lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 03 Sep 2013 14:09:07 +0530
From:	Janani Venkataraman <jananive@...ux.vnet.ibm.com>
To:	linux-kernel@...r.kernel.org
CC:	Jeremy Fitzhardinge <jeremy.fitzhardinge@...rix.com>,
	Daisuke HATAYAMA <d.hatayama@...fujitsu.com>,
	Andi Kleen <andi@...stfloor.org>,
	Roland McGrath <roland@...k.frob.com>,
	Amerigo Wang <amwang@...hat.com>,
	Christoph Hellwig <hch@....de>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Masami Hiramatsu <mhiramat@...hat.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Alexey Dobriyan <adobriyan@...il.com>, xemul@...allels.com,
	Oleg Nesterov <oleg@...hat.com>, Tejun Heo <tj@...nel.org>,
	avagin@...nvz.org, gorcunov@...nvz.org,
	James Hogan <james.hogan@...tec.com>,
	Mike Frysinger <vapier@...too.org>,
	"Randy.Dunlap" <rdunlap@...otime.net>,
	Eric Paris <eparis@...hat.com>, ananth@...ibm.com,
	suzuki@...ibm.com, aravinda@...ux.vnet.ibm.com,
	tarundeep.singh@...ibm.com
Subject: RFD: Non-Disruptive Core Dump Infrastructure

Hello,

We are working on an infrastructure to create a system core file of a specific 
process at run-time, non-disruptively. It can also be extended to a case where 
a process is able to take a self-core dump. 

gcore, an existing utility creates a core image of the specified process. It
attaches to the process using gdb and runs the gdb gcore command and then 
detaches. In gcore the dump cannot be issued from a signal handler context as
fork() is not signal safe and moreover it is disruptive in nature as the gdb 
attaches using ptrace which sends a SIGSTOP signal. Hence the gcore method 
cannot be used if the process wants to initiate a self dump. 

Previously the non-disruptive dump was tried with the Utrace approach [1]. 
First, all the threads would be assembled at a common place and quiesced using
UTRACE_INTERRUPT. Then the core dump would be triggered upon receiving the 
event, indicating that the last thread of the process has quiesced, from its 
quiesce callback. After several reviews and discussions, the Linux community 
decided not to accept this proposal and has not pushed it upstream due to 
various dependencies and potential risk of breaking existing implementations.
Hence the UTRACE approach is not being pursued. Also Roland had mentioned that
even if the approach worked smoothly,the pause could be a significant 
perturbation [2].

Another approach was using the Freezer subsystem[3]. The freezer functions in 
kernel essentially help start and stop sets of tasks and this approach 
exploited the existing freezer subsystem kernel interface effectively to 
quiesce all the threads of the application before triggering the core dump. 
This approach was not accepted due to the potential Dos attack. Also the 
community discussed that "freeze" is a bit dangerous because an application
which is frozen cannot be ended and while it's frozen and there is no 
information "its frozen" via usual user commands as 'ps' or 'top'.

So ideally what we are trying to do is to export the infrastructure using 
/proc/pid/core. Reading the file would give an ELF Format core-dump at that 
instant non-disruptively,without killing the process.

This would involve basically three operations:

1) Holding the threads of a process without sending a signal (SIGSTOP). At this 
point we can collect the register set snapshot and collect other information 
required to  create the ELF header. The above operation could be initiated with
the open() call.
2) Once the ELF header is created, read() can return the CORE DUMP data 
including, the process memory page-by-page, based on the fpos (file position).
3) The threads could be released upon a close().

So the sub-problem here would be "How to hold these threads,collect the data
and release them non-disruptively?" in order to take a consistent dump.

As Roland had mentioned we could have a user option of having a minimal dump or
a full dump. The minimal dump can get a full register snapshot of the threads 
running in user mode, and as much information as possible for those threads 
that are blocked. Wheres a full dump can additionally get a memory dump as well.

If we provide the user a way to abort the operation, say keeping the threads in
an interruptible state, we should be able to prevent the doS attack which was 
present in the method using the Freezer subsystem. For example we can send a 
signal to the process and it should abort the dump operation and release the 
threads. 

We have analyzed the following options and we would like to know what people 
think is the best or if there are any other mechanisms to perform the operation,
we would be happy to look at it.

1) Task work add 

task_work_add() is an interface and an API. The task work add will run any 
queued work before returning to user space from the kernel. So that work is 
guaranteed to be done before user space can run again. 

* Exploit this function to hold the threads when they are returning to the 
user space.
* Wait until all the threads of the process to be dumped, reach task_work_add.
* Once all the threads have reached, the dump is taken and they are released.

Disadvantage :
* A thread which is blocked in kernel space,would not return to user space soon
and hence wouldn't be trapped in the task_work_add function 
* The dump may be delayed as the other threads would be waiting for this 
specific blocked thread to reach.

Solution:
* A way to solve this problem is to make the other threads that are waiting, 
wait for a fixed time for the blocked thread and then just create a pt_note 
with zeroes to indicate the presence of the blocked thread.

2) CRIU Approach :

This makes use of the CRIU tool and checkpoints when a dump is called, collects 
the required details and continues the running process.
* A self dump cannot be initiated using the command line CRIU which is similar 
to the limitation of gcore.
* A system call to do the same is being implemented which would help us create 
a self dump.The system call is not upstream yet. We could explore that option as
well.

3) PTRACE (SEIZE + INTERRUPT) via kernel thread

In this approach, a kernel thread will play the role of seizing and registering
the states of the threads of the process to be dumped. We could make use of the 
PTRACE_SEIZE + PTRACE_INTERRUPT within the open() to stop the threads without 
SIGSTOP. However during self dump, we cannot make use of the PTRACE_SEIZE as a 
self seize isn't permitted. One option is to offload this to a kernel thread 
and let it capture the information. Once it is complete,the caller may be 
released, so that it could continue with the dump.

* The open call reaches the kernel space during a self dump, a kernel thread
is spawned to seize all the threads of the process including the caller (the 
process that called open) using a PTRACE_SEIZE.
* A PTRACE_INTERRUPT is issued and the required information is collected.
* On a self-dump, the kernel thread releases the caller, so that it can proceed 
with the dumping.


APPENDIX: 

[1] http://www.redhat.com/archives/utrace-devel/2009-July/msg00149.html 
[2] http://www.redhat.com/archives/utrace-devel/2009-August/msg00006.html  
[3] http://lwn.net/Articles/419756// 

Thanking You.
With Regards,
Janani Venkataraman


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ