From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: rostedt <rostedt@goodmis.org>
Cc: Francis Deslauriers <francis.deslauriers@efficios.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH 2/2] kprobe: fix: Add ftrace_ops_assist_func to kprobe blacklist
Date: Fri, 16 Mar 2018 12:28:59 -0400 (EDT) [thread overview]
Message-ID: <229385456.11580.1521217739037.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <20180316112517.66bdd85a@gandalf.local.home>
----- On Mar 16, 2018, at 11:25 AM, rostedt rostedt@goodmis.org wrote:
> On Fri, 16 Mar 2018 11:18:25 -0400
> Francis Deslauriers <francis.deslauriers@efficios.com> wrote:
>
>> Hi Steven,
>>
>> I completely forgot about this issue until recently when I encountered it again.
>> Instrumenting the ftrace_ops_assist_func symbol and some other symbol
>> seems to be causing problems.
>>
>> Placing kretprobes like in the following configuration crashes my
>> kernel (4.16.0-rc5) on a Qemu/KVM virtual machine:
>>
>> config 1:
>> echo "r:event_1 __fdget" >> kprobe_events
>> echo "r:event_2 ftrace_ops_assist_func" >> kprobe_events
>>
>> config 2:
>> echo "r:event_1 __fdget_pos" >> kprobe_events
>> echo "r:event_2 ftrace_ops_assist_func" >> kprobe_events
>>
>> config 3:
>> echo 'r:event_1 arch_dup_task_struct' >> kprobe_events
>> echo 'r:event_2 ftrace_ops_assist_func' >> kprobe_events
>>
>> config 4:
>> echo 'r:event_1 sys_open' >> kprobe_events
>> echo 'r:event_2 ftrace_ops_assist_func' >> kprobe_events
>>
>> Here is my kernel config [1]:
>>
>> In a previous email [2], you mentioned that you would like to add the
>> ftrace-related symbols to a section to un-blacklist them all at once
>> on demand but wanted to discuss it at Linux Plumbers. Do you still
>> think that it's the right approach?
>
> We probably didn't discuss it (as there was a lot to discuss, and this
> was probably overshadowed by that). But yes, you should not probe
> ftrace called functions. That is guaranteed to crash and that crash is
> not a bug, but a feature.
Are you really arguing that crashing the kernel from an ABI visible from
userspace (even if it's only root user) is not a bug ? You are joking right ?
Is there an EXPERIMENTAL config option that people need to select in order to
make sure those ftrace interfaces don't end up on production systems ?
>
> The ftrace and ring buffer files should be blacklisted from being
> probed. Perhaps the entire directory.
All code reachable from a kprobe handler should be blacklisted from
kprobes, yes.
>
> Anyway, I don't see this as much of an urgent matter, as it's one of
> those "Patient: Doc, it hurts when I do this. Doc: Don't do that"
> cases. And there's a lot of urgent issues that currently need to be
> dealt with.
OK, short-term we'll remove everything related to ftrace functions
from our CI fuzzer coverage. Arguably, the fact that a root user can
crash the kernel through tracefs files is not that great security-wise
though.
Considering that our current focus is to test the kprobe instrumentation
layer (and not ftrace per se), we will move our fuzzer to the LTTng ABI
instead, which should take care of removing crashes introduced by ftrace
from our fuzzing results.
Thanks,
Mathieu
>
> -- Steve
>
>
>>
>> I can easily test any patch regarding this issue.
>>
>> [1] http://paste.ubuntu.com/p/BJWvgMnW8z/
>> [2] https://lkml.org/lkml/2017/7/14/568
>>
>> Thank you,
>>
>> 2017-07-14 14:29 GMT-04:00 Steven Rostedt <rostedt@goodmis.org>:
>> > On Fri, 14 Jul 2017 10:58:35 -0400
>> > Francis Deslauriers <francis.deslauriers@efficios.com> wrote:
>> >
>> >> This function is called when a kprobe is hit. Thus it should be
>> >> blacklisted to prevent kprobe to be triggered by kprobes.
>> >>
>> >> Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
>> >> ---
>> >> kernel/trace/ftrace.c | 2 ++
>> >> 1 file changed, 2 insertions(+)
>> >>
>> >> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
>> >> index b308be3..c473d9b 100644
>> >> --- a/kernel/trace/ftrace.c
>> >> +++ b/kernel/trace/ftrace.c
>> >> @@ -36,6 +36,7 @@
>> >>
>> >> #include <trace/events/sched.h>
>> >>
>> >> +#include <asm/kprobes.h>
>> >> #include <asm/sections.h>
>> >> #include <asm/setup.h>
>> >>
>> >> @@ -5739,6 +5740,7 @@ static void ftrace_ops_assist_func(unsigned long ip,
>> >> unsigned long parent_ip,
>> >> preempt_enable_notrace();
>> >> trace_clear_recursion(bit);
>> >> }
>> >> +NOKPROBE_SYMBOL(ftrace_ops_assist_func);
>> >
>> > Continuing from what I said in the other email, this is fixing a
>> > symptom and not the problem. The real fix will be much more involved. I
>> > have a good idea on how to accomplish it too.
>> >
>> > -- Steve
>> >
>> >
>> >>
>> >> /**
>> >> * ftrace_ops_get_func - get the function a trampoline should call
>> >
>>
>>
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
next prev parent reply other threads:[~2018-03-16 16:29 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-14 14:58 [PATCH 0/2] kprobe: Fix: add symbols to kprobe blacklist Francis Deslauriers
2017-07-14 14:58 ` [PATCH 1/2] kprobe: fix: Add _ASM_NOKPROBE to x86 apic interrupt macro Francis Deslauriers
2017-07-14 14:58 ` [PATCH 2/2] kprobe: fix: Add ftrace_ops_assist_func to kprobe blacklist Francis Deslauriers
2017-07-14 18:29 ` Steven Rostedt
2018-03-16 15:18 ` Francis Deslauriers
2018-03-16 15:25 ` Steven Rostedt
2018-03-16 16:28 ` Mathieu Desnoyers [this message]
2018-03-16 16:41 ` Steven Rostedt
2018-03-16 16:48 ` Steven Rostedt
2018-03-16 17:53 ` Mathieu Desnoyers
2018-03-16 19:02 ` Steven Rostedt
2018-03-17 0:13 ` Masami Hiramatsu
2018-03-17 1:22 ` Masami Hiramatsu
2018-03-17 3:01 ` Steven Rostedt
2018-03-17 7:57 ` Masami Hiramatsu
2018-07-03 22:30 ` Steven Rostedt
2018-07-11 19:34 ` Francis Deslauriers
2018-07-11 19:56 ` Steven Rostedt
2018-07-12 0:40 ` Francis Deslauriers
2018-07-12 13:59 ` Masami Hiramatsu
2018-07-12 13:46 ` Masami Hiramatsu
2018-03-17 0:08 ` Masami Hiramatsu
2018-07-12 17:54 ` [PATCH 0/2] tracing: kprobes: Prohibit probing on notrace functions Francis Deslauriers
2018-07-12 17:54 ` [PATCH 1/2] " Francis Deslauriers
2018-07-12 21:49 ` Steven Rostedt
2018-07-13 2:53 ` Masami Hiramatsu
2018-07-13 12:18 ` Steven Rostedt
2018-07-26 0:41 ` Masami Hiramatsu
2018-07-26 1:13 ` Steven Rostedt
2018-07-12 17:54 ` [PATCH 2/2] selftest/ftrace: Move kprobe selftest function to separate compile unit Francis Deslauriers
2017-07-14 18:27 ` [PATCH 0/2] kprobe: Fix: add symbols to kprobe blacklist Steven Rostedt
2017-07-16 15:59 ` Masami Hiramatsu
2017-07-16 14:37 ` Masami Hiramatsu
2017-07-16 15:46 ` Masami Hiramatsu
2017-07-17 18:46 ` Francis Deslauriers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=229385456.11580.1521217739037.JavaMail.zimbra@efficios.com \
--to=mathieu.desnoyers@efficios.com \
--cc=francis.deslauriers@efficios.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox