Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp8153535rwr; Wed, 10 May 2023 19:17:02 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7yfP+jGMjtMX3rD8JAuUWn/JptBzwJDUuhlPcNn0ajv7odmNFfyPgTaFWoghR2mtv1qo7P X-Received: by 2002:a05:6a20:4658:b0:f8:7372:66c0 with SMTP id eb24-20020a056a20465800b000f8737266c0mr19205304pzb.26.1683771421943; Wed, 10 May 2023 19:17:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683771421; cv=none; d=google.com; s=arc-20160816; b=WStxJF4XbzT7pUtpWJYbwDR5AzTbtRAunLcvjOvNqXkjQZ0s4avW3q3CYlA9JE2N66 YjxOPegziOL7eLE91QTvzcaCUIAtUkC0T57QTo5HPHNureUeIQ2UENVagtyx85kZ7xxm LyMn5Ly3DRJEt6VfsT7+FrThhVcMzpN9If182w+6mxyASuhNQEcKR+kTbL8LjozRlaJn JwY+4KREiqt+KfBUw6+jJQffaAD03eyqv5eQTYDukGr4AzoX091vt3TylrGw/fNdd+nJ VUt35B1jXJ5dzOZeD0X7pXzz2vwkYy9K6SkojbprAYaeeiKFceUQVhj3246QutWy/V4f 0L/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=t7iPZ+S9lIWU484gy9gFEvIir4SYB7qgUik/l/6/al8=; b=R8p75Fcj3VpwUKMHwMmcsiJvquqTjEO8NU+68cQhgoIoJwYuBbbQlu1xzpTuuJuhCp jI7NA5GGjOsVDidpUAa9iWFXRNBZwM9rDbiNXjGoKppvVLnh6TlmC8twP+f+QJ+AYLIP RW9YCQPEvy4q1nhutd/U91ktJEWT61Cu+wRxZYBSxdUSoTY0eVhNYIkE6fpi635KHEyC ekHESjy9nf+ihoM2l5wjU8MSL7ox3q8NPVcVx5k5VqAkUMQwJWCZFf9lJRN8WbSwp2Lx IaB4C0NJFipXM+6GavS78E4qD0v48F3fDKdyOlImMWLK6dcrgyy0/3tLkHaVqJqDW2MQ c/Zg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=btQqyyVZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v15-20020a63b64f000000b00524eefa6d61si5431365pgt.736.2023.05.10.19.16.45; Wed, 10 May 2023 19:17:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=btQqyyVZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230316AbjEKCG4 (ORCPT + 99 others); Wed, 10 May 2023 22:06:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231797AbjEKCGw (ORCPT ); Wed, 10 May 2023 22:06:52 -0400 Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CC00469D; Wed, 10 May 2023 19:06:42 -0700 (PDT) Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-50c8d87c775so10590723a12.3; Wed, 10 May 2023 19:06:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683770800; x=1686362800; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=t7iPZ+S9lIWU484gy9gFEvIir4SYB7qgUik/l/6/al8=; b=btQqyyVZRjHkwxAhnJhY1niX9rzTTbi6F3EhnhvKjQ6kqfzqo6mucqbUQUEq1TvqMG y07ywc8gMlEGRllLGt73OKbIpyxH5d2+6vvHsB78HdWS/sRHVHaKxJRX3TBp0GwzqT1l uwpQj5nBMDgiuRwELvI+kUU4PQSVPHelfCfGSb6MBWHJEkcwXKblo1bHQYoBFuC7PVaO 4eEyecYJgUx8MQq8lkL5dpntlMrbP3qMVdFGLNH/BNlXr+bJ3/fAR3om40U15Y3t1zub SojVaKzqiqdBDmKBNNQhH35fpkqjGAuIPSlbpCySB+MqSFOUsWiqwDS7zH+s/QFY3uB7 LoaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683770800; x=1686362800; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=t7iPZ+S9lIWU484gy9gFEvIir4SYB7qgUik/l/6/al8=; b=K0JjUcAkCOD57DSKt4CHXCoT9HDVbgUwy3hX7nnGtLtgdOrbfZMhXu+giFpr5vr77G UuETfiMxBgUFqw/DEyCoYGKsNZioCv8e0fDD/CHXwQfbPVBbwUllOre16KO0+voZAf2W TnuloL36tjM2Zp7T3KXJB47Q2XgkEPDPW1ynIrpa9o1W0Zal4TZwjk8YRL3FSS68NhdP jxVLSqiwtbvH/qrpQJb8DyFbRsMGP3ZpI6U5/trUa55d2ER19wuFH+jB0WB/VldlKeVC /1Eq1qB0FYV20/oJ3GqxTHzX+umD6m1FPq2pKmuM4DYz7TaXbOY9GhIVQQY2Hp4spOtH dvPg== X-Gm-Message-State: AC+VfDyRXMlVPiiLnjH0DMFNJTF2r0JJFRQcyEa1rhExnWDXxLYkPdjz HfbWX1zWjkJu8kCnNIcEvOkefTUYwcYxpvzmf2A= X-Received: by 2002:aa7:d659:0:b0:508:14f2:399c with SMTP id v25-20020aa7d659000000b0050814f2399cmr18400597edr.10.1683770800383; Wed, 10 May 2023 19:06:40 -0700 (PDT) MIME-Version: 1.0 References: <20230510122045.2259-1-zegao@tencent.com> <6308b8e0-8a54-e574-a312-0a97cfbf810c@meta.com> <1195c4bd-ef54-2f1d-b079-2a11af42c62f@meta.com> <89159b33-3be4-487b-7647-0cbbd20c233d@meta.com> In-Reply-To: From: Ze Gao Date: Thu, 11 May 2023 10:06:29 +0800 Message-ID: Subject: Re: [PATCH] bpf: reject blacklisted symbols in kprobe_multi to avoid recursive trap To: Yonghong Song Cc: Jiri Olsa , Song Liu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Steven Rostedt , Masami Hiramatsu , Ze Gao , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I just looked through fprobe_handler, it already does the recursion check from the code. So the root cause of the case I mentioned above which triggers kernel crash may be much more complicated than I read from the exception backtrace. It seems more effort is needed to look for a better solution than my initial proposal. I will keep the thread updated if there is any progress anyway. Thanks Ze On Thu, May 11, 2023 at 9:24=E2=80=AFAM Ze Gao wrote: > > Thank yonghong for your sage reviews. > Yes, this is an option I am also considering . I will try this out > later to see if works > > But like you said it's not clear whether kprobe blacklist=3D=3D fprobe bl= acklist. > And also there are cases I need to investigate on, like how to avoid recu= rsions > when kprobes and fprobes are mixed. > > Rejecting symbols kprobe_blacklisted is kinda brute-force yet a straight= way to > avoid kernel crash AFAIK. > > Ze > > On Thu, May 11, 2023 at 7:54=E2=80=AFAM Yonghong Song wrot= e: > > > > > > > > On 5/10/23 1:20 PM, Yonghong Song wrote: > > > > > > > > > On 5/10/23 10:27 AM, Jiri Olsa wrote: > > >> On Wed, May 10, 2023 at 07:13:58AM -0700, Yonghong Song wrote: > > >>> > > >>> > > >>> On 5/10/23 5:20 AM, Ze Gao wrote: > > >>>> BPF_LINK_TYPE_KPROBE_MULTI attaches kprobe programs through fprobe= , > > >>>> however it does not takes those kprobe blacklisted into considerat= ion, > > >>>> which likely introduce recursive traps and blows up stacks. > > >>>> > > >>>> this patch adds simple check and remove those are in kprobe_blackl= ist > > >>>> from one fprobe during bpf_kprobe_multi_link_attach. And also > > >>>> check_kprobe_address_safe is open for more future checks. > > >>>> > > >>>> note that ftrace provides recursion detection mechanism, but for k= probe > > >>>> only, we can directly reject those cases early without turning to > > >>>> ftrace. > > >>>> > > >>>> Signed-off-by: Ze Gao > > >>>> --- > > >>>> kernel/trace/bpf_trace.c | 37 +++++++++++++++++++++++++++++++++= ++++ > > >>>> 1 file changed, 37 insertions(+) > > >>>> > > >>>> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > > >>>> index 9a050e36dc6c..44c68bc06bbd 100644 > > >>>> --- a/kernel/trace/bpf_trace.c > > >>>> +++ b/kernel/trace/bpf_trace.c > > >>>> @@ -2764,6 +2764,37 @@ static int get_modules_for_addrs(struct > > >>>> module ***mods, unsigned long *addrs, u3 > > >>>> return arr.mods_cnt; > > >>>> } > > >>>> +static inline int check_kprobe_address_safe(unsigned long addr) > > >>>> +{ > > >>>> + if (within_kprobe_blacklist(addr)) > > >>>> + return -EINVAL; > > >>>> + else > > >>>> + return 0; > > >>>> +} > > >>>> + > > >>>> +static int check_bpf_kprobe_addrs_safe(unsigned long *addrs, int = num) > > >>>> +{ > > >>>> + int i, cnt; > > >>>> + char symname[KSYM_NAME_LEN]; > > >>>> + > > >>>> + for (i =3D 0; i < num; ++i) { > > >>>> + if (check_kprobe_address_safe((unsigned long)addrs[i])) { > > >>>> + lookup_symbol_name(addrs[i], symname); > > >>>> + pr_warn("bpf_kprobe: %s at %lx is blacklisted\n", > > >>>> symname, addrs[i]); > > >>> > > >>> So user request cannot be fulfilled and a warning is issued and som= e > > >>> of user requests are discarded and the rest is proceeded. Does not > > >>> sound a good idea. > > >>> > > >>> Maybe we should do filtering in user space, e.g., in libbpf, check > > >>> /sys/kernel/debug/kprobes/blacklist and return error > > >>> earlier? bpftrace/libbpf-tools/bcc-tools all do filtering before > > >>> requesting kprobe in the kernel. > > >> > > >> also fprobe uses ftrace drectly without paths in kprobe, so I wonder > > >> some of the kprobe blacklisted functions are actually safe > > > > > > Could you give a pointer about 'some of the kprobe blacklisted > > > functions are actually safe'? > > > > Thanks Jiri for answering my question. it is not clear whether > > kprobe blacklist =3D=3D fprobe blacklist, probably not. > > > > You mentioned: > > note that ftrace provides recursion detection mechanism, > > but for kprobe only > > Maybe the right choice is to improve ftrace to provide recursion > > detection mechanism for fprobe as well? > > > > > > > >> > > >> jirka > > >> > > >>> > > >>>> + /* mark blacklisted symbol for remove */ > > >>>> + addrs[i] =3D 0; > > >>>> + } > > >>>> + } > > >>>> + > > >>>> + /* remove blacklisted symbol from addrs */ > > >>>> + for (i =3D 0, cnt =3D 0; i < num; ++i) { > > >>>> + if (addrs[i]) > > >>>> + addrs[cnt++] =3D addrs[i]; > > >>>> + } > > >>>> + > > >>>> + return cnt; > > >>>> +} > > >>>> + > > >>>> int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, > > >>>> struct bpf_prog *prog) > > >>>> { > > >>>> struct bpf_kprobe_multi_link *link =3D NULL; > > >>>> @@ -2859,6 +2890,12 @@ int bpf_kprobe_multi_link_attach(const unio= n > > >>>> bpf_attr *attr, struct bpf_prog *pr > > >>>> else > > >>>> link->fp.entry_handler =3D kprobe_multi_link_handler; > > >>>> + cnt =3D check_bpf_kprobe_addrs_safe(addrs, cnt); > > >>>> + if (!cnt) { > > >>>> + err =3D -EINVAL; > > >>>> + goto error; > > >>>> + } > > >>>> + > > >>>> link->addrs =3D addrs; > > >>>> link->cookies =3D cookies; > > >>>> link->cnt =3D cnt;