Message-ID: <CAP-5=fX8ipwPj_M6r3K=rZnYyVnW6VUYWARJhamFbphzLFxx+A@mail.gmail.com>
Date:   Thu, 17 Aug 2023 11:46:59 -0700
From:   Ian Rogers <irogers@...gle.com>
To:     Arnaldo Carvalho de Melo <acme@...nel.org>
Cc:     Namhyung Kim <namhyung@...nel.org>,
        Adrian Hunter <adrian.hunter@...el.com>,
        Alan Maguire <alan.maguire@...cle.com>,
        Jiri Olsa <jolsa@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/1] perf trace: Use heuristic when deciding if a syscall
 tracepoint "const char *" field is really a string

On Thu, Aug 17, 2023 at 11:23 AM Arnaldo Carvalho de Melo
<acme@...nel.org> wrote:
>
> 'perf trace' tries to find BPF progs associated with a syscall that have
> a signature that is similar to syscalls without one to try and reuse,
> so, for instance, the 'open' signature can be reused with many other
> syscalls that have as their first arg a string.
>
> It uses the tracefs events format file for finding a signature that can
> be reused, but then comes the "write" syscall with its second argument
> as a "const char *":
>
>   # cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_write/format
>   name: sys_enter_write
>   ID: 746
>   format:
>         field:unsigned short common_type;       offset:0;       size:2; signed:0;
>         field:unsigned char common_flags;       offset:2;       size:1; signed:0;
>         field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
>         field:int common_pid;   offset:4;       size:4; signed:1;
>
>         field:int __syscall_nr; offset:8;       size:4; signed:1;
>         field:unsigned int fd;  offset:16;      size:8; signed:0;
>         field:const char * buf; offset:24;      size:8; signed:0;
>         field:size_t count;     offset:32;      size:8; signed:0;
>
>   print fmt: "fd: 0x%08lx, buf: 0x%08lx, count: 0x%08lx", ((unsigned long)(REC->fd)), ((unsigned long)(REC->buf)), ((unsigned long)(REC->count))
>   #
>
> Which isn't a string (the man page for glibc has buf as "void *"), so we
> have to use the name of the argument as a heuristic, to consider a
> string just args that are "const char *" and that have in their name the
> "path", "file", etc substrings.
>
> With that now it reuses:
>
>   [root@...co ~]# perf trace -v --max-events=1 |& grep Reus
>   Reusing "open" BPF sys_enter augmenter for "stat"
>   Reusing "open" BPF sys_enter augmenter for "lstat"
>   Reusing "open" BPF sys_enter augmenter for "access"
>   Reusing "connect" BPF sys_enter augmenter for "accept"
>   Reusing "sendto" BPF sys_enter augmenter for "recvfrom"
>   Reusing "connect" BPF sys_enter augmenter for "bind"
>   Reusing "connect" BPF sys_enter augmenter for "getsockname"
>   Reusing "connect" BPF sys_enter augmenter for "getpeername"
>   Reusing "open" BPF sys_enter augmenter for "execve"
>   Reusing "open" BPF sys_enter augmenter for "truncate"
>   Reusing "open" BPF sys_enter augmenter for "chdir"
>   Reusing "open" BPF sys_enter augmenter for "mkdir"
>   Reusing "open" BPF sys_enter augmenter for "rmdir"
>   Reusing "open" BPF sys_enter augmenter for "creat"
>   Reusing "open" BPF sys_enter augmenter for "link"
>   Reusing "open" BPF sys_enter augmenter for "unlink"
>   Reusing "open" BPF sys_enter augmenter for "symlink"
>   Reusing "open" BPF sys_enter augmenter for "readlink"
>   Reusing "open" BPF sys_enter augmenter for "chmod"
>   Reusing "open" BPF sys_enter augmenter for "chown"
>   Reusing "open" BPF sys_enter augmenter for "lchown"
>   Reusing "open" BPF sys_enter augmenter for "mknod"
>   Reusing "open" BPF sys_enter augmenter for "statfs"
>   Reusing "open" BPF sys_enter augmenter for "pivot_root"
>   Reusing "open" BPF sys_enter augmenter for "chroot"
>   Reusing "open" BPF sys_enter augmenter for "acct"
>   Reusing "open" BPF sys_enter augmenter for "swapon"
>   Reusing "open" BPF sys_enter augmenter for "swapoff"
>   Reusing "open" BPF sys_enter augmenter for "delete_module"
>   Reusing "open" BPF sys_enter augmenter for "setxattr"
>   Reusing "open" BPF sys_enter augmenter for "lsetxattr"
>   Reusing "openat" BPF sys_enter augmenter for "fsetxattr"
>   Reusing "open" BPF sys_enter augmenter for "getxattr"
>   Reusing "open" BPF sys_enter augmenter for "lgetxattr"
>   Reusing "openat" BPF sys_enter augmenter for "fgetxattr"
>   Reusing "open" BPF sys_enter augmenter for "listxattr"
>   Reusing "open" BPF sys_enter augmenter for "llistxattr"
>   Reusing "open" BPF sys_enter augmenter for "removexattr"
>   Reusing "open" BPF sys_enter augmenter for "lremovexattr"
>   Reusing "fsetxattr" BPF sys_enter augmenter for "fremovexattr"
>   Reusing "open" BPF sys_enter augmenter for "mq_open"
>   Reusing "open" BPF sys_enter augmenter for "mq_unlink"
>   Reusing "fsetxattr" BPF sys_enter augmenter for "add_key"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "request_key"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "inotify_add_watch"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "mkdirat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "mknodat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "fchownat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "futimesat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "newfstatat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "unlinkat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "linkat"
>   Reusing "open" BPF sys_enter augmenter for "symlinkat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "readlinkat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "fchmodat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "faccessat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "utimensat"
>   Reusing "connect" BPF sys_enter augmenter for "accept4"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "name_to_handle_at"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "renameat2"
>   Reusing "open" BPF sys_enter augmenter for "memfd_create"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "execveat"
>   Reusing "fremovexattr" BPF sys_enter augmenter for "statx"
>   [root@...co ~]#
>
> Cc: Adrian Hunter <adrian.hunter@...el.com>
> Cc: Alan Maguire <alan.maguire@...cle.com>
> Cc: Ian Rogers <irogers@...gle.com>
> Cc: Jiri Olsa <jolsa@...nel.org>
> Cc: Namhyung Kim <namhyung@...nel.org>
> Link: https://lore.kernel.org/lkml/
> Signed-off-by: Arnaldo Carvalho de Melo <acme@...hat.com>

Reviewed-by: Ian Rogers <irogers@...gle.com>

Thanks,
Ian

> ---
>  tools/perf/builtin-trace.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
> index 3964cf44cdbcb3e8..e541d0e2777ab935 100644
> --- a/tools/perf/builtin-trace.c
> +++ b/tools/perf/builtin-trace.c
> @@ -3398,6 +3398,19 @@ static struct bpf_program *trace__find_usable_bpf_prog_entry(struct trace *trace
>                         if (strcmp(field->type, candidate_field->type))
>                                 goto next_candidate;
>
> +                       /*
> +                        * This is limited in the BPF program but sys_write
> +                        * uses "const char *" for its "buf" arg so we need to
> +                        * use some heuristic that is kinda future proof...
> +                        */
> +                       if (strcmp(field->type, "const char *") == 0 &&
> +                           !(strstr(field->name, "name") ||
> +                             strstr(field->name, "path") ||
> +                             strstr(field->name, "file") ||
> +                             strstr(field->name, "root") ||
> +                             strstr(field->name, "description")))
> +                               goto next_candidate;
> +
>                         is_candidate = true;
>                 }
>
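Review bot: the strstr() calls in the new `if` are substring matches on field->name only, so any "const char *" argument whose name merely contains "name", "path", "file", "root" or "description" is still accepted as a string, a genuine string argument with any other name is now rejected, and candidate_field->name is never tested. The commit message mentions only "path", "file", etc., so the comment should say which arguments "root" and "description" are there for, and the list would be easier to extend as a small static table behind a helper. The comment's opening words ("This is limited in the BPF program") do not say what is limited; spelling that out would help the next reader.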
> --
> 2.41.0
>
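The field-name heuristic from the commit message, applied to `field:` lines in the tracefs format shown above, as an added example that is not part of the original mail or of perf. `parse_field`, `field_is_string` and the `filename` sample line are hypothetical, constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Argument lines of sys_enter_write quoted above, plus one constructed "filename" line. */
static const char *sample_fields[] = {
	"field:unsigned int fd;  offset:16;      size:8; signed:0;",
	"field:const char * buf; offset:24;      size:8; signed:0;",
	"field:size_t count;     offset:32;      size:8; signed:0;",
	"field:const char * filename;    offset:16;      size:8; signed:0;",
};

/* Split "field:<type> <name>;" into type and name; false if malformed or too long. */
static bool parse_field(const char *line, char *type, size_t tsz, char *name, size_t nsz)
{
	const char *p = strstr(line, "field:"), *semi, *sp;
	if (!p || !(semi = strchr(p + 6, ';')))
		return false;
	p += 6;
	for (sp = semi; sp > p && sp[-1] != ' '; sp--)
		;	/* walk back to the start of the last token, the name */
	if (sp == p || sp == semi || (size_t)(semi - sp) >= nsz || (size_t)(sp - 1 - p) >= tsz)
		return false;
	snprintf(name, nsz, "%.*s", (int)(semi - sp), sp);
	snprintf(type, tsz, "%.*s", (int)(sp - 1 - p), p);
	return true;
}

/* Hypothetical helper mirroring the patch's condition: 1 string, 0 not, -1 parse error. */
static int field_is_string(const char *line)
{
	static const char *hints[] = { "name", "path", "file", "root", "description" };
	char type[64], name[64];
	if (!parse_field(line, type, sizeof(type), name, sizeof(name)))
		return -1;
	if (strcmp(type, "const char *"))
		return 0;
	for (size_t i = 0; i < sizeof(hints) / sizeof(hints[0]); i++)
		if (strstr(name, hints[i]))
			return 1;	/* substring match, as in the patch */
	return 0;
}

int main(void)
{
	for (size_t i = 0; i < sizeof(sample_fields) / sizeof(sample_fields[0]); i++)
		printf("%2d  %s\n", field_is_string(sample_fields[i]), sample_fields[i]);
	return 0;
}
```

Because the match is a substring test, a constructed name such as `profile_buf` would also be classified as a string, since it contains "file".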
