From: Jakub Sitnicki <jakub@cloudflare.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>
Subject: Re: How to disassemble a BPF program?
Date: Mon, 25 Apr 2022 15:48:26 +0200	[thread overview]
Message-ID: <87tuah6ziv.fsf@cloudflare.com> (raw)
In-Reply-To: <CAEf4Bzbugg4dy_2J=cFKYYQEJx-irF-cRZvkkwCx4QQwXm5OpA@mail.gmail.com>

On Wed, Apr 20, 2022 at 09:48 AM -07, Andrii Nakryiko wrote:
> On Wed, Apr 20, 2022 at 4:38 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>
>> Ping?
>>
>> Since how to fix this "current top five crasher" bug depends on how a kernel
>> socket is created via BPF program, this bug wants help from BPF developers.
>
> If the BPF program is loaded/verified successfully, the easiest way to
> go about this would be to prevent repro from proceeding right after
> successful validation (e.g, do scanf()) and then use bpftool to find
> that program's ID and dump disassembly while that program is in the
> kernel.
>
> $ sudo bpftool prog show
> ...
> 654439: cgroup_skb  tag 6deef7357e7b4530  gpl
>         loaded_at 2022-04-20T06:14:08-0700  uid 0
>         xlated 64B  jited 54B  memlock 4096B
>         pids systemd(1)
>
> $ sudo bpftool prog dump xlat id 654439
>    0: (bf) r6 = r1
>    1: (69) r7 = *(u16 *)(r6 +176)
>    2: (b4) w8 = 0
>    3: (44) w8 |= 2
>    4: (b7) r0 = 1
>    5: (55) if r8 != 0x2 goto pc+1
>    6: (b7) r0 = 0
>    7: (95) exit
>
> Hope that helps. I don't know any tool that allows disassembling raw
> bytes into BPF assembly. Normally I use llvm-objdump to disassemble
> well-formed BPF ELF files. Not sure if you can wrangle llvm-objdump to
> disassemble raw bytes without the ELF file itself.

You can disassemble raw BPF binaries with GNU objdump, but the assembly
mnemonics are different:

$ sudo bpftool prog dump xlated id 77
   0: (bf) r6 = r1
   1: (69) r7 = *(u16 *)(r6 +176)
   2: (b4) w8 = 0
   3: (44) w8 |= 2
   4: (b7) r0 = 1
   5: (55) if r8 != 0x2 goto pc+1
   6: (b7) r0 = 0
   7: (95) exit
$ sudo bpftool prog dump xlated id 77 file prog.bin
$ sudo objdump -D -b binary -m bpf prog.bin

prog.bin:     file format binary


Disassembly of section .data:

0000000000000000 <.data>:
   0:   bf 16 00 00 00 00 00 00         mov %r6,%r1
   8:   69 67 b0 00 00 00 00 00         ldxh %r7,[%r6+0xb0]
  10:   b4 08 00 00 00 00 00 00         mov32 %r8,0
  18:   44 08 00 00 02 00 00 00         or32 %r8,2
  20:   b7 00 00 00 01 00 00 00         mov %r0,1
  28:   55 08 01 00 02 00 00 00         jne %r8,2,1
  30:   b7 00 00 00 00 00 00 00         mov %r0,0
  38:   95 00 00 00 00 00 00 00         exit
$
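The raw-bytes decoding both replies are after, as an added example that is not part of either message above: a small Python decoder for the 8-byte eBPF instruction encoding (opcode; dst_reg in the low nibble and src_reg in the high nibble of byte 1; a signed 16-bit offset; a signed 32-bit immediate, both little-endian) that takes the file written by `bpftool prog dump xlated ... file prog.bin` and prints it in bpftool's own syntax rather than GNU objdump's. The embedded sample bytes are the eight instructions shown in the objdump output above; the opcode tables are the standard eBPF encoding, and the 16-byte imm64 handling and the "unknown opcode" fallback go beyond what the messages show.

```python
"""Minimal eBPF disassembler for raw instruction bytes (bpftool "file" output).

Instruction layout (8 bytes, little-endian):
  byte 0     : opcode
  byte 1     : dst_reg (low nibble) | src_reg (high nibble)
  bytes 2..3 : off (s16)
  bytes 4..7 : imm (s32)
Covers ALU/ALU64, JMP/JMP32, LDX/ST/STX memory ops and LD_IMM64 (16 bytes).
"""
import struct
import sys

ALU_OPS = {0x00: "+=", 0x10: "-=", 0x20: "*=", 0x30: "/=", 0x40: "|=", 0x50: "&=",
           0x60: "<<=", 0x70: ">>=", 0x90: "%=", 0xa0: "^=", 0xc0: "s>>="}
JMP_OPS = {0x10: "==", 0x20: ">", 0x30: ">=", 0x40: "&", 0x50: "!=", 0x60: "s>",
           0x70: "s>=", 0xa0: "<", 0xb0: "<=", 0xc0: "s<", 0xd0: "s<="}
SIZES = {0x00: "u32", 0x08: "u16", 0x10: "u8", 0x18: "u64"}

# Constructed sample: the eight instructions from the objdump listing above.
SAMPLE = bytes.fromhex(
    "bf16000000000000"  # r6 = r1
    "6967b00000000000"  # r7 = *(u16 *)(r6 +176)
    "b408000000000000"  # w8 = 0
    "4408000002000000"  # w8 |= 2
    "b700000001000000"  # r0 = 1
    "5508010002000000"  # if r8 != 0x2 goto pc+1
    "b700000000000000"  # r0 = 0
    "9500000000000000"  # exit
)


def decode_insn(raw, pos):
    """Decode one instruction at byte offset pos; return (text, bytes consumed)."""
    opcode, regs, off, imm = struct.unpack_from("<BBhi", raw, pos)
    dst, src = regs & 0x0f, regs >> 4
    cls, code = opcode & 0x07, opcode & 0xf0
    use_reg = bool(opcode & 0x08)          # BPF_X: src register; BPF_K: immediate
    if cls in (0x04, 0x07):                 # BPF_ALU (32-bit, "w") / BPF_ALU64 ("r")
        p = "w" if cls == 0x04 else "r"
        rhs = f"{p}{src}" if use_reg else str(imm)
        if code == 0xb0:                    # BPF_MOV
            return f"{p}{dst} = {rhs}", 8
        if code == 0x80:                    # BPF_NEG
            return f"{p}{dst} = -{p}{dst}", 8
        if code == 0xd0:                    # BPF_END: source bit selects le/be
            return f"{p}{dst} = {'be' if use_reg else 'le'}{imm} {p}{dst}", 8
        if code in ALU_OPS:
            return f"{p}{dst} {ALU_OPS[code]} {rhs}", 8
    elif cls in (0x05, 0x06):               # BPF_JMP / BPF_JMP32
        p = "w" if cls == 0x06 else "r"
        if code == 0x00:                    # BPF_JA
            return f"goto pc{off:+d}", 8
        if code == 0x80:                    # BPF_CALL
            return f"call {imm}", 8
        if code == 0x90:                    # BPF_EXIT
            return "exit", 8
        if code in JMP_OPS:
            rhs = f"{p}{src}" if use_reg else f"{imm:#x}"
            return f"if {p}{dst} {JMP_OPS[code]} {rhs} goto pc{off:+d}", 8
    elif opcode == 0x18:                    # BPF_LD|BPF_DW|BPF_IMM: 64-bit immediate
        _, _, _, imm_hi = struct.unpack_from("<BBhi", raw, pos + 8)
        return f"r{dst} = {(imm_hi << 32) | (imm & 0xffffffff):#x} ll", 16
    elif cls in (0x01, 0x02, 0x03) and (opcode & 0xe0) == 0x60:   # BPF_MEM loads/stores
        size = SIZES[opcode & 0x18]
        if cls == 0x01:                     # BPF_LDX
            return f"r{dst} = *({size} *)(r{src} {off:+d})", 8
        val = f"r{src}" if cls == 0x03 else str(imm)   # BPF_STX vs BPF_ST
        return f"*({size} *)(r{dst} {off:+d}) = {val}", 8
    return f"unknown opcode {opcode:#04x}", 8


def disassemble(raw):
    """Return bpftool-style lines ("   N: (op) text") for the whole byte string."""
    lines, pos, idx = [], 0, 0
    while pos + 8 <= len(raw):
        text, used = decode_insn(raw, pos)
        lines.append(f"{idx:4d}: ({raw[pos]:02x}) {text}")
        pos += used
        idx += used // 8
    return lines


if __name__ == "__main__":
    # Usage: python3 bpfdis.py prog.bin   (falls back to the embedded sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(disassemble(data)))
```

Run it on the `prog.bin` produced by the `bpftool ... file` command above and the output matches the `bpftool prog dump xlated` listing line for line; feed it bytes from any other source (a crash dump, a hexdump of a repro's instruction array) and it decodes them the same way, with no ELF container required.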

Thread overview: 7+ messages
2022-04-12 11:04 How to disassemble a BPF program? Tetsuo Handa
2022-04-20 11:38 ` Tetsuo Handa
2022-04-20 16:48   ` Andrii Nakryiko
2022-04-21  7:17     ` Tetsuo Handa
2022-04-21 11:15       ` Tetsuo Handa
2022-04-22  6:44         ` Tetsuo Handa
2022-04-25 13:48     ` Jakub Sitnicki [this message]