Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp9826247rwr; Thu, 11 May 2023 23:03:27 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7PhXDqLd9Ex7wNS1scfnd67pFQnh9ZfNPO4yO3C88uu7OPV9h7r1lhtU7Iwgg3/8VC7w5o X-Received: by 2002:a05:6a20:a5a8:b0:d9:adc3:6a71 with SMTP id bc40-20020a056a20a5a800b000d9adc36a71mr23766630pzb.1.1683871406842; Thu, 11 May 2023 23:03:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683871406; cv=none; d=google.com; s=arc-20160816; b=fCG67/U7B2lA3wmbEqQArRAMXmtytoQS8Y3MIFyckkRwzFl7Z1NMssTeRUN5WPY7ah 3kZQmnfVe2zEYYk6hXHGCypzfGpqqCT/NiNWapVjPY38x/8uH/YpI1zwJskuyGm7wICg wFF5kDLNUS1VgdpQhobEUbdEsRUcnhc9PcpxaZZ+zhUVx5ZF6xli+mTnLqttMkvEmpqr Kv9CukSNSKTr6S0YGCfVyTj4CHKuE/WjPYuFpktoKACguyy4raaaqjWHshpG8V4rd3z+ i1rLFcxEyKec1N1/AvT/YNAFPT7aAwVL+dGPT1AvPfj3Ub5gxfScN68EyuYPQjve538L BJ3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=zxEocq0cfbYqCnvqhVYRjwnXYTxjRtW9m6JsKrCrFjQ=; b=QCtGOTXsKcTKsM+xq6i3Dw8ZUYLCt4GaeiOu/5B/ZMNhgZMgLWutk2MuP9/1JaEe4W jakNVTgSislfrJDdRMVzNzR5A9ehB2w3KtKf1bqS5dgNLUxgMOUctpp2AleZ60qrj1Yz O+uAffs5FngcejABnZMGD/yLuxW92xmZSFjepb6YBrndFZwqqwKepWLYxBKX67Tt2kHI /HJr/WxmyLYZQ6BjSBWTj5L/1DWGlBSz+qqPeFsYP0uewgsCXdIan1JY2mQrXA/HKudH F2Jy6OFDwVVTLghH7z8uaLu4I02mZrSSOdl6deiZZR2OUplHWJLQh/YOUEqVD/sab/9f HM9w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=brIEtQei; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c19-20020a637253000000b004fc39adf481si9050385pgn.381.2023.05.11.23.03.13; Thu, 11 May 2023 23:03:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=brIEtQei; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239934AbjELFxY (ORCPT + 99 others); Fri, 12 May 2023 01:53:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239603AbjELFxW (ORCPT ); Fri, 12 May 2023 01:53:22 -0400 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A6CB30E1; Thu, 11 May 2023 22:53:21 -0700 (PDT) Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-50bc4ba28cbso16829188a12.0; Thu, 11 May 2023 22:53:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683870800; x=1686462800; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=zxEocq0cfbYqCnvqhVYRjwnXYTxjRtW9m6JsKrCrFjQ=; b=brIEtQeiBhOcopDhT/dmPSOsg8BwWq0rrYoH3l62MzdBqpGWO1YOtQ252k+4PnaIH/ RjuoYyyi+cqmj7otFmPpRIx//Oz8yLLfoBe9RwC6a8BnQ+KYG0CqElWKfLuMa6cHw0fG WEVRhrfiwTnxtNYxz3BBVC2/dE29DSmpdQwmL9pJm5qbXIVC+YQhX1D4KUngrIA9u1bK /nkwJ6459gqfHyhYrOFbQ16vrGtjnjgNFzLgLkVoRhRvRwb6o9q/R5882wOXRxPhnP+u Wg/OIsFjRfbL5r8Il93oFcpV9oYjpIWu5w3Ysptvk4jFMmprBh+T5B8zIKiU5HQxnXgN +j6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683870800; x=1686462800; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zxEocq0cfbYqCnvqhVYRjwnXYTxjRtW9m6JsKrCrFjQ=; b=ht9UYXWHNn5friLaUg4wbY25AsNbnEfVwOduo4QfhZZ9lLSNA/Pu7Lld9pIU5S+FVM kgpFy8eKtR/fqlW/HmU74l1oUXkjhFX9UpRV5bZSSQjBMFZUDrc2RYu4ZcdlRdpc499C fcHxVekctKAyuJNxI5VQrhinKJyaU+9zXdAqODhaatuLCgJZVdUoCXEEW5vkZDx1iHHx keUHiNmkSSBivkPyYsd0bXnYGNy294b9oGHvlShAaFucW+EXSD25e9Z5cnICtQUrRkuc McxLdAN37J36XzWfRfS5iRnaxgawoYnz+7mGMszquGJlGM0CgpMNdusRkoknRkaqGapt XliA== X-Gm-Message-State: AC+VfDx2Km/VJ0DhtkIVQImnW133/ET6ztdgBMFN2bAjWccQaEYB200s Yttabku+b2AD7px1yDkL6sOOmPZj2fPA6+cZDI5cXKWU4f9xfQ== X-Received: by 2002:aa7:c546:0:b0:4be:b39b:ea8f with SMTP id s6-20020aa7c546000000b004beb39bea8fmr17653998edr.2.1683870799671; Thu, 11 May 2023 22:53:19 -0700 (PDT) MIME-Version: 1.0 References: <20230510122045.2259-1-zegao@tencent.com> <6308b8e0-8a54-e574-a312-0a97cfbf810c@meta.com> In-Reply-To: From: Ze Gao Date: Fri, 12 May 2023 13:53:08 +0800 Message-ID: Subject: Re: [PATCH] bpf: reject blacklisted symbols in kprobe_multi to avoid recursive trap To: Jiri Olsa Cc: Yonghong Song , Song Liu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Steven Rostedt , Masami Hiramatsu , Ze Gao , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Yes, Jiri. Thanks for pointing it out. It's true that not all probe blacklisted functions should be banned from bpf_kprobe. I tried some of them, and all kprobe blacklisted symbols I hooked works fine except preempt_count_{sub, add}. so the takeaway here is preempt_cout_{sub, add} must be rejected at least for now since kprobe_multi_link_prog_run ( i.e., the fprobe handler) and rethook_trampoline_handler( i.e. the rethook handler) calls preempt_cout_{sub, add}. I'm considering providing a general fprobe_blacklist framework just like what kprobe does to allow others to mark functions used inside fprobe handler or rethook handler as NOFPROBE to avoid potential stack recursion. But only after I figure out how ftrace handles recursion problems currently and why it fails in the case I ran into. Thanks Ze On Thu, May 11, 2023 at 1:28=E2=80=AFAM Jiri Olsa wrot= e: > > On Wed, May 10, 2023 at 07:13:58AM -0700, Yonghong Song wrote: > > > > > > On 5/10/23 5:20 AM, Ze Gao wrote: > > > BPF_LINK_TYPE_KPROBE_MULTI attaches kprobe programs through fprobe, > > > however it does not takes those kprobe blacklisted into consideration= , > > > which likely introduce recursive traps and blows up stacks. > > > > > > this patch adds simple check and remove those are in kprobe_blacklist > > > from one fprobe during bpf_kprobe_multi_link_attach. And also > > > check_kprobe_address_safe is open for more future checks. > > > > > > note that ftrace provides recursion detection mechanism, but for kpro= be > > > only, we can directly reject those cases early without turning to ftr= ace. > > > > > > Signed-off-by: Ze Gao > > > --- > > > kernel/trace/bpf_trace.c | 37 +++++++++++++++++++++++++++++++++++++ > > > 1 file changed, 37 insertions(+) > > > > > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > > > index 9a050e36dc6c..44c68bc06bbd 100644 > > > --- a/kernel/trace/bpf_trace.c > > > +++ b/kernel/trace/bpf_trace.c > > > @@ -2764,6 +2764,37 @@ static int get_modules_for_addrs(struct module= ***mods, unsigned long *addrs, u3 > > > return arr.mods_cnt; > > > } > > > +static inline int check_kprobe_address_safe(unsigned long addr) > > > +{ > > > + if (within_kprobe_blacklist(addr)) > > > + return -EINVAL; > > > + else > > > + return 0; > > > +} > > > + > > > +static int check_bpf_kprobe_addrs_safe(unsigned long *addrs, int num= ) > > > +{ > > > + int i, cnt; > > > + char symname[KSYM_NAME_LEN]; > > > + > > > + for (i =3D 0; i < num; ++i) { > > > + if (check_kprobe_address_safe((unsigned long)addrs[i])) { > > > + lookup_symbol_name(addrs[i], symname); > > > + pr_warn("bpf_kprobe: %s at %lx is blacklisted\n",= symname, addrs[i]); > > > > So user request cannot be fulfilled and a warning is issued and some > > of user requests are discarded and the rest is proceeded. Does not > > sound a good idea. > > > > Maybe we should do filtering in user space, e.g., in libbpf, check > > /sys/kernel/debug/kprobes/blacklist and return error > > earlier? bpftrace/libbpf-tools/bcc-tools all do filtering before > > requesting kprobe in the kernel. > > also fprobe uses ftrace drectly without paths in kprobe, so I wonder > some of the kprobe blacklisted functions are actually safe > > jirka > > > > > > + /* mark blacklisted symbol for remove */ > > > + addrs[i] =3D 0; > > > + } > > > + } > > > + > > > + /* remove blacklisted symbol from addrs */ > > > + for (i =3D 0, cnt =3D 0; i < num; ++i) { > > > + if (addrs[i]) > > > + addrs[cnt++] =3D addrs[i]; > > > + } > > > + > > > + return cnt; > > > +} > > > + > > > int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct= bpf_prog *prog) > > > { > > > struct bpf_kprobe_multi_link *link =3D NULL; > > > @@ -2859,6 +2890,12 @@ int bpf_kprobe_multi_link_attach(const union b= pf_attr *attr, struct bpf_prog *pr > > > else > > > link->fp.entry_handler =3D kprobe_multi_link_handler; > > > + cnt =3D check_bpf_kprobe_addrs_safe(addrs, cnt); > > > + if (!cnt) { > > > + err =3D -EINVAL; > > > + goto error; > > > + } > > > + > > > link->addrs =3D addrs; > > > link->cookies =3D cookies; > > > link->cnt =3D cnt;