From: Andrii Nakryiko <andrii.nakryiko@gmail.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>
Subject: Re: How to disassemble a BPF program?
Date: Wed, 20 Apr 2022 09:48:19 -0700	[thread overview]
Message-ID: <CAEf4Bzbugg4dy_2J=cFKYYQEJx-irF-cRZvkkwCx4QQwXm5OpA@mail.gmail.com> (raw)
In-Reply-To: <909c72b6-83f9-69a0-af80-d9cb3bc2bd0e@I-love.SAKURA.ne.jp>

On Wed, Apr 20, 2022 at 4:38 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> Ping?
>
> Since how to fix this "current top five crasher" bug depends on how a kernel
> socket is created via BPF program, this bug wants help from BPF developers.

If the BPF program is loaded/verified successfully, the easiest way to
go about this would be to prevent repro from proceeding right after
successful validation (e.g., do scanf()) and then use bpftool to find
that program's ID and dump disassembly while that program is in the
kernel.

$ sudo bpftool prog show
...
654439: cgroup_skb  tag 6deef7357e7b4530  gpl
        loaded_at 2022-04-20T06:14:08-0700  uid 0
        xlated 64B  jited 54B  memlock 4096B
        pids systemd(1)

$ sudo bpftool prog dump xlat id 654439
   0: (bf) r6 = r1
   1: (69) r7 = *(u16 *)(r6 +176)
   2: (b4) w8 = 0
   3: (44) w8 |= 2
   4: (b7) r0 = 1
   5: (55) if r8 != 0x2 goto pc+1
   6: (b7) r0 = 0
   7: (95) exit

Hope that helps. I don't know any tool that allows to disassemble raw
bytes into BPF assembly. Normally I use llvm-objdump to disassemble
well-formed BPF ELF files. Not sure if you can wrangle llvm-objdump to
disassemble raw bytes without ELF file itself.

>
> On 2022/04/12 20:04, Tetsuo Handa wrote:
> > Hello.
> >
> > I'm not a BPF user, but I want to know what a BPF program stored in
> > "static const char program[2053] =" at
> > https://lkml.kernel.org/r/c389e47f-8f82-fd62-8c1d-d9481d2f71ff@I-love.SAKURA.ne.jp
> > is doing so that I can parse syzkaller-generated BPF programs like C programs.
> >
> > Do you have a utility for this purpose?
> >
> > Regards.

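Since the reply above notes there is no ready tool for disassembling raw bytes, the following is an added example (not code from the thread, from bpftool or from syzkaller) of a minimal decoder for the fixed 8-byte `struct bpf_insn` encoding, rendering the same notation bpftool uses. It covers the ALU/ALU64, LDX memory-load and JMP classes seen in the listing plus the 16-byte `lddw` form; the sample bytes are my own re-encoding of the eight instructions in the listing, not the bytes from the syzkaller repro.

```python
"""Decode raw 64-bit eBPF instructions (struct bpf_insn) into bpftool-style text."""
import struct

# Instruction class lives in the low 3 bits of the opcode byte.
BPF_LDX, BPF_ALU, BPF_JMP, BPF_ALU64 = 0x01, 0x04, 0x05, 0x07
ALU_OPS = {0x00: "+=", 0x10: "-=", 0x20: "*=", 0x30: "/=", 0x40: "|=", 0x50: "&=",
           0x60: "<<=", 0x70: ">>=", 0x90: "%=", 0xa0: "^=", 0xb0: "=", 0xc0: "s>>="}
JMP_OPS = {0x10: "==", 0x20: ">", 0x30: ">=", 0x40: "&", 0x50: "!=", 0x60: "s>",
           0x70: "s>=", 0xa0: "<", 0xb0: "<=", 0xc0: "s<", 0xd0: "s<="}
MEM_SIZE = {0x00: "u32", 0x08: "u16", 0x10: "u8", 0x18: "u64"}

def decode_insn(code, dst, src, off, imm):
    """Render one decoded instruction; returns None for opcodes not handled here."""
    cls, op, use_reg = code & 0x07, code & 0xf0, code & 0x08
    if cls in (BPF_ALU, BPF_ALU64) and op in ALU_OPS:
        r = "r" if cls == BPF_ALU64 else "w"       # 32-bit ALU prints the w-register view
        return f"{r}{dst} {ALU_OPS[op]} {f'{r}{src}' if use_reg else imm}"
    if cls == BPF_LDX and (code & 0xe0) == 0x60:  # BPF_MEM load: dst = *(size *)(src + off)
        return f"r{dst} = *({MEM_SIZE[code & 0x18]} *)(r{src} {off:+d})"
    if cls == BPF_JMP:
        if op == 0x90:
            return "exit"
        if op == 0x00:
            return f"goto pc{off:+d}"
        if op in JMP_OPS:
            return f"if r{dst} {JMP_OPS[op]} {f'r{src}' if use_reg else hex(imm)} goto pc{off:+d}"
    return None

def disassemble(blob):
    """Walk a blob of little-endian bpf_insn records and list them bpftool-style."""
    if len(blob) % 8:
        raise ValueError("BPF program must be a multiple of 8 bytes")
    insns = [struct.unpack_from("<BBhi", blob, o) for o in range(0, len(blob), 8)]
    out, i = [], 0
    while i < len(insns):
        code, regs, off, imm = insns[i]
        dst, src = regs & 0x0f, regs >> 4         # dst_reg is the low nibble, src_reg the high
        if code == 0x18 and i + 1 < len(insns):   # lddw: 16-byte insn, imm64 split over two slots
            text, step = f"r{dst} = {((insns[i + 1][3] & 0xffffffff) << 32 | imm & 0xffffffff):#x}", 2
        else:
            text, step = decode_insn(code, dst, src, off, imm) or f"<unhandled {code:#04x}>", 1
        out.append(f"{i:4d}: ({code:02x}) {text}")
        i += step
    return out

# Constructed sample: my own re-encoding of the 8 instructions in the bpftool listing above.
SAMPLE = bytes.fromhex(
    "bf16000000000000" "6967b00000000000" "b408000000000000" "4408000002000000"
    "b700000001000000" "5508010002000000" "b700000000000000" "9500000000000000")
```

Running `print("\n".join(disassemble(SAMPLE)))` reproduces the eight lines of the `bpftool prog dump xlated` output. Keep in mind that the xlated dump shows the program after the verifier's rewrites, so it will not always match the raw bytes handed to bpf(2) instruction for instruction.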