lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250415112750.1477339-1-guoj17@chinatelecom.cn>
Date: Tue, 15 Apr 2025 19:27:50 +0800
From: Jin Guo <menglong8.dong@...il.com>
To: rostedt@...dmis.org
Cc: mhiramat@...nel.org,
	mark.rutland@....com,
	mathieu.desnoyers@...icios.com,
	linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	Jin Guo <guoj17@...natelecom.cn>
Subject: [PATCH] ftrace: make ftrace_location() more accurate

The function ftrace_location is used to lookup the ftrace location with an
ip. However, the result that it returns can be wrong in some case.

Let's image that we have the following kallsyms:

  ffffffff812c35f0 T sys_ni_syscall
  ffffffff812c38b0 W __pfx___x64_sys_io_pgetevents_time32
  ffffffff812c38c0 W __x64_sys_io_pgetevents_time32

And the symbol has corresponding ftrace location like this:

  ffffffff812c35f4 sys_ni_syscall
  ffffffff812c3624 __ftrace_invalid_address___52
  ffffffff812c3654 __ftrace_invalid_address___100
  ffffffff812c3684 __ftrace_invalid_address___148
  ffffffff812c36b4 __ftrace_invalid_address___196
  ffffffff812c36e4 __ftrace_invalid_address___244
  ffffffff812c3714 __ftrace_invalid_address___292
  ffffffff812c3744 __ftrace_invalid_address___340
  ffffffff812c3774 __ftrace_invalid_address___388
  ffffffff812c37a4 __ftrace_invalid_address___436
  ffffffff812c37d4 __ftrace_invalid_address___484
  ffffffff812c3804 __ftrace_invalid_address___532
  ffffffff812c3834 __ftrace_invalid_address___580
  ffffffff812c3864 __ftrace_invalid_address___628
  ffffffff812c3894 __ftrace_invalid_address___676
  ffffffff812c38c4 __x64_sys_io_pgetevents_time32
  ffffffff812c38f4 __ia32_sys_io_pgetevents_time32

When we want to lookup the ftrace location for sys_ni_syscall, the ftrace
location "ffffffff812c3894" can be returned, which is totally wrong.

The reason is that we get a wrong function size from
kallsyms_lookup_size_offset(), because of the existing of weak functions.
And when we lookup with ftrace_location_range(), it will return the first
matched location between 0xffffffff812c35f0 and ffffffff812c38c0, as it
searches by binary on a page.

When the macro "FTRACE_MCOUNT_MAX_OFFSET" exists, we can limit the lookup
size no more than FTRACE_MCOUNT_MAX_OFFSET to avoid such error.

The victim of this problem can be BPF_PROG_TYPE_TRACING. When we want to
hook the function sys_ni_syscall with BPF_FENTRY, it will attach
to __ftrace_invalid_address___676(0xffffffff812c3894) successfully
instead, and the user totally can't aware it, which is dangerous.

Signed-off-by: Jin Guo <guoj17@...natelecom.cn>
---
 kernel/trace/ftrace.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 1a48aedb5255..8c9a4009c997 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1658,8 +1658,13 @@ unsigned long ftrace_location(unsigned long ip)
 			return 0;
 
 		/* map sym+0 to __fentry__ */
-		if (!offset)
-			loc = ftrace_location_range(ip, ip + size - 1);
+		if (!offset) {
+			size -= 1;
+#ifdef FTRACE_MCOUNT_MAX_OFFSET
+			size = min(size, FTRACE_MCOUNT_MAX_OFFSET);
+#endif
+			loc = ftrace_location_range(ip, ip + size);
+		}
 	}
 	return loc;
 }
-- 
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ