| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzaTEUkRU37fsuGy+-otWk9K0-c9=hs0APRz7pJy7rq-5w@mail.gmail.com> Date: Thu, 18 Jul 2024 08:29:23 -0700 From: Andrii Nakryiko <andrii.nakryiko@...il.com> To: Andrii Nakryiko <andrii@...nel.org> Cc: linux-trace-kernel@...r.kernel.org, peterz@...radead.org, rostedt@...dmis.org, mhiramat@...nel.org, x86@...nel.org, mingo@...hat.com, tglx@...utronix.de, jpoimboe@...hat.com, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, rihams@...com, linux-perf-users@...r.kernel.org Subject: Re: [PATCH v5] perf,x86: avoid missing caller address in stack traces captured in uprobe On Wed, Jul 10, 2024 at 12:36 PM Andrii Nakryiko <andrii@...nel.org> wrote: > > When tracing user functions with uprobe functionality, it's common to > install the probe (e.g., a BPF program) at the first instruction of the > function. This is often going to be `push %rbp` instruction in function > preamble, which means that within that function frame pointer hasn't > been established yet. This leads to consistently missing an actual > caller of the traced function, because perf_callchain_user() only > records current IP (capturing traced function) and then following frame > pointer chain (which would be caller's frame, containing the address of > caller's caller). > > So when we have target_1 -> target_2 -> target_3 call chain and we are > tracing an entry to target_3, captured stack trace will report > target_1 -> target_3 call chain, which is wrong and confusing. > > This patch proposes a x86-64-specific heuristic to detect `push %rbp` > (`push %ebp` on 32-bit architecture) instruction being traced. Given > entire kernel implementation of user space stack trace capturing works > under assumption that user space code was compiled with frame pointer > register (%rbp/%ebp) preservation, it seems pretty reasonable to use > this instruction as a strong indicator that this is the entry to the > function. In that case, return address is still pointed to by %rsp/%esp, > so we fetch it and add to stack trace before proceeding to unwind the > rest using frame pointer-based logic. > > We also check for `endbr64` (for 64-bit modes) as another common pattern > for function entry, as suggested by Josh Poimboeuf. Even if we get this > wrong sometimes for uprobes attached not at the function entry, it's OK > because stack trace will still be overall meaningful, just with one > extra bogus entry. If we don't detect this, we end up with guaranteed to > be missing caller function entry in the stack trace, which is worse > overall. > > Signed-off-by: Andrii Nakryiko <andrii@...nel.org> > --- > arch/x86/events/core.c | 63 +++++++++++++++++++++++++++++++++++++++++ > include/linux/uprobes.h | 2 ++ > kernel/events/uprobes.c | 2 ++ > 3 files changed, 67 insertions(+) > Ping. What's the status of this patch? Is it just waiting until after the merge window, or it got lost? > diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c > index 5b0dd07b1ef1..780b8dc36f05 100644 > --- a/arch/x86/events/core.c > +++ b/arch/x86/events/core.c > @@ -41,6 +41,8 @@ > #include <asm/desc.h> > #include <asm/ldt.h> > #include <asm/unwind.h> > +#include <asm/uprobes.h> > +#include <asm/ibt.h> > > #include "perf_event.h" > > @@ -2813,6 +2815,46 @@ static unsigned long get_segment_base(unsigned int segment) [...]
Powered by blists - more mailing lists