| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 31 Mar 2022 21:48:36 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Song Liu <songliubraving@...com>
Cc: open list <linux-kernel@...r.kernel.org>,
bpf <bpf@...r.kernel.org>, Ingo Molnar <mingo@...hat.com>,
Kernel Team <Kernel-team@...com>
Subject: Re: ftrace_direct (used by bpf trampoline) conflicts with live
patch
On Fri, 1 Apr 2022 01:11:01 +0000
Song Liu <songliubraving@...com> wrote:
> Hi Steven,
>
> We hit an issue with bpf trampoline and kernel live patch on the
> same function.
>
> Basically, we have tracing and live patch on the same function.
> If we use kprobe (over ftrace) for tracing, it works fine with
> live patch. However, fentry on the same function does not work
> with live patch (the one comes later fails to attach).
>
> After digging into this, I found this is because bpf trampoline
> uses register_ftrace_direct, which enables IPMODIFY by default.
> OTOH, it seems that BPF doesn't really need IPMODIFY. As BPF
> trampoline does a "goto do_fexit" in jit for BPF_TRAMP_MODIFY_RETURN.
>
> IIUC, we can let bpf trampoline and live patch work together with
> an ipmodify-less version of register_ftrace_direct, like attached
> below.
>
> Does this make sense to you? Did I miss something?
I thought the BPF trampoline does:
call bpf_trace_before_function
call original_function + X86_PATCH_SIZE
call bpf_trace_after_function
Thus, the bpf direct trampoline calls the unpatched version of the
function call making the live patch useless. Or is this not what it
does?
-- Steve
Powered by blists - more mailing lists