mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 00:50:50 +07:00
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
This allows user memory to be written to during the course of a kprobe. It shouldn't be used to implement any kind of security mechanism because of TOC-TOU attacks, but rather to debug, divert, and manipulate execution of semi-cooperative processes. Although it uses probe_kernel_write, we limit the address space the probe can write into by checking the space with access_ok. We do this as opposed to calling copy_to_user directly, in order to avoid sleeping. In addition we ensure the threads's current fs / segment is USER_DS and the thread isn't exiting nor a kernel thread. Given this feature is meant for experiments, and it has a risk of crashing the system, and running programs, we print a warning on when a proglet that attempts to use this helper is installed, along with the pid and process name. Signed-off-by: Sargun Dhillon <sargun@sargun.me> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
9b022a6e0f
commit
96ae522795
@ -365,6 +365,16 @@ enum bpf_func_id {
|
||||
*/
|
||||
BPF_FUNC_get_current_task,
|
||||
|
||||
/**
|
||||
* bpf_probe_write_user(void *dst, void *src, int len)
|
||||
* safely attempt to write to a location
|
||||
* @dst: destination address in userspace
|
||||
* @src: source address on stack
|
||||
* @len: number of bytes to copy
|
||||
* Return: 0 on success or negative error
|
||||
*/
|
||||
BPF_FUNC_probe_write_user,
|
||||
|
||||
__BPF_FUNC_MAX_ID,
|
||||
};
|
||||
|
||||
|
@ -81,6 +81,49 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
|
||||
.arg3_type = ARG_ANYTHING,
|
||||
};
|
||||
|
||||
static u64 bpf_probe_write_user(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
|
||||
{
|
||||
void *unsafe_ptr = (void *) (long) r1;
|
||||
void *src = (void *) (long) r2;
|
||||
int size = (int) r3;
|
||||
|
||||
/*
|
||||
* Ensure we're in user context which is safe for the helper to
|
||||
* run. This helper has no business in a kthread.
|
||||
*
|
||||
* access_ok() should prevent writing to non-user memory, but in
|
||||
* some situations (nommu, temporary switch, etc) access_ok() does
|
||||
* not provide enough validation, hence the check on KERNEL_DS.
|
||||
*/
|
||||
|
||||
if (unlikely(in_interrupt() ||
|
||||
current->flags & (PF_KTHREAD | PF_EXITING)))
|
||||
return -EPERM;
|
||||
if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
|
||||
return -EPERM;
|
||||
if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))
|
||||
return -EPERM;
|
||||
|
||||
return probe_kernel_write(unsafe_ptr, src, size);
|
||||
}
|
||||
|
||||
static const struct bpf_func_proto bpf_probe_write_user_proto = {
|
||||
.func = bpf_probe_write_user,
|
||||
.gpl_only = true,
|
||||
.ret_type = RET_INTEGER,
|
||||
.arg1_type = ARG_ANYTHING,
|
||||
.arg2_type = ARG_PTR_TO_STACK,
|
||||
.arg3_type = ARG_CONST_STACK_SIZE,
|
||||
};
|
||||
|
||||
static const struct bpf_func_proto *bpf_get_probe_write_proto(void)
|
||||
{
|
||||
pr_warn_ratelimited("%s[%d] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",
|
||||
current->comm, task_pid_nr(current));
|
||||
|
||||
return &bpf_probe_write_user_proto;
|
||||
}
|
||||
|
||||
/*
|
||||
* limited trace_printk()
|
||||
* only %d %u %x %ld %lu %lx %lld %llu %llx %p %s conversion specifiers allowed
|
||||
@ -362,6 +405,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id)
|
||||
return &bpf_get_smp_processor_id_proto;
|
||||
case BPF_FUNC_perf_event_read:
|
||||
return &bpf_perf_event_read_proto;
|
||||
case BPF_FUNC_probe_write_user:
|
||||
return bpf_get_probe_write_proto();
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
|
@ -41,6 +41,8 @@ static int (*bpf_perf_event_output)(void *ctx, void *map, int index, void *data,
|
||||
(void *) BPF_FUNC_perf_event_output;
|
||||
static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =
|
||||
(void *) BPF_FUNC_get_stackid;
|
||||
static int (*bpf_probe_write_user)(void *dst, void *src, int size) =
|
||||
(void *) BPF_FUNC_probe_write_user;
|
||||
|
||||
/* llvm builtin functions that eBPF C program may use to
|
||||
* emit BPF_LD_ABS and BPF_LD_IND instructions
|
||||
|
Loading…
Reference in New Issue
Block a user