lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 20 Dec 2017 09:33:13 -0800
From:   Alexei Starovoitov <ast@...com>
To:     Masami Hiramatsu <mhiramat@...nel.org>,
        Josef Bacik <josef@...icpanda.com>
CC:     <rostedt@...dmis.org>, <mingo@...hat.com>, <davem@...emloft.net>,
        <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <ast@...nel.org>, <kernel-team@...com>, <daniel@...earbox.net>,
        <linux-btrfs@...r.kernel.org>, <darrick.wong@...cle.com>,
        Josef Bacik <jbacik@...com>
Subject: Re: [PATCH v10 1/5] add infrastructure for tagging functions as error
 injectable

On 12/20/17 3:00 AM, Masami Hiramatsu wrote:
> On Fri, 15 Dec 2017 14:12:52 -0500
> Josef Bacik <josef@...icpanda.com> wrote:
>
>> From: Josef Bacik <jbacik@...com>
>>
>> Using BPF we can override kprob'ed functions and return arbitrary
>> values.  Obviously this can be a bit unsafe, so make this feature opt-in
>> for functions.  Simply tag a function with KPROBE_ERROR_INJECT_SYMBOL in
>> order to give BPF access to that function for error injection purposes.
>>
>> Signed-off-by: Josef Bacik <jbacik@...com>
>> Acked-by: Ingo Molnar <mingo@...nel.org>
>> ---
>>  include/asm-generic/vmlinux.lds.h |  10 +++
>>  include/linux/bpf.h               |  11 +++
>>  include/linux/kprobes.h           |   1 +
>>  include/linux/module.h            |   5 ++
>>  kernel/kprobes.c                  | 163 ++++++++++++++++++++++++++++++++++++++
>>  kernel/module.c                   |   6 +-
>>  6 files changed, 195 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
>> index ee8b707d9fa9..a2e8582d094a 100644
>> --- a/include/asm-generic/vmlinux.lds.h
>> +++ b/include/asm-generic/vmlinux.lds.h
>> @@ -136,6 +136,15 @@
>>  #define KPROBE_BLACKLIST()
>>  #endif
>>
>> +#ifdef CONFIG_BPF_KPROBE_OVERRIDE
>> +#define ERROR_INJECT_LIST()	. = ALIGN(8);						\
>> +				VMLINUX_SYMBOL(__start_kprobe_error_inject_list) = .;	\
>> +				KEEP(*(_kprobe_error_inject_list))			\
>> +				VMLINUX_SYMBOL(__stop_kprobe_error_inject_list) = .;
>> +#else
>> +#define ERROR_INJECT_LIST()
>> +#endif
>> +
>>  #ifdef CONFIG_EVENT_TRACING
>>  #define FTRACE_EVENTS()	. = ALIGN(8);					\
>>  			VMLINUX_SYMBOL(__start_ftrace_events) = .;	\
>> @@ -564,6 +573,7 @@
>>  	FTRACE_EVENTS()							\
>>  	TRACE_SYSCALLS()						\
>>  	KPROBE_BLACKLIST()						\
>> +	ERROR_INJECT_LIST()						\
>>  	MEM_DISCARD(init.rodata)					\
>>  	CLK_OF_TABLES()							\
>>  	RESERVEDMEM_OF_TABLES()						\
>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>> index e55e4255a210..7f4d2a953173 100644
>> --- a/include/linux/bpf.h
>> +++ b/include/linux/bpf.h
>> @@ -576,4 +576,15 @@ extern const struct bpf_func_proto bpf_sock_map_update_proto;
>>  void bpf_user_rnd_init_once(void);
>>  u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);
>>
>> +#if defined(__KERNEL__) && !defined(__ASSEMBLY__)
>> +#ifdef CONFIG_BPF_KPROBE_OVERRIDE
>> +#define BPF_ALLOW_ERROR_INJECTION(fname)				\
>> +static unsigned long __used						\
>> +	__attribute__((__section__("_kprobe_error_inject_list")))	\
>> +	_eil_addr_##fname = (unsigned long)fname;
>> +#else
>> +#define BPF_ALLOW_ERROR_INJECTION(fname)
>> +#endif
>> +#endif
>
> This part shows this feature belongs to bpf, if it is a part of kprobes,
> it should be defined in include/asm-generic/kprobes.h as NOKPROBE_SYMBOL
> does.
>
> Why this is defined in BPF, but list is under kprobes?

because Ingo specifically requested that macro that marks the function
will be in bpf.h, so any .c file that starts adding such marks will
include that file instead of pulling stuff from kprobe.

>
> So there is no direct relationship with kprobe.
> For example, kprobe user modules can OVERRIDE any functions.
> And there is no generic error injection code in the kernel
> except for the bpf currently.

_currently_ is key word.

> Of course, I can accept this code if you accept that I make a
> generic error injection code on ftrace without BPF.

what stops other pieces of kernel to use the same technique?
The bpf verifier coupled together with opt-in
per-function marks via BPF_ALLOW_ERROR_INJECTION
give _safe_ way to do error injection.

I can imagine how you can hack kprobe text based interface to
use the same technique, but I suggest to wait and see how we
build on it in bpf land before replicating things in
pure kprobe land.

Powered by blists - more mailing lists