lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 23 Mar 2015 11:12:53 +0100
From:	Petr Mladek <pmladek@...e.cz>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	"David S. Miller" <davem@...emloft.net>,
	Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
	Ananth NMavinakayanahalli <ananth@...ibm.com>,
	Frederic Weisbecker <fweisbec@...il.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Ingo Molnar <mingo@...hat.com>, Jiri Kosina <jkosina@...e.cz>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] kprobes: Disable Kprobe when ftrace arming fails

On Mon 2015-03-23 09:54:26, Ingo Molnar wrote:
> 
> * Petr Mladek <pmladek@...e.cz> wrote:
> 
> > arm_kprobe_ftrace() could fail, especially after introducing ftrace 
> > IPMODIFY flag and LifePatching. But this situation is not properly 
> > handled.
> 
> s/LifePatching/LivePatching?

Great catch! This is well hidden typo. Please, find the fixed version
below.


> Why not fix live patching to still allow kprobes that worked before?

Yup, Kretprobes would work out of box. Masami is working on removing
the conflict there.

Jprobes are doable but the solution would be rather complicated.
LivePatching would need to tell Jprobe the right address where to
continue (according to the universe). We currently solve this by
the conflict. I am not sure if a better solution is worth the effort.
IMHO, LivePatch users won't want to have Kprobes on a production
system all the time. They could use Kprobe or attach Jprobe to the
new version of the function when needed.

Kprobes are basically impossible to keep if they are attached inside
the patched function. We would need to disassemble the code and guess
the location. Instead, we are going to print warning when a Kprobe
will get ignored.


Below is the patch with the fixed typo.


>From 1cc3e6f44462bdad651bdd75c87a5c7ed884bec5 Mon Sep 17 00:00:00 2001
From: Petr Mladek <pmladek@...e.cz>
Date: Fri, 6 Feb 2015 17:46:20 +0100
Subject: [PATCH v3] kprobes: Disable Kprobe when ftrace arming fails

arm_kprobe_ftrace() could fail, especially after introducing ftrace IPMODIFY
flag and LivePatching. But this situation is not properly handled.
This patch adds the most important changes.

First, it does not make sense to register "kprobe_ftrace_ops" if the filter was
not set.

Second, we should remove the filter if the registration of "kprobe_ftrace_ops"
fails. The failure might be caused by conflict between the Kprobe and
a life patch via the IPMODIFY flag. If we remove the filter, we will allow
to register "kprobe_ftrace_ops" for another non-conflicting Kprobe later.

Third, we need to make sure that "kprobe_ftrace_enabled" is incremented only
when "kprobe_ftrace_ops" is successfully registered. Otherwise, another
Kprobe will not try to register it again. Note that we could move the
manipulation with this counter because it is accessed only under "kprobe_mutex".

Four, we should mark the probe as disabled if the ftrace stuff is not usable.
It will be the correct status. Also it will prevent the unregistration code
from producing another failure.

It looks more safe to disable the Kprobe directly in "kprobe_ftrace_ops". Note
that we need to disable also all listed Kprobes in case of an aggregated probe.
It would be enough to disable only the new one but we do not know which one it
was. They should be in sync anyway.

Signed-off-by: Petr Mladek <pmladek@...e.cz>
Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
---
Changes in v3:

  + added brackets for complex if-statement (Steven)

Changes in v2:

  + sent the patch separately
  + added Acked-by Masami

 kernel/kprobes.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index c90e417bb963..94bd06f57538 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -932,15 +932,33 @@ static int prepare_kprobe(struct kprobe *p)
 /* Caller must lock kprobe_mutex */
 static void arm_kprobe_ftrace(struct kprobe *p)
 {
+	struct kprobe *kp;
 	int ret;
 
 	ret = ftrace_set_filter_ip(&kprobe_ftrace_ops,
 				   (unsigned long)p->addr, 0, 0);
-	WARN(ret < 0, "Failed to arm kprobe-ftrace at %p (%d)\n", p->addr, ret);
-	kprobe_ftrace_enabled++;
-	if (kprobe_ftrace_enabled == 1) {
+	if (WARN(ret < 0,
+		 "Failed to arm kprobe-ftrace at %p (%d). The kprobe gets disabled.\n",
+		 p->addr, ret))
+		goto err_filter;
+
+	if (!kprobe_ftrace_enabled) {
 		ret = register_ftrace_function(&kprobe_ftrace_ops);
-		WARN(ret < 0, "Failed to init kprobe-ftrace (%d)\n", ret);
+		if (WARN(ret < 0,
+			 "Failed to init kprobe-ftrace (%d). The probe at %p gets disabled\n",
+			 ret, p->addr))
+			goto err_function;
+	}
+	kprobe_ftrace_enabled++;
+	return;
+
+err_function:
+	ftrace_set_filter_ip(&kprobe_ftrace_ops, (unsigned long)p->addr, 1, 0);
+err_filter:
+	p->flags |= KPROBE_FLAG_DISABLED;
+	if (kprobe_aggrprobe(p)) {
+		list_for_each_entry_rcu(kp, &p->list, list)
+			kp->flags |= KPROBE_FLAG_DISABLED;
 	}
 }
 
-- 
1.8.5.6

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ