lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZhQVBYQYr5ph33Uu@krava>
Date: Mon, 8 Apr 2024 18:02:13 +0200
From: Jiri Olsa <olsajiri@...il.com>
To: Oleg Nesterov <oleg@...hat.com>
Cc: Jiri Olsa <olsajiri@...il.com>, Masami Hiramatsu <mhiramat@...nel.org>,
	Andrii Nakryiko <andrii.nakryiko@...il.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Andrii Nakryiko <andrii@...nel.org>, linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org, bpf@...r.kernel.org,
	Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
	John Fastabend <john.fastabend@...il.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	"Borislav Petkov (AMD)" <bp@...en8.de>, x86@...nel.org,
	linux-api@...r.kernel.org
Subject: Re: [PATCHv2 1/3] uprobe: Add uretprobe syscall to speed up return
 probe

On Fri, Apr 05, 2024 at 01:02:30PM +0200, Oleg Nesterov wrote:
> On 04/05, Jiri Olsa wrote:
> >
> > On Fri, Apr 05, 2024 at 10:22:03AM +0900, Masami Hiramatsu wrote:
> > >
> > > I think this expects setjmp/longjmp as below
> > >
> > > foo() { <- retprobe1
> > > 	setjmp()
> > > 	bar() { <- retprobe2
> > > 		longjmp()
> > > 	}
> > > } <- return to trampoline
> > >
> > > In this case, we need to skip retprobe2's instance.
> 
> Yes,
> 
> > > My concern is, if we can not find appropriate return instance, what happen?
> > > e.g.
> > >
> > > foo() { <-- retprobe1
> > >    bar() { # sp is decremented
> > >        sys_uretprobe() <-- ??
> > >     }
> > > }
> > >
> > > It seems sys_uretprobe() will handle retprobe1 at that point instead of
> > > SIGILL.
> >
> > yes, and I think it's fine, you get the consumer called in wrong place,
> > but it's your fault and kernel won't crash
> 
> Agreed.
> 
> With or without this patch userpace can also do
> 
> 	foo() { <-- retprobe1
> 		bar() {
> 			jump to xol_area
> 		}
> 	}
> 
> handle_trampoline() will handle retprobe1.
> 
> > this can be fixed by checking the syscall is called from the trampoline
> > and prevent handle_trampoline call if it's not
> 
> Yes, but I still do not think this makes a lot of sense. But I won't argue.
> 
> And what should sys_uretprobe() do if it is not called from the trampoline?
> I'd prefer force_sig(SIGILL) to punish the abuser ;) OK, OK, EINVAL.

so the similar behaviour with int3 ends up with immediate SIGTRAP
and not invoking pending uretprobe consumers, like:

  - setup uretprobe for foo
  - foo() {
      executes int 3 -> sends SIGTRAP
    }

because the int3 handler checks if it got executed from the uretprobe's
trampoline.. if not it treats that int3 as regular trap

while for uretprobe syscall we have at the moment following behaviour:

  - setup uretprobe for foo
  - foo() {
     uretprobe_syscall -> executes foo's uretprobe consumers
    }
  - at some point we get to the 'ret' instruction that jump into uretprobe
    trampoline and the uretprobe_syscall won't find pending uretprobe and
    will send SIGILL


so I think we should mimic int3 behaviour and:

  - setup uretprobe for foo
  - foo() {
     uretprobe_syscall -> check if we got executed from uretprobe's
     trampoline and send SIGILL if that's not the case

I think it's better to have the offending process killed right away,
rather than having more undefined behaviour, waiting for final 'ret'
instruction that jumps to uretprobe trampoline and causes SIGILL

> 
> I agree very much with Andrii,
> 
>        sigreturn()  exists only to allow the implementation of signal handlers.  It should never be
>        called directly.  Details of the arguments (if any) passed to sigreturn() vary depending  on
>        the architecture.
> 
> this is how sys_uretprobe() should be treated/documented.

yes, will include man page patch in new version

jirka

> 
> sigreturn() can be "improved" too. Say, it could validate sigcontext->ip
> and return -EINVAL if this addr is not valid. But why?
> 
> Oleg.
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ