| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Mar 2021 19:06:15 -0600
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Daniel Xu <dxu@...uu.xyz>, Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...nel.org>, X86 ML <x86@...nel.org>,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org, kuba@...nel.org,
mingo@...hat.com, ast@...nel.org, tglx@...utronix.de,
kernel-team@...com, yhs@...com
Subject: Re: [PATCH -tip 0/5] kprobes: Fix stacktrace in kretprobes
On Thu, Mar 11, 2021 at 09:20:18AM +0900, Masami Hiramatsu wrote:
> > > bool unwind_next_frame(struct unwind_state *state)
> > > {
> > > unsigned long ip_p, sp, tmp, orig_ip = state->ip, prev_sp = state->sp;
> > > @@ -536,6 +561,18 @@ bool unwind_next_frame(struct unwind_state *state)
> > >
> > > state->ip = ftrace_graph_ret_addr(state->task, &state->graph_idx,
> > > state->ip, (void *)ip_p);
> > > + /*
> > > + * There are special cases when the stack unwinder is called
> > > + * from the kretprobe handler or the interrupt handler which
> > > + * occurs in the kretprobe trampoline code. In those cases,
> > > + * %sp is shown on the stack instead of the return address.
> > > + * Or, when the unwinder find the return address is replaced
> > > + * by kretprobe_trampoline.
> > > + * In those cases, correct address can be found in kretprobe.
> > > + */
> > > + if (state->ip == sp ||
> >
> > Why is the 'state->ip == sp' needed?
>
> As I commented above, until kretprobe_trampoline writes back the real
> address to the stack, sp value is there (which has been pushed by the
> 'pushq %rsp' at the entry of kretprobe_trampoline.)
>
> ".type kretprobe_trampoline, @function\n"
> "kretprobe_trampoline:\n"
> /* We don't bother saving the ss register */
> " pushq %rsp\n" // THIS
> " pushfq\n"
>
> Thus, from inside the kretprobe handler, like ftrace, you'll see
> the sp value instead of the real return address.
I see. If you change is_kretprobe_trampoline_address() to include the
entire function, like:
static bool is_kretprobe_trampoline_address(unsigned long ip)
{
return (void *)ip >= kretprobe_trampoline &&
(void *)ip < kretprobe_trampoline_end;
}
then the unwinder won't ever read the bogus %rsp value into state->ip,
and the 'state->ip == sp' check can be removed.
> > And it would make the unwinder just work automatically when unwinding
> > from the handler using the regs.
> >
> > It would also work when unwinding from the handler's stack, if we put an
> > UNWIND_HINT_REGS after saving the regs.
>
> At that moment, the real return address is not identified. So we can not
> put it.
True, at the time the regs are originally saved, the real return address
isn't available. But by the time the user handler is called, the return
address *is* available. So if the real return address were placed in
regs->ip before calling the handler, the unwinder could find it there,
when called from the handler.
Then we wouldn't need the call to orc_kretprobe_correct_ip() in
__unwind_start().
But maybe it's not possible due to the regs->ip expectations of legacy
handlers?
--
Josh
Powered by blists - more mailing lists