| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241105133610.1937089-1-elver@google.com>
Date: Tue, 5 Nov 2024 14:34:05 +0100
From: Marco Elver <elver@...gle.com>
To: elver@...gle.com, Steven Rostedt <rostedt@...dmis.org>,
Kees Cook <keescook@...omium.org>
Cc: Masami Hiramatsu <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Andrew Morton <akpm@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>,
linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com
Subject: [PATCH] tracing: Add task_prctl_unknown tracepoint
prctl() is a complex syscall which multiplexes its functionality based
on a large set of PR_* options. Currently we count 64 such options. The
return value of unknown options is -EINVAL, and doesn't distinguish from
known options that were passed invalid args that also return -EINVAL.
To understand if programs are attempting to use prctl() options not yet
available on the running kernel, provide the task_prctl_unknown
tracepoint.
Note, this tracepoint is in an unlikely cold path, and would therefore
be suitable for continuous monitoring (e.g. via perf_event_open).
While the above is likely the simplest usecase, additionally this
tracepoint can help unlock some testing scenarios (where probing
sys_enter or sys_exit causes undesirable performance overheads):
a. unprivileged triggering of a test module: test modules may register a
probe to be called back on task_prctl_unknown, and pick a very large
unknown prctl() option upon which they perform a test function for an
unprivileged user;
b. unprivileged triggering of an eBPF program function: similar
as idea (a).
Example trace_pipe output:
<...>-366 [004] ..... 146.439400: task_prctl_unknown: pid=366 comm=a.out option=1234 arg2=101 arg3=102 arg4=103 arg5=104
Signed-off-by: Marco Elver <elver@...gle.com>
---
include/trace/events/task.h | 43 +++++++++++++++++++++++++++++++++++++
kernel/sys.c | 3 +++
2 files changed, 46 insertions(+)
diff --git a/include/trace/events/task.h b/include/trace/events/task.h
index 47b527464d1a..ab711e581094 100644
--- a/include/trace/events/task.h
+++ b/include/trace/events/task.h
@@ -56,6 +56,49 @@ TRACE_EVENT(task_rename,
__entry->newcomm, __entry->oom_score_adj)
);
+/**
+ * task_prctl_unknown - called on unknown prctl() option
+ * @task: pointer to the current task
+ * @option: option passed
+ * @arg2: arg2 passed
+ * @arg3: arg3 passed
+ * @arg4: arg4 passed
+ * @arg5: arg5 passed
+ *
+ * Called on an unknown prctl() option.
+ */
+TRACE_EVENT(task_prctl_unknown,
+
+ TP_PROTO(struct task_struct *task, int option, unsigned long arg2, unsigned long arg3,
+ unsigned long arg4, unsigned long arg5),
+
+ TP_ARGS(task, option, arg2, arg3, arg4, arg5),
+
+ TP_STRUCT__entry(
+ __field( pid_t, pid )
+ __string( comm, task->comm )
+ __field( int, option)
+ __field( unsigned long, arg2)
+ __field( unsigned long, arg3)
+ __field( unsigned long, arg4)
+ __field( unsigned long, arg5)
+ ),
+
+ TP_fast_assign(
+ __entry->pid = task->pid;
+ __assign_str(comm);
+ __entry->option = option;
+ __entry->arg2 = arg2;
+ __entry->arg3 = arg3;
+ __entry->arg4 = arg4;
+ __entry->arg5 = arg5;
+ ),
+
+ TP_printk("pid=%d comm=%s option=%d arg2=%ld arg3=%ld arg4=%ld arg5=%ld",
+ __entry->pid, __get_str(comm), __entry->option,
+ __entry->arg2, __entry->arg3, __entry->arg4, __entry->arg5)
+);
+
#endif
/* This part must be outside protection */
diff --git a/kernel/sys.c b/kernel/sys.c
index 4da31f28fda8..dd0a71b68558 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -75,6 +75,8 @@
#include <asm/io.h>
#include <asm/unistd.h>
+#include <trace/events/task.h>
+
#include "uid16.h"
#ifndef SET_UNALIGN_CTL
@@ -2785,6 +2787,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = RISCV_SET_ICACHE_FLUSH_CTX(arg2, arg3);
break;
default:
+ trace_task_prctl_unknown(me, option, arg2, arg3, arg4, arg5);
error = -EINVAL;
break;
}
--
2.47.0.199.ga7371fff76-goog
Powered by blists - more mailing lists