From: Jiri Olsa <olsajiri@gmail.com>
To: Yonghong Song <yhs@meta.com>
Cc: Ze Gao <zegao2021@gmail.com>, Song Liu <song@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Ze Gao <zegao@tencent.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org
Subject: Re: [PATCH] bpf: reject blacklisted symbols in kprobe_multi to avoid recursive trap
Date: Wed, 10 May 2023 10:27:59 -0700 [thread overview]
Message-ID: <ZFvUH+p0ebcgnwEg@krava> (raw)
In-Reply-To: <6308b8e0-8a54-e574-a312-0a97cfbf810c@meta.com>
On Wed, May 10, 2023 at 07:13:58AM -0700, Yonghong Song wrote:
>
>
> On 5/10/23 5:20 AM, Ze Gao wrote:
> > BPF_LINK_TYPE_KPROBE_MULTI attaches kprobe programs through fprobe,
> > however it does not takes those kprobe blacklisted into consideration,
> > which likely introduce recursive traps and blows up stacks.
> >
> > this patch adds simple check and remove those are in kprobe_blacklist
> > from one fprobe during bpf_kprobe_multi_link_attach. And also
> > check_kprobe_address_safe is open for more future checks.
> >
> > note that ftrace provides recursion detection mechanism, but for kprobe
> > only, we can directly reject those cases early without turning to ftrace.
> >
> > Signed-off-by: Ze Gao <zegao@tencent.com>
> > ---
> > kernel/trace/bpf_trace.c | 37 +++++++++++++++++++++++++++++++++++++
> > 1 file changed, 37 insertions(+)
> >
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index 9a050e36dc6c..44c68bc06bbd 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -2764,6 +2764,37 @@ static int get_modules_for_addrs(struct module ***mods, unsigned long *addrs, u3
> > return arr.mods_cnt;
> > }
> > +static inline int check_kprobe_address_safe(unsigned long addr)
> > +{
> > + if (within_kprobe_blacklist(addr))
> > + return -EINVAL;
> > + else
> > + return 0;
> > +}
> > +
> > +static int check_bpf_kprobe_addrs_safe(unsigned long *addrs, int num)
> > +{
> > + int i, cnt;
> > + char symname[KSYM_NAME_LEN];
> > +
> > + for (i = 0; i < num; ++i) {
> > + if (check_kprobe_address_safe((unsigned long)addrs[i])) {
> > + lookup_symbol_name(addrs[i], symname);
> > + pr_warn("bpf_kprobe: %s at %lx is blacklisted\n", symname, addrs[i]);
>
> So user request cannot be fulfilled and a warning is issued and some
> of user requests are discarded and the rest is proceeded. Does not
> sound a good idea.
>
> Maybe we should do filtering in user space, e.g., in libbpf, check
> /sys/kernel/debug/kprobes/blacklist and return error
> earlier? bpftrace/libbpf-tools/bcc-tools all do filtering before
> requesting kprobe in the kernel.
also fprobe uses ftrace drectly without paths in kprobe, so I wonder
some of the kprobe blacklisted functions are actually safe
jirka
>
> > + /* mark blacklisted symbol for remove */
> > + addrs[i] = 0;
> > + }
> > + }
> > +
> > + /* remove blacklisted symbol from addrs */
> > + for (i = 0, cnt = 0; i < num; ++i) {
> > + if (addrs[i])
> > + addrs[cnt++] = addrs[i];
> > + }
> > +
> > + return cnt;
> > +}
> > +
> > int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> > {
> > struct bpf_kprobe_multi_link *link = NULL;
> > @@ -2859,6 +2890,12 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> > else
> > link->fp.entry_handler = kprobe_multi_link_handler;
> > + cnt = check_bpf_kprobe_addrs_safe(addrs, cnt);
> > + if (!cnt) {
> > + err = -EINVAL;
> > + goto error;
> > + }
> > +
> > link->addrs = addrs;
> > link->cookies = cookies;
> > link->cnt = cnt;
next prev parent reply other threads:[~2023-05-10 17:28 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-10 12:20 [PATCH] bpf: reject blacklisted symbols in kprobe_multi to avoid recursive trap Ze Gao
2023-05-10 14:13 ` Yonghong Song
2023-05-10 17:27 ` Jiri Olsa [this message]
2023-05-10 20:20 ` Yonghong Song
2023-05-10 23:54 ` Yonghong Song
2023-05-11 1:24 ` Ze Gao
2023-05-11 2:06 ` Ze Gao
2023-05-16 4:57 ` Masami Hiramatsu
2023-05-12 5:53 ` Ze Gao
2023-05-12 14:29 ` Yonghong Song
2023-05-12 22:33 ` Jiri Olsa
2023-05-13 4:17 ` Steven Rostedt
2023-05-13 9:19 ` Ze Gao
2023-05-14 17:11 ` Yonghong Song
2023-05-16 4:31 ` Masami Hiramatsu
2023-05-16 5:10 ` Masami Hiramatsu
2023-05-16 5:49 ` Masami Hiramatsu
2023-05-16 15:16 ` Yonghong Song
2023-05-11 1:06 ` Ze Gao
2023-05-15 5:59 ` Ze Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFvUH+p0ebcgnwEg@krava \
--to=olsajiri@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=yhs@fb.com \
--cc=yhs@meta.com \
--cc=zegao2021@gmail.com \
--cc=zegao@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox