lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 21 Dec 2020 21:31:42 +0800
From:   "Wangshaobo (bobo)" <>
To:     Masami Hiramatsu <>
CC:     Steven Rostedt <>, <>,
        <>, <>,
        <>, <>,
Subject: Re: [PATCH] kretprobe: avoid re-registration of the same kretprobe

Hi steven, Masami,
We have encountered a problem, when we attempted to use steven's suggestion as following,

>>> If you call this here, you must make sure kprobe_addr() is called on rp->kp.
>>> But if kretprobe_blacklist_size == 0, kprobe_addr() is not called before
>>> this check. So it should be in between kprobe_on_func_entry() and
>>> kretprobe_blacklist_size check, like this
>>> 	if (!kprobe_on_func_entry(rp->kp.addr, rp->kp.symbol_name, rp->kp.offset))
>>> 		return -EINVAL;
>>> 	addr = kprobe_addr(&rp->kp);
>>> 	if (IS_ERR(addr))
>>> 		return PTR_ERR(addr);
>>> 	rp->kp.addr = addr;

//there exists no-atomic operation risk, we should not modify any rp->kp's information, not all arch ensure atomic operation here.

>>> 	ret = check_kprobe_rereg(&rp->kp);
>>> 	if (WARN_ON(ret))
>>> 		return ret;
>>>           if (kretprobe_blacklist_size) {
>>> 		for (i = 0; > > +	ret = check_kprobe_rereg(&rp->kp);

it returns failure from register_kprobe() end called by register_kretprobe() when
we registered a kretprobe through .symbol_name at first time(through .addr is OK),
kprobe_addr() called at the begaining of register_kprobe() will recheck and
failed at following place because at this time we symbol_name is not NULL and addr is also.

   static kprobe_opcode_t *_kprobe_addr(const char *symbol_name,
                          unsigned int offset)
          if ((symbol_name && addr) || (!symbol_name && !addr))  //we failed here

So we attempted to move this sentence rp->kp.addr = addr to __get_valid_kprobe() like this to
avoid explict usage of rp->kp.addr = addr in register_kretprobe().

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index dd5821f753e6..ea014779edfe 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1502,10 +1502,15 @@ static kprobe_opcode_t *kprobe_addr(struct kprobe *p)
  static struct kprobe *__get_valid_kprobe(struct kprobe *p)
         struct kprobe *ap, *list_p;
+       void *addr;


-       ap = get_kprobe(p->addr);
+       addr = kprobe_addr(p);
+       if (IS_ERR(addr))
+               return NULL;
+       ap = get_kprobe(addr);
         if (unlikely(!ap))
                 return NULL;

But it also failed when we second time attempted to register a same kretprobe, it is also
becasue symbol_name and addr is not NULL when we used __get_valid_kprobe().

So it seems has no idea expect for modifying _kprobe_addr() like following this, the reason is that
the patch 0bd476e6c671 ("kallsyms: unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()")
has telled us we'd better use symbol name to register but not address anymore.

-static kprobe_opcode_t *_kprobe_addr(kprobe_opcode_t *addr,
-                       const char *symbol_name, unsigned int offset)
+static kprobe_opcode_t *_kprobe_addr(const char *symbol_name,
+                       unsigned int offset)
-       if ((symbol_name && addr) || (!symbol_name && !addr))
+       kprobe_opcode_t *addr;
+       if (!symbol_name)
                 goto invalid;

For us, this modification has not caused a big impact on other modules, only expects a little
influence on bpf from calling trace_kprobe_on_func_entry(), it can not use addr to fill in in struct trace_event_call anymore.

So i want to know your views, and i will resend this patch soon.

Wang Shaobo


Powered by blists - more mailing lists