From: fche@redhat.com (Frank Ch. Eigler)
To: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [ANNOUNCE] ktap 0.1 released
Date: Tue, 21 May 2013 14:13:09 -0400 [thread overview]
Message-ID: <y0m8v38jj62.fsf@fche.csb> (raw)
In-Reply-To: <519AF05E.1050808@huawei.com> (jovi.zhangwei@huawei.com's message of "Tue, 21 May 2013 11:56:14 +0800")
"zhangwei(Jovi)" <jovi.zhangwei@huawei.com> writes:
> I'm pleased to announce that ktap release v0.1, this is the first official
> release of ktap project [...]
Congrats.
> = what's ktap?
>
> Because this is the first release, so there wouldn't include too
> much features, just contain several basic features about tracing,
> [...]
Nice progress. Reviewing the safety/security items from
https://lkml.org/lkml/2013/1/17/623, I see improvement in most.
For example, you seem to be using GFP_ATOMIC for run-time memory
allocation, which is safer than before (though still could exhaust
resources). OTOH your code doesn't handle *failure* of such
allocation attempts (see call sites to kp_*alloc).
There still doesn't seem to be safety constraints on the incoming
byte code (like jump ranges, or loop counts).
It's nice to see some arithmetic OP_* checks, and the user_string
function is probably safe enough now. You'll need something analogous
for kernel space (and possibly as verification for the various %s
kp_printfs). The hash tables might be susceptible to the deliberate
hash collision attacks from last year.
It's nice to see the *_STACK_SIZE constraints in the bytecode
interpreter; is there any C-level recursion remaining to consume
excessive kernel stack?
Exposing os.sleep/os.wait (or general kernel functions) to become
callable from the scripts is fraught with danger. You just can't call
the underlying functions from random kernel context (imagine from the
most pessimal possible kprobe or tracepoint, somewhere within an
atomic section), and you'll get crashes.
You should write several time/space/invasivity stress-tests to help
see how future progress improves the code's performance/safety on
these and other problem areas.
> = Planned Changes
>
> we are planning to enable more kernel ineroperability into ktap [...]
As per the above, you'll want to be extremely careful about the idea
to export FFI to let the lua scripts call into arbitrary kernel
functions. Perhaps wrap it into a 'guru' mode flag?
- FChE
next prev parent reply other threads:[~2013-05-21 18:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-21 3:56 [ANNOUNCE] ktap 0.1 released zhangwei(Jovi)
2013-05-21 18:13 ` Frank Ch. Eigler [this message]
2013-05-24 3:17 ` zhangwei(Jovi)
2013-05-21 22:19 ` Jonathan Corbet
2013-05-22 3:29 ` zhangwei(Jovi)
2013-05-22 4:15 ` Ming Lei
2013-05-22 4:19 ` Ming Lei
2013-05-22 4:34 ` Ming Lei
2013-05-22 7:00 ` zhangwei(Jovi)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=y0m8v38jj62.fsf@fche.csb \
--to=fche@redhat.com \
--cc=jovi.zhangwei@huawei.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox