lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <e74318e0-0cdf-e55d-bf06-b481541e2697@linux.vnet.ibm.com>
Date:   Mon, 12 Feb 2018 18:46:06 +0530
From:   Ravi Bangoria <ravi.bangoria@...ux.vnet.ibm.com>
To:     Oleg Nesterov <oleg@...hat.com>
Cc:     Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
        "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>,
        ananth@...ux.vnet.ibm.com, lkml <linux-kernel@...r.kernel.org>
Subject: Uprobe: Bug(?) when probing small binaries

Hi Oleg,

I'm observing a bug in the uprobe infrastructure. When target binary
is quite small, uprobe replaces 'trap' instruction at two different
places. Ex,

Simple test.c that loops for 100 seconds:

    void main()
    {
        int i = 0;
   
        while (i++ != 100) {
            printf("hi: %d", i);
            sleep(1);
        }
    }

Add a probe on function main() in test.c

  $ perf probe -x ./a.out main
    Added new event:
      probe_a:main          (on main in /home/ravi/a.out)

Start the target program and pause it.

  $ gdb --args ./a.out
    (gdb) r
    main: 1
    main: 2
    ^C

  (gdb) disassemble main
       0x000000001000069c <+8>:    mflr    r0
 
  (gdb) x/w 0x1001069c
    0x1001069c:    2080899750

Now enable the probe:

  # echo 1 > events/probe_a/main/enable

Check probed instruction:

  (gdb) disassemble main
       0x000000001000069c <+8>:    trap

*Bug*:

  (gdb) x/w 0x1001069c
    0x1001069c:  2145386504

In short, when it replaces the probe instruction, it does some corruption
in the readonly vma. This seems to be a bug.

How did I get the other address 0x1001069c?I found build_map_info()
returns these two vmas for the single probe:

  10000000-10010000 r-xp 00000000 08:05 67325595   /home/ravi/a.out
  10010000-10020000 r--p 00000000 08:05 67325595   /home/ravi/a.out

and thusregister_for_each_vmas() calls install_breakpoint() on both of
thesevmas with different vaddr.

The example is on powerpc but same issue is observed on x86 as well. As,
the code is common, it should be reproducible on every architecture.

Also, I don't observe this issue for bigger binaries (maybe for those
whose vma spans across multiple pages).

Thanks,
Ravi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ