From: Masami Hiramatsu <mhiramat@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
David Miller <davem@davemloft.net>,
Masami Hiramatsu <mhiramat@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Andy Lutomirski <luto@amacapital.net>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
stable <stable@vger.kernel.org>,
Changbin Du <changbin.du@gmail.com>, Jann Horn <jannh@google.com>,
Kees Cook <keescook@chromium.org>,
Andrew Lutomirski <luto@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Netdev <netdev@vger.kernel.org>,
bpf@vger.kernel.org
Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault
Date: Sat, 23 Feb 2019 13:51:26 +0900 [thread overview]
Message-ID: <20190223135126.1722237ffda9c50e66fff135@kernel.org> (raw)
In-Reply-To: <20190222235618.dxewmv5dukltaoxl@ast-mbp.dhcp.thefacebook.com>
On Fri, 22 Feb 2019 15:56:20 -0800
Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
> On Fri, Feb 22, 2019 at 03:16:35PM -0800, Linus Torvalds wrote:
> >
> > So a kernel pointer value of 0x12345678 could be a value kernel
> > pointer pointing to some random kmalloc'ed kernel memory, and a user
> > pointer value of 0x12345678 could be a valid _user_ pointer pointing
> > to some user mapping.
> >
> > See?
> >
> > If you access a user pointer, you need to use a user accessor function
> > (eg "get_user()"), while if you access a kernel pointer you need to
> > just dereference it directly (unless you can't trust it, in which case
> > you need to use a _different_ accessor function).
>
> that was clear already.
> Reading 0x12345678 via probe_kernel_read can return valid value
> and via get_user() can return another valid value on _some_ architectures.
>
> > The fact that user and kernel pointers happen to be distinct on x86-64
> > (right now) is just a random implementation detail.
>
> yes and my point that people already rely on this implementation detail.
> Say we implement
> int bpf_probe_read(void *val, void *unsafe_ptr)
> {
> if (probe_kernel_read(val, unsafe_ptr) == OK) {
> return 0;
> } else (get_user(val, unsafe_ptr) == OK) {
> return 0;
> } else {
> *val = 0;
> return -EFAULT;
> }
> }
Note that we can not use get_user() form kprobe handler. If you use it,
you have to prepare fault_handler() and make bpf itself can be aborted.
So, maybe you can use probe_user_read().
Hmm, however, it still doesn't work correctly on "some" architecture,
since whether a pointer (address) points user-space or kernel-space
depends on the context. In kprobe/bpf, the context means where you
put the probe and which pointer you record.
I think only "__user" tag tells us which one is user-space. But
unfortunately, that "__user" tag is only for compiler or checker, not
for runtime binary. Such useful attribute goes away when we execute it.
So, even if we introduce "ustring", ftrace/perf users has to decide to use
it by themselves. As far as I know, DWARF(debuginfo) also doesn't have
that attribute. So perf-probe can not help it from debuginfo.
(Maybe if we introduce C parser, it might be detected...)
> It will preserve existing bpf_probe_read() behavior on x86.
> If x86 implementation changes tomorrow then progs that read user
> addresses may start failing randomly because first probe_kernel_read()
> will be returning random values from kernel memory and that's no good,
> but at least we won't be breaking them today, so we have time to
> introduce bpf_user_read and bpf_kernel_read and folks have time to adopt them.
I see. I think bpf also has to introduce new bpf_probe_read_user() and
keep bpf_probe_read() for kernel dataa only.
> Imo that's much better than making current bpf_probe_read() fail
> on user addresses today and not providing a non disruptive path forward.
Agreed.
Thank you,
--
Masami Hiramatsu <mhiramat@kernel.org>
next prev parent reply other threads:[~2019-02-23 4:51 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 17:47 [PATCH 0/2 v2] [GIT PULL (take two)] tracing: Two more fixes Steven Rostedt
2019-02-15 17:47 ` [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault Steven Rostedt
2019-02-15 17:55 ` Linus Torvalds
2019-02-15 22:15 ` Steven Rostedt
2019-02-15 23:49 ` Andy Lutomirski
2019-02-16 0:19 ` Steven Rostedt
2019-02-16 1:32 ` Andy Lutomirski
2019-02-16 2:08 ` Steven Rostedt
2019-02-16 2:14 ` Andy Lutomirski
2019-02-16 2:21 ` Steven Rostedt
2019-02-18 17:58 ` Linus Torvalds
2019-02-18 18:23 ` Linus Torvalds
2019-02-19 16:18 ` Steven Rostedt
2019-02-19 18:43 ` Linus Torvalds
2019-02-19 19:03 ` Steven Rostedt
2019-02-20 8:10 ` Masami Hiramatsu
2019-02-20 13:57 ` Jann Horn
2019-02-20 14:47 ` Steven Rostedt
2019-02-20 15:08 ` Masami Hiramatsu
2019-02-20 14:49 ` Steven Rostedt
2019-02-20 16:04 ` Masami Hiramatsu
2019-02-20 16:42 ` Steven Rostedt
2019-02-21 7:37 ` Masami Hiramatsu
2019-02-22 8:27 ` Masami Hiramatsu
2019-02-22 8:35 ` Masami Hiramatsu
2019-02-22 17:43 ` Linus Torvalds
2019-02-22 17:48 ` Andy Lutomirski
2019-02-22 18:28 ` Linus Torvalds
2019-02-22 19:52 ` Andy Lutomirski
2019-02-22 19:27 ` Alexei Starovoitov
2019-02-22 19:30 ` Steven Rostedt
2019-02-22 19:34 ` Alexei Starovoitov
2019-02-22 19:39 ` Steven Rostedt
2019-02-22 19:55 ` Andy Lutomirski
2019-02-22 21:43 ` Jann Horn
2019-02-22 22:08 ` Nadav Amit
2019-02-22 22:17 ` Jann Horn
2019-02-22 22:21 ` Nadav Amit
2019-02-22 22:39 ` Nadav Amit
2019-02-22 23:02 ` Jann Horn
2019-02-22 23:22 ` Nadav Amit
2019-02-22 23:59 ` Andy Lutomirski
2019-02-23 0:03 ` Alexei Starovoitov
2019-02-23 0:15 ` Nadav Amit
2019-02-24 19:35 ` Andy Lutomirski
2019-02-25 13:36 ` Masami Hiramatsu
2019-02-22 21:20 ` Linus Torvalds
2019-02-22 21:38 ` David Miller
2019-02-22 21:59 ` Linus Torvalds
2019-02-22 22:51 ` Alexei Starovoitov
2019-02-22 23:11 ` Jann Horn
2019-02-22 23:16 ` David Miller
2019-02-22 23:16 ` Linus Torvalds
2019-02-22 23:56 ` Alexei Starovoitov
2019-02-23 0:08 ` Linus Torvalds
2019-02-23 2:28 ` Alexei Starovoitov
2019-02-23 2:32 ` Linus Torvalds
2019-02-23 3:02 ` Steven Rostedt
2019-02-23 4:51 ` Masami Hiramatsu [this message]
2019-02-26 3:57 ` Christoph Hellwig
2019-02-26 15:24 ` Joel Fernandes
2019-02-28 12:29 ` Masami Hiramatsu
2019-02-28 15:18 ` Joel Fernandes
2019-02-23 3:47 ` Masami Hiramatsu
2019-02-24 0:44 ` Steven Rostedt
2019-02-24 4:38 ` Andy Lutomirski
2019-02-24 15:17 ` Masami Hiramatsu
2019-02-24 17:26 ` Linus Torvalds
2019-02-25 2:40 ` Masami Hiramatsu
2019-02-25 4:49 ` Andy Lutomirski
2019-02-25 8:09 ` Masami Hiramatsu
2019-02-25 16:40 ` Steven Rostedt
2019-02-26 1:35 ` Masami Hiramatsu
2019-02-25 8:33 ` Peter Zijlstra
2019-02-25 14:52 ` Peter Zijlstra
2019-02-25 16:48 ` Kees Cook
2019-02-25 16:58 ` Andy Lutomirski
2019-02-25 17:07 ` Kees Cook
2019-02-21 7:52 ` Masami Hiramatsu
2019-02-21 14:36 ` Steven Rostedt
2019-02-21 15:58 ` Masami Hiramatsu
2019-02-21 16:16 ` Masami Hiramatsu
2019-02-21 16:32 ` Steven Rostedt
2019-02-23 14:48 ` Masami Hiramatsu
2019-02-15 17:47 ` [PATCH 2/2 v2] tracing: Fix number of entries in trace header Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190223135126.1722237ffda9c50e66fff135@kernel.org \
--to=mhiramat@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=changbin.du@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).