lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 3 May 2019 13:12:34 +0100
From:   Qais Yousef <qais.yousef@....com>
To:     "Joel Fernandes (Google)" <joel@...lfernandes.org>
Cc:     linux-kernel@...r.kernel.org,
        Michal Gregorczyk <michalgr@...e.com>,
        Adrian Ratiu <adrian.ratiu@...labora.com>,
        Mohammad Husain <russoue@...il.com>,
        Srinivas Ramana <sramana@...eaurora.org>,
        duyuchao <yuchao.du@...soc.com>,
        Manjo Raja Rao <linux@...ojrajarao.com>,
        Karim Yaghmour <karim.yaghmour@...rsys.com>,
        Tamir Carmeli <carmeli.tamir@...il.com>,
        Yonghong Song <yhs@...com>,
        Alexei Starovoitov <ast@...nel.org>,
        Brendan Gregg <brendan.d.gregg@...il.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Peter Ziljstra <peterz@...radead.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Kees Cook <keescook@...omium.org>, kernel-team@...roid.com,
        Daniel Borkmann <daniel@...earbox.net>,
        Ingo Molnar <mingo@...hat.com>, netdev@...r.kernel.org
Subject: Re: [PATCH RFC] bpf: Add support for reading user pointers

Hi Joel

On 05/02/19 16:49, Joel Fernandes (Google) wrote:
> The eBPF based opensnoop tool fails to read the file path string passed
> to the do_sys_open function. This is because it is a pointer to
> userspace address and causes an -EFAULT when read with
> probe_kernel_read. This is not an issue when running the tool on x86 but
> is an issue on arm64. This patch adds a new bpf function call based

I just did an experiment and if I use Android 4.9 kernel I indeed fail to see
PATH info when running opensnoop. But if I run on 5.1-rc7 opensnoop behaves
correctly on arm64.

My guess either a limitation that was fixed on later kernel versions or Android
kernel has some strict option/modifications that make this fail?




root@...ldroot:/# uname -a
Linux buildroot 5.1.0-rc7-00164-ga00214620959-dirty #41 SMP PREEMPT Thu May 2 16:33:00 BST 2019 aarch64 GNU/Linux
root@...ldroot:/# opensnoop
PID    COMM               FD ERR PATH
5180   default.script     -1   2 /etc/ld.so.cache
5180   default.script     -1   2 /lib/tls/v8l/neon/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/tls/v8l/neon/libresolv.so.2
5180   default.script     -1   2 /lib/tls/v8l/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/tls/v8l/libresolv.so.2
5180   default.script     -1   2 /lib/tls/neon/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/tls/neon/libresolv.so.2
5180   default.script     -1   2 /lib/tls/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/tls/libresolv.so.2
5180   default.script     -1   2 /lib/v8l/neon/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/v8l/neon/libresolv.so.2
5180   default.script     -1   2 /lib/v8l/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/v8l/libresolv.so.2
5180   default.script     -1   2 /lib/neon/vfp/libresolv.so.2
5180   default.script     -1   2 /lib/neon/libresolv.so.2
5180   default.script     -1   2 /lib/vfp/libresolv.so.2
5180   default.script      3   0 /lib/libresolv.so.2
5180   default.script      3   0 /lib/libc.so.6
5180   default.script      3   0 /usr/share/udhcpc/default.script
5180   default.script      3   0 /usr/share/udhcpc/default.script.d/




--
Qais Yousef

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ