lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEf4BzZxXDsB+_Oyu=gDP9_7c5vc4Z6QFfW5TnY3GTA86X6hSQ@mail.gmail.com>
Date: Tue, 2 Jul 2024 10:17:24 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Andrii Nakryiko <andrii@...nel.org>, linux-trace-kernel@...r.kernel.org, 
	rostedt@...dmis.org, mhiramat@...nel.org, x86@...nel.org, mingo@...hat.com, 
	tglx@...utronix.de, bpf@...r.kernel.org, rihams@...com, 
	linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Josh Poimboeuf <jpoimboe@...hat.com>
Subject: Re: [PATCH] perf,x86: avoid missing caller address in stack traces
 captured in uprobe

On Tue, Jul 2, 2024 at 2:50 AM Peter Zijlstra <peterz@...radead.org> wrote:
>
>
> +Josj +LKML
>

ack, will add for next revision


> On Mon, Jul 01, 2024 at 04:10:27PM -0700, Andrii Nakryiko wrote:
> > When tracing user functions with uprobe functionality, it's common to
> > install the probe (e.g., a BPF program) at the first instruction of the
> > function. This is often going to be `push %rbp` instruction in function
> > preamble, which means that within that function frame pointer hasn't
> > been established yet. This leads to consistently missing an actual
> > caller of the traced function, because perf_callchain_user() only
> > records current IP (capturing traced function) and then following frame
> > pointer chain (which would be caller's frame, containing the address of
> > caller's caller).
> >
> > So when we have target_1 -> target_2 -> target_3 call chain and we are
> > tracing an entry to target_3, captured stack trace will report
> > target_1 -> target_3 call chain, which is wrong and confusing.
> >
> > This patch proposes a x86-64-specific heuristic to detect `push %rbp`
> > instruction being traced. Given entire kernel implementation of user
> > space stack trace capturing works under assumption that user space code
> > was compiled with frame pointer register (%rbp) preservation, it seems
> > pretty reasonable to use this instruction as a strong indicator that
> > this is the entry to the function. In that case, return address is still
> > pointed to by %rsp, so we fetch it and add to stack trace before
> > proceeding to unwind the rest using frame pointer-based logic.
> >
> > Signed-off-by: Andrii Nakryiko <andrii@...nel.org>
> > ---
> >  arch/x86/events/core.c  | 20 ++++++++++++++++++++
> >  include/linux/uprobes.h |  2 ++
> >  kernel/events/uprobes.c |  2 ++
> >  3 files changed, 24 insertions(+)
> >
> > diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> > index 5b0dd07b1ef1..82d5570b58ff 100644
> > --- a/arch/x86/events/core.c
> > +++ b/arch/x86/events/core.c
> > @@ -2884,6 +2884,26 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
> >               return;
> >
> >       pagefault_disable();
> > +
> > +#ifdef CONFIG_UPROBES
> > +     /*
> > +      * If we are called from uprobe handler, and we are indeed at the very
> > +      * entry to user function (which is normally a `push %rbp` instruction,
> > +      * under assumption of application being compiled with frame pointers),
> > +      * we should read return address from *regs->sp before proceeding
> > +      * to follow frame pointers, otherwise we'll skip immediate caller
> > +      * as %rbp is not yet setup.
> > +      */
> > +     if (current->utask) {
> > +             struct arch_uprobe *auprobe = current->utask->auprobe;
> > +             u64 ret_addr;
> > +
> > +             if (auprobe && auprobe->insn[0] == 0x55 /* push %rbp */ &&
> > +                 !__get_user(ret_addr, (const u64 __user *)regs->sp))
>
> This u64 is wrong, perf_callchain_user() is always native size.
>
> Additionally, I suppose you should also add a hunk to
> perf_callchain_user32(), which is the compat case.
>

Ah, I misunderstood the purpose of perf_callchain_user32(), and so
assumed u64 is correct here. I get it now, perf_callchain_user32() is
compat 32-in-64 case, but the general case can be either 32 or 64 bit.
Will fix it, thanks!

> > +                     perf_callchain_store(entry, ret_addr);
> > +     }
> > +#endif
> > +
> >       while (entry->nr < entry->max_stack) {
> >               if (!valid_user_frame(fp, sizeof(frame)))
> >                       break;
> > diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
> > index b503fafb7fb3..a270a5892ab4 100644
> > --- a/include/linux/uprobes.h
> > +++ b/include/linux/uprobes.h
> > @@ -76,6 +76,8 @@ struct uprobe_task {
> >       struct uprobe                   *active_uprobe;
> >       unsigned long                   xol_vaddr;
> >
> > +     struct arch_uprobe              *auprobe;
> > +
> >       struct return_instance          *return_instances;
> >       unsigned int                    depth;
> >  };
> > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> > index 99be2adedbc0..6e22e4d80f1e 100644
> > --- a/kernel/events/uprobes.c
> > +++ b/kernel/events/uprobes.c
> > @@ -2082,6 +2082,7 @@ static void handler_chain(struct uprobe *uprobe, struct pt_regs *regs)
> >       bool need_prep = false; /* prepare return uprobe, when needed */
> >
> >       down_read(&uprobe->register_rwsem);
> > +     current->utask->auprobe = &uprobe->arch;
> >       for (uc = uprobe->consumers; uc; uc = uc->next) {
> >               int rc = 0;
> >
> > @@ -2096,6 +2097,7 @@ static void handler_chain(struct uprobe *uprobe, struct pt_regs *regs)
> >
> >               remove &= rc;
> >       }
> > +     current->utask->auprobe = NULL;
> >
> >       if (need_prep && !remove)
> >               prepare_uretprobe(uprobe, regs); /* put bp at return */
> > --
> > 2.43.0
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ