lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <559A93BB.7090007@redhat.com>
Date:	Mon, 6 Jul 2015 10:42:03 -0400
From:	William Cohen <wcohen@...hat.com>
To:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	Will Deacon <will.deacon@....com>,
	Pratyush Anand <panand@...hat.com>
Cc:	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	"linux@....linux.org.uk" <linux@....linux.org.uk>,
	Catalin Marinas <Catalin.Marinas@....com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"dave.long@...aro.org" <dave.long@...aro.org>,
	"steve.capper@...aro.org" <steve.capper@...aro.org>
Subject: Re: [PATCH 1/2] arm64: Blacklist non-kprobe-able symbols

On 07/06/2015 07:37 AM, Masami Hiramatsu wrote:
> On 2015/07/06 18:03, Will Deacon wrote:
>> On Mon, Jul 06, 2015 at 06:03:21AM +0100, Pratyush Anand wrote:
>>> Add all function symbols which are called from do_debug_exception under
>>> NOKPROBE_SYMBOL, as they can not kprobed.
>>
>> It's a shame this has to be so manual, but I suppose it's done on a
>> best-effort basis to catch broken probe placement.
> 
> Ah, yes. You can use kprobe-tracer in ftrace by feeding all symbols to
> them and enabling it (and pray).

Yes, this approach isn't guaranteed to find problem functions.  There could be problems hidden on conditional paths that are rarely called.  This was observed with the aarch64 kretprobe trampoline handler.  Most times it wouldn't call kfree and everything would run fine.  However, sometimes the kfree which was instrumented for a systemtap test would get called from inside the trampoline handler and trigger a recursive exception.  This is why aarch64 tramopline was rewritten avoid using kprobe.

Is there some tool that can generate a static call graph of the kernel?  Maybe use the output of that to get more complete list of which functions should be off limits for kprobes.  One complication is that some tools might not analyze functions written in assembly and miss some possible function calls.

-Will Cohen
   
> 
> 
>> If we miss a function and somebody probes it, do we just get stuck in a
>> recursive exception, or could we print something suggesting that a symbol
>> be annotated as NOKPROBE?
> 
> For some cases we can detect recursion, but usually, it may reset
> itself or infinite recursion loop before detecting it. :(
> 
> Thank you,
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ