[PATCH] Kprobes: Verify probepoint in register_jprobe()

[PATCH] Kprobes: Verify probepoint in register_jprobe()

[Luca Falavigna]

This patch, built against version 2.6.12, checks if probepoint address is a
function entry point using an offset value, obtained from kallsyms_lookup().
If offset is zero, we register jprobe, otherwise we return -EINVAL.


Signed-off-by: Luca Falavigna <dktrkranz@gmail.com>

--- ./kernel/kprobes.c.orig	2005-06-29 00:17:43.000000000 +0000
+++ ./kernel/kprobes.c	2005-06-29 11:08:02.000000000 +0000
@@ -33,6 +33,7 @@
 #include <linux/hash.h>
 #include <linux/init.h>
 #include <linux/module.h>
+#include <linux/kallsyms.h>
 #include <asm/cacheflush.h>
 #include <asm/errno.h>
 #include <asm/kdebug.h>
@@ -245,7 +246,15 @@ static struct notifier_block kprobe_exce

 int register_jprobe(struct jprobe *jp)
 {
-	/* Todo: Verify probepoint is a function entry point */
+	unsigned long size, offset;
+	char *modname, namebuf[KSYM_NAME_LEN+1];
+	
+	kallsyms_lookup((unsigned long)jp->kp.addr, &size,
+			&offset, &modname, namebuf);
+	
+	if(unlikely(offset))
+		return -EINVAL;
+	
 	jp->kp.pre_handler = setjmp_pre_handler;
 	jp->kp.break_handler = longjmp_break_handler;


Regards,
-- 
					Luca

Re: [PATCH] Kprobes: Verify probepoint in register_jprobe()

[Andrew Morton]

Luca Falavigna <dktrkranz@gmail.com> wrote:
>
> This patch, built against version 2.6.12, checks if probepoint address is a
> function entry point using an offset value, obtained from kallsyms_lookup().
> If offset is zero, we register jprobe, otherwise we return -EINVAL.
> 

a) kallsyms holds symbols other than just function names.

b) This won't work with CONFIG_KALLSYMS=n

> 
> --- ./kernel/kprobes.c.orig	2005-06-29 00:17:43.000000000 +0000
> +++ ./kernel/kprobes.c	2005-06-29 11:08:02.000000000 +0000
> @@ -33,6 +33,7 @@
>  #include <linux/hash.h>
>  #include <linux/init.h>
>  #include <linux/module.h>
> +#include <linux/kallsyms.h>
>  #include <asm/cacheflush.h>
>  #include <asm/errno.h>
>  #include <asm/kdebug.h>
> @@ -245,7 +246,15 @@ static struct notifier_block kprobe_exce
> 
>  int register_jprobe(struct jprobe *jp)
>  {
> -	/* Todo: Verify probepoint is a function entry point */
> +	unsigned long size, offset;
> +	char *modname, namebuf[KSYM_NAME_LEN+1];
> +	
> +	kallsyms_lookup((unsigned long)jp->kp.addr, &size,
> +			&offset, &modname, namebuf);
> +	
> +	if(unlikely(offset))
> +		return -EINVAL;
> +	
>  	jp->kp.pre_handler = setjmp_pre_handler;
>  	jp->kp.break_handler = longjmp_break_handler;
> 

Re: [PATCH] Kprobes: Verify probepoint in register_jprobe()

[Paulo Marques]

Luca Falavigna wrote:
> [...]
>  int register_jprobe(struct jprobe *jp)
>  {
> -	/* Todo: Verify probepoint is a function entry point */
> +	unsigned long size, offset;
> +	char *modname, namebuf[KSYM_NAME_LEN+1];
> +	
> +	kallsyms_lookup((unsigned long)jp->kp.addr, &size,
> +			&offset, &modname, namebuf);
> +	
> +	if(unlikely(offset))
> +		return -EINVAL;

Hmmm, kallsyms_lookup might return NULL if either the address is not 
found or CONFIG_KALLSYMS is not set, and in this case "offset" is not 
initialized at all before this test.

We should either fail in this case, or accept the address as valid 
without confirmation. I don't have sufficient knowledge about kprobes to 
advise either way, but a test should be made nevertheless (or we could 
just initialize "offset" to 0, if we want to accept the address without 
confirmation).

-- 
Paulo Marques - www.grupopie.com

It is a mistake to think you can solve any major problems
just with potatoes.
Douglas Adams