security. > > It still can be useful. As mention in the other thread, we just need > to make it clear. I.e. add something like "noprobe_for_security". > And if we really, really care it could be conditional on a config > option. As I already mentioned, we have the LOCKDOWN infrastructure for that. If you care about security of kprobes, use lockdown to disable it. As previously stated, there's 1000 other ways kprobes can get this same information. Adding a "noprobe_for_security" will lead to a false sense of security. Basically the same as leaving your car unlocked and hiding the keys in the visor and thinking nobody will steal your car. -- Steve ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-02-20 17:12 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20260218144735.24307-1-ellyesparza8@gmail.com>
2026-02-18 15:18 ` [PATCH 1/2] x86: Prevent syscall hooking Dave Hansen
2026-02-18 15:32 ` Peter Zijlstra
2026-02-19 21:51 ` H. Peter Anvin
2026-02-18 15:52 ` Steven Rostedt
2026-02-18 16:58 ` ellyndra
2026-02-19 18:45 ` Kees Cook
2026-02-20 2:45 ` Masami Hiramatsu
2026-02-20 17:04 ` Christoph Hellwig
2026-02-20 17:12 ` Steven Rostedt
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox