author | David S. Miller <davem@davemloft.net> | 2016-07-25 18:07:48 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-07-25 18:07:48 -0700 |
commit | eefc06bd0272264f38f84b10879d3bdb5b5d1ee3 (patch) | |
tree | 17cb747b81a9fce3a7052efc639bbb83488df191 /kernel/trace/bpf_trace.c | |
parent | net/mlx4_core: Check device state before unregistering it (diff) | |
parent | samples/bpf: Add test/example of using bpf_probe_write_user bpf helper (diff) | |
Merge branch 'bpf-probe-write-user'
Sargun Dhillon says:
====================
bpf: add bpf_probe_write_user helper & example
This patch series contains two patches that add support for a probe_write
helper to BPF programs. This allows them to manipulate user memory during
the course of tracing. The second patch in the series has an example that
uses it, in one of the intended ways to divert execution.
Thanks to Alexei Starovoitov, and Daniel Borkmann for being patient, reviewing, and
helping me get familiar with the code base. I've made changes based on their
recommendations.
This helper should be considered for experimental usage and debugging, so we
print a warning to dmesg, along with the command and pid, when someone
tries to install a proglet that uses it. A follow-up patchset will contain a
mechanism to verify the safety of the probe beyond what was done by hand.
----
v1->v2: restrict writing to user space, as opposed to globally v2->v3: Fixed
formatting issues v3->v4: Rename copy_to_user -> bpf_probe_write
Simplify checking of whether or not it's safe to write
Add warnings to dmesg
v4->v5: Raise warning level
Cleanup location of warning code
Make test fail when helper is broken
v5->v6: General formatting cleanup
Rename bpf_probe_write -> bpf_probe_write_user
v6->v7: More formatting cleanup.
Clarifying a few comments
Clarified log message
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/trace/bpf_trace.c')
-rw-r--r-- | kernel/trace/bpf_trace.c | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index a12bbd32c0a6..b20438fdb029 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -81,6 +81,49 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
 .arg3_type = ARG_ANYTHING,
 };
 
+static u64 bpf_probe_write_user(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
+{
+ void *unsafe_ptr = (void *) (long) r1;
+ void *src = (void *) (long) r2;
+ int size = (int) r3;
+
+ /*
+ * Ensure we're in user context which is safe for the helper to
+ * run. This helper has no business in a kthread.
+ *
+ * access_ok() should prevent writing to non-user memory, but in
+ * some situations (nommu, temporary switch, etc) access_ok() does
+ * not provide enough validation, hence the check on KERNEL_DS.
+ */
+
+ if (unlikely(in_interrupt() ||
+ current->flags & (PF_KTHREAD | PF_EXITING)))
+ return -EPERM;
+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ return -EPERM;
+ if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))
+ return -EPERM;
+
+ return probe_kernel_write(unsafe_ptr, src, size);
+}
+
+static const struct bpf_func_proto bpf_probe_write_user_proto = {
+ .func = bpf_probe_write_user,
+ .gpl_only = true,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_ANYTHING,
+ .arg2_type = ARG_PTR_TO_STACK,
+ .arg3_type = ARG_CONST_STACK_SIZE,
+};
+
+static const struct bpf_func_proto *bpf_get_probe_write_proto(void)
+{
+ pr_warn_ratelimited("%s[%d] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",
+ current->comm, task_pid_nr(current));
+
+ return &bpf_probe_write_user_proto;
+}
+
 /*
 * limited trace_printk()
 * only %d %u %x %ld %lu %lx %lld %llu %llx %p %s conversion specifiers allowed
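Review bot: The `pr_warn_ratelimited()` call in `bpf_get_probe_write_proto()` is the only trace this hunk leaves that a program able to write user memory was installed, and rate limiting means a burst of loads can leave some of them unlogged. `current->comm` is set by the task itself, so anyone alerting on this line should key on the pid and the fixed message text rather than on the name. The format string also has no trailing newline; I would end it with `user memory!\n"`. A comment above the function such as `/* Advisory only: rate limited and emitted at helper lookup, not an audit record. */` would keep readers from treating it as one.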
@@ -362,6 +405,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id)
 return &bpf_get_smp_processor_id_proto;
 case BPF_FUNC_perf_event_read:
 return &bpf_perf_event_read_proto;
+ case BPF_FUNC_probe_write_user:
+ return bpf_get_probe_write_proto();
 default:
 return NULL;
 } |
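Review bot: The new `case BPF_FUNC_probe_write_user:` returns through `bpf_get_probe_write_proto()`, which logs as a side effect, while the neighbouring cases return the address of a proto directly; that difference deserves a comment, for example `/* logs a warning: this helper can modify user memory */`. Because the warning is tied to this lookup, it presumably fires whenever the id is resolved, even if the program is later rejected, so it records attempts rather than successful installs. No additional privilege check is visible at this case; if access relies on what the callers of `tracing_func_proto()` already require, the comment should say so. The body of `tracing_func_proto()` extends outside the hunk.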