Message-ID: <CAHsH6Gs3Eh8DFU0wq58c_LF8A4_+o6z456J7BidmcVY2AqOnHQ@mail.gmail.com>
Date: Fri, 10 Jan 2025 07:12:02 -0800
From: Eyal Birger <eyal.birger@...il.com>
To: Jiri Olsa <jolsa@...nel.org>
Cc: olsajiri@...il.com, mhiramat@...nel.org, oleg@...hat.com,
linux-kernel <linux-kernel@...r.kernel.org>, linux-trace-kernel@...r.kernel.org,
BPF-dev-list <bpf@...r.kernel.org>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>, peterz@...radead.org, tglx@...utronix.de,
bp@...en8.de, x86@...nel.org, linux-api@...r.kernel.org,
Andrii Nakryiko <andrii@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii.nakryiko@...il.com>,
"rostedt@...dmis.org" <rostedt@...dmis.org>, rafi@....io,
Shmulik Ladkani <shmulik.ladkani@...il.com>
Subject: Crash when attaching uretprobes to processes running in Docker

Hi,

When attaching uretprobes to processes running inside docker, the attached
process is segfaulted when encountering the retprobe. The offending commit
is:

ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe")

To my understanding, the reason is that now that uretprobe is a system call,
the default seccomp filters in docker block it as they only allow a specific
set of known syscalls.

This behavior can be reproduced by the below bash script, which works before
this commit.

Reported-by: Rafael Buchbinder <rafi@....io>

Eyal.

--- CODE ---
#!/bin/bash

cat > /tmp/x.c << EOF
#include <stdio.h>
#include <seccomp.h>

/* Only these syscalls are allowed by the filter below. */
char *syscalls[] = {
    "write",
    "exit_group",
};

/* Target of the uretprobe; noinline keeps it a real call with a return. */
__attribute__((noinline)) int probed(void)
{
    printf("Probed\n");
    return 1;
}

void apply_seccomp_filter(char **syscalls, int num_syscalls)
{
    scmp_filter_ctx ctx;

    /* Default action: any syscall not on the allow list fails with errno 1. */
    ctx = seccomp_init(SCMP_ACT_ERRNO(1));
    for (int i = 0; i < num_syscalls; i++) {
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
                         seccomp_syscall_resolve_name(syscalls[i]), 0);
    }
    seccomp_load(ctx);
    seccomp_release(ctx);
}

int main(int argc, char *argv[])
{
    int num_syscalls = sizeof(syscalls) / sizeof(syscalls[0]);

    apply_seccomp_filter(syscalls, num_syscalls);
    probed();
    return 0;
}
EOF

cat > /tmp/trace.bt << EOF
uretprobe:/tmp/x:probed
{
    printf("ret=%d\n", retval);
}
EOF

gcc -o /tmp/x /tmp/x.c -lseccomp

/usr/bin/bpftrace /tmp/trace.bt &
sleep 5 # wait for uretprobe attach
/tmp/x

pkill bpftrace
rm /tmp/x /tmp/x.c /tmp/trace.bt
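
Added example, not part of the original message: a Python check of whether an allow-list seccomp profile in Docker's JSON profile format names a given syscall, which is the condition the report attributes the crash to. The sample profile is constructed and mirrors the reproducer's two allowed syscalls; the function names are this example's own.

```python
import json

# Constructed sample in Docker's seccomp profile JSON format (not a shipped
# profile): default-deny plus an allow list like the reproducer's.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["bpf"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")


def rule_is_conditional(rule):
    """True when the rule applies only for some args, caps or arches."""
    return bool(rule.get("args") or rule.get("includes") or rule.get("excludes"))


def effective_action(profile, syscall):
    """Return (action, source) for a syscall name.

    source is "rule" for an unconditional match, "conditional" when only
    conditional rules name the syscall, and "default" when no rule names it
    and the profile's defaultAction applies.
    """
    conditional = None
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]  # older profiles use "name"
        if syscall not in names:
            continue
        if not rule_is_conditional(rule):
            return rule["action"], "rule"
        conditional = rule["action"]
    if conditional is not None:
        return conditional, "conditional"
    return profile["defaultAction"], "default"


def audit(profile, required):
    """List the required syscalls the profile does not unconditionally allow."""
    return [s for s in required
            if effective_action(profile, s) != ("SCMP_ACT_ALLOW", "rule")]


if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE, ["write", "exit_group", "uretprobe"]))
```

To audit a real profile, load its JSON file with `json.load` and pass the result in place of `SAMPLE_PROFILE`.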