| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190502204958.7868-1-joel@joelfernandes.org>
Date: Thu, 2 May 2019 16:49:58 -0400
From: "Joel Fernandes (Google)" <joel@...lfernandes.org>
To: linux-kernel@...r.kernel.org
Cc: "Joel Fernandes (Google)" <joel@...lfernandes.org>,
Michal Gregorczyk <michalgr@...e.com>,
Adrian Ratiu <adrian.ratiu@...labora.com>,
Mohammad Husain <russoue@...il.com>,
Qais Yousef <qais.yousef@....com>,
Srinivas Ramana <sramana@...eaurora.org>,
duyuchao <yuchao.du@...soc.com>,
Manjo Raja Rao <linux@...ojrajarao.com>,
Karim Yaghmour <karim.yaghmour@...rsys.com>,
Tamir Carmeli <carmeli.tamir@...il.com>,
Yonghong Song <yhs@...com>,
Alexei Starovoitov <ast@...nel.org>,
Brendan Gregg <brendan.d.gregg@...il.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Peter Ziljstra <peterz@...radead.org>,
Steven Rostedt <rostedt@...dmis.org>,
Kees Cook <keescook@...omium.org>, kernel-team@...roid.com,
Daniel Borkmann <daniel@...earbox.net>,
Ingo Molnar <mingo@...hat.com>, netdev@...r.kernel.org
Subject: [PATCH RFC] bpf: Add support for reading user pointers
The eBPF based opensnoop tool fails to read the file path string passed
to the do_sys_open function. This is because it is a pointer to
userspace address and causes an -EFAULT when read with
probe_kernel_read. This is not an issue when running the tool on x86 but
is an issue on arm64. This patch adds a new bpf function call based
which calls the recently proposed probe_user_read function [1].
Using this function call from opensnoop fixes the issue on arm64.
[1] https://lore.kernel.org/patchwork/patch/1051588/
Cc: Michal Gregorczyk <michalgr@...e.com>
Cc: Adrian Ratiu <adrian.ratiu@...labora.com>
Cc: Mohammad Husain <russoue@...il.com>
Cc: Qais Yousef <qais.yousef@....com>
Cc: Srinivas Ramana <sramana@...eaurora.org>
Cc: duyuchao <yuchao.du@...soc.com>
Cc: Manjo Raja Rao <linux@...ojrajarao.com>
Cc: Karim Yaghmour <karim.yaghmour@...rsys.com>
Cc: Tamir Carmeli <carmeli.tamir@...il.com>
Cc: Yonghong Song <yhs@...com>
Cc: Alexei Starovoitov <ast@...nel.org>
Cc: Brendan Gregg <brendan.d.gregg@...il.com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Peter Ziljstra <peterz@...radead.org>
Cc: Steven Rostedt <rostedt@...dmis.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: kernel-team@...roid.com
Signed-off-by: Joel Fernandes (Google) <joel@...lfernandes.org>
---
include/uapi/linux/bpf.h | 7 ++++++-
kernel/trace/bpf_trace.c | 22 ++++++++++++++++++++++
tools/include/uapi/linux/bpf.h | 7 ++++++-
3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index e99e3e6f8b37..6fec701eaa46 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -539,6 +539,10 @@ union bpf_attr {
* @mode: operation mode (enum bpf_adj_room_mode)
* @flags: reserved for future use
* Return: 0 on success or negative error code
+ *
+ * int bpf_probe_read_user(void *dst, int size, void *src)
+ * Read a userspace pointer safely.
+ * Return: 0 on success or negative error
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -591,7 +595,8 @@ union bpf_attr {
FN(get_socket_uid), \
FN(set_hash), \
FN(setsockopt), \
- FN(skb_adjust_room),
+ FN(skb_adjust_room), \
+ FN(probe_read_user),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index dc498b605d5d..1e1a11d9faa8 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -81,6 +81,26 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
.arg3_type = ARG_ANYTHING,
};
+BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, const void *, unsafe_ptr)
+{
+ int ret;
+
+ ret = probe_user_read(dst, unsafe_ptr, size);
+ if (unlikely(ret < 0))
+ memset(dst, 0, size);
+
+ return ret;
+}
+
+static const struct bpf_func_proto bpf_probe_read_user_proto = {
+ .func = bpf_probe_read_user,
+ .gpl_only = true,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_UNINIT_MEM,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_ANYTHING,
+};
+
BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
u32, size)
{
@@ -459,6 +479,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id)
return &bpf_map_delete_elem_proto;
case BPF_FUNC_probe_read:
return &bpf_probe_read_proto;
+ case BPF_FUNC_probe_read_user:
+ return &bpf_probe_read_user_proto;
case BPF_FUNC_ktime_get_ns:
return &bpf_ktime_get_ns_proto;
case BPF_FUNC_tail_call:
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index e99e3e6f8b37..6fec701eaa46 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -539,6 +539,10 @@ union bpf_attr {
* @mode: operation mode (enum bpf_adj_room_mode)
* @flags: reserved for future use
* Return: 0 on success or negative error code
+ *
+ * int bpf_probe_read_user(void *dst, int size, void *src)
+ * Read a userspace pointer safely.
+ * Return: 0 on success or negative error
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -591,7 +595,8 @@ union bpf_attr {
FN(get_socket_uid), \
FN(set_hash), \
FN(setsockopt), \
- FN(skb_adjust_room),
+ FN(skb_adjust_room), \
+ FN(probe_read_user),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
--
2.21.0.593.g511ec345e18-goog
Powered by blists - more mailing lists