From: Francis Deslauriers <francis.deslauriers@efficios.com>
To: rostedt@goodmis.org, mhiramat@kernel.org, peterz@infradead.org
Cc: mathieu.desnoyers@efficios.com, linux-kernel@vger.kernel.org,
	Francis Deslauriers <francis.deslauriers@efficios.com>
Subject: [PATCH 0/2] kprobe: Fix: add symbols to kprobe blacklist
Date: Fri, 14 Jul 2017 10:58:33 -0400
Message-ID: <1500044315-9508-1-git-send-email-francis.deslauriers@efficios.com>

Hi all,

While fuzzing the Perf kprobe and kretprobe interfaces, I found some inputs
that trigger crashes of a 4.12 kernel (6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c)
on an x86-64 VM. I know that K(ret)probes can crash the kernel in multiple ways
but should Perf be allowed to do it?

To do this analysis, I used the symbols reported by /proc/kallsyms in
conjunction with the Perf debugfs interface. Using this technique, I was able
to find two instrumentation configurations that could crash the kernel. I am
suggesting changes that fixed both issues for me by blacklisting the symbols in
question.

Kprobe on apic_timer_interrupt:
I believe that this is caused by the fact that kprobe adds an INT3 in an apic
interrupt routine.
How to reproduce:
	echo 'p:event1 apic_timer_interrupt ' > kprobe_events
	<Generate kernel activity. e.g. launch bash>
Crash log:[1]

This can be fixed by blacklisting the apicinterrupt3 symbols directly in the
assembly macro. See patch[1/2]. I am not sure that blacklisting all
apicinterrupt symbols is the right solution.


Kretprobe on ftrace_ops_assist_func and another function:
Those crashes are triggered when hooking a kretprobe on the
ftrace_ops_assist_func symbol and some other functions to make this first
function reachable. From my understanding, ftrace_ops_assist_func is the
function called directly when the kprobe is hit. Thus it should be marked
with NOKPROBE_SYMBOL.

Here are some configurations that can easily reproduce this bug. Those other
functions are called during the fork of a process so they are easy to control.
Enable the following kprobes and launch a process to trigger a fork to see the
kernel crash.

Conf #1
	echo 'r:event1 ftrace_ops_assist_func' > kprobe_events
	echo 'r:event2 clear_all_latency_tracing' > kprobe_events
Crash log:[2]

Conf #2
	echo 'r:event1 ftrace_ops_assist_func' > kprobe_events
	echo 'r:event2 acct_clear_integrals' > kprobe_events
Crash log:[3]

Conf #3
	echo 'r:event1 ftrace_ops_assist_func' > kprobe_events
	echo 'r:event2 arch_dup_task_struct' > kprobe_events
Crash log:[4]

The ftrace_ops_assist_func should be included in the kprobe blacklist using
NOKPROBE_SYMBOL. See patch [2/2].

Since those were found using fuzzing, it's not an exhaustive analysis.
Here is the .config I am using[5].

Thanks,

Francis Deslauriers
EfficiOS inc.


[1]: https://pastebin.com/Mpp9Yzqb
[2]: https://pastebin.com/CtsfzUwG
[3]: https://pastebin.com/txxuJXrz
[4]: https://pastebin.com/8qrJvzD3
[5]: https://pastebin.com/x5q0sgyK

Francis Deslauriers (2):
  kprobe: fix: Add _ASM_NOKPROBE to x86 apic interrupt macro
  kprobe: fix: Add ftrace_ops_assist_func to kprobe blacklist

 arch/x86/entry/entry_64.S | 1 +
 kernel/trace/ftrace.c     | 2 ++
 2 files changed, 3 insertions(+)

-- 
2.7.4
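As an added example, not part of the series or of the kernel's own tooling: a small pre-check that consults the kernel's exported kprobe blacklist (/sys/kernel/debug/kprobes/blacklist, one tab-separated address range and symbol per line) before a tool writes a kprobe_events line, so it never asks to probe a symbol marked NOKPROBE_SYMBOL. The blacklist contents, addresses and the KPROBE_BLACKLIST override variable are constructed for the example.

```shell
#!/bin/sh
# Added example: gate kprobe_events writes on the kernel's kprobe blacklist.
# The kernel rejects blacklisted symbols itself; this is a tooling-side check
# that fails early and reports which symbol was refused.

# Real location of the blacklist; the variable override is an assumption for testing.
BLACKLIST_FILE="${KPROBE_BLACKLIST:-/sys/kernel/debug/kprobes/blacklist}"

# Constructed sample in the layout of the debugfs file. Addresses are placeholders.
SAMPLE_BLACKLIST="$(mktemp)"
printf '0xffffffff81000000-0xffffffff81000020\t%s\n' apic_timer_interrupt >  "$SAMPLE_BLACKLIST"
printf '0xffffffff81100000-0xffffffff81100150\t%s\n' ftrace_ops_assist_func >> "$SAMPLE_BLACKLIST"
printf '0xffffffff81200000-0xffffffff81200040\t%s\n' do_int3 >> "$SAMPLE_BLACKLIST"

# is_blacklisted SYMBOL [FILE]: 0 if SYMBOL is listed, 1 if not, 2 if FILE unreadable.
is_blacklisted() {
    sym=$1
    file=${2:-$BLACKLIST_FILE}
    [ -r "$file" ] || return 2
    # Column 2 (after the tab) is the symbol; exact match only.
    awk -v s="$sym" -F'\t' '$2 == s { found = 1 } END { exit !found }' "$file"
}

# safe_kprobe_event TYPE EVENT SYMBOL [FILE]: prints the kprobe_events line
# (e.g. "r:event2 arch_dup_task_struct") or refuses when SYMBOL is blacklisted.
safe_kprobe_event() {
    type=$1; event=$2; sym=$3; file=${4:-$BLACKLIST_FILE}
    if is_blacklisted "$sym" "$file"; then
        echo "refusing: $sym is in the kprobe blacklist" >&2
        return 1
    fi
    printf '%s:%s %s\n' "$type" "$event" "$sym"
}
```

The printed line is what would be written to kprobe_events; the example deliberately stops short of writing it.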
