Commit 96ae5227 authored by Sargun Dhillon's avatar Sargun Dhillon Committed by David S. Miller
Browse files

bpf: Add bpf_probe_write_user BPF helper to be called in tracers 



This allows user memory to be written to during the course of a kprobe.
It shouldn't be used to implement any kind of security mechanism
because of TOC-TOU attacks, but rather to debug, divert, and
manipulate execution of semi-cooperative processes.

Although it uses probe_kernel_write, we limit the address space
the probe can write into by checking the space with access_ok.
We do this as opposed to calling copy_to_user directly, in order
to avoid sleeping. In addition we ensure the threads's current fs
/ segment is USER_DS and the thread isn't exiting nor a kernel thread.

Given this feature is meant for experiments, and it has a risk of
crashing the system, and running programs, we print a warning on
when a proglet that attempts to use this helper is installed,
along with the pid and process name.

Signed-off-by: default avatarSargun Dhillon <sargun@sargun.me>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9b022a6e

include/uapi/linux/bpf.h

+10 −0
Original line number Diff line number Diff line
@@ -365,6 +365,16 @@ enum bpf_func_id { 
	 */

	BPF_FUNC_get_current_task,



	/**

	 * bpf_probe_write_user(void *dst, void *src, int len)

	 * safely attempt to write to a location

	 * @dst: destination address in userspace

	 * @src: source address on stack

	 * @len: number of bytes to copy

	 * Return: 0 on success or negative error

	 */

	BPF_FUNC_probe_write_user,



	__BPF_FUNC_MAX_ID,

};

kernel/trace/bpf_trace.c

+45 −0
Original line number Diff line number Diff line
@@ -81,6 +81,49 @@ static const struct bpf_func_proto bpf_probe_read_proto = { 
	.arg3_type	= ARG_ANYTHING,

};



static u64 bpf_probe_write_user(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)

{

	void *unsafe_ptr = (void *) (long) r1;

	void *src = (void *) (long) r2;

	int size = (int) r3;



	/*

	 * Ensure we're in user context which is safe for the helper to

	 * run. This helper has no business in a kthread.

	 *

	 * access_ok() should prevent writing to non-user memory, but in

	 * some situations (nommu, temporary switch, etc) access_ok() does

	 * not provide enough validation, hence the check on KERNEL_DS.

	 */



	if (unlikely(in_interrupt() ||

		     current->flags & (PF_KTHREAD | PF_EXITING)))

		return -EPERM;

	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))

		return -EPERM;

	if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))

		return -EPERM;



	return probe_kernel_write(unsafe_ptr, src, size);

}



static const struct bpf_func_proto bpf_probe_write_user_proto = {

	.func		= bpf_probe_write_user,

	.gpl_only	= true,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_ANYTHING,

	.arg2_type	= ARG_PTR_TO_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

};



static const struct bpf_func_proto *bpf_get_probe_write_proto(void)

{

	pr_warn_ratelimited("%s[%d] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",

			    current->comm, task_pid_nr(current));



	return &bpf_probe_write_user_proto;

}



/*

 * limited trace_printk()

 * only %d %u %x %ld %lu %lx %lld %llu %llx %p %s conversion specifiers allowed
@@ -362,6 +405,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id) 
		return &bpf_get_smp_processor_id_proto;

	case BPF_FUNC_perf_event_read:

		return &bpf_perf_event_read_proto;

	case BPF_FUNC_probe_write_user:

		return bpf_get_probe_write_proto();

	default:

		return NULL;

	}

samples/bpf/bpf_helpers.h

+2 −0
Original line number Diff line number Diff line
@@ -41,6 +41,8 @@ static int (*bpf_perf_event_output)(void *ctx, void *map, int index, void *data, 
	(void *) BPF_FUNC_perf_event_output;

static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =

	(void *) BPF_FUNC_get_stackid;

static int (*bpf_probe_write_user)(void *dst, void *src, int size) =

	(void *) BPF_FUNC_probe_write_user;



/* llvm builtin functions that eBPF C program may use to

 * emit BPF_LD_ABS and BPF_LD_IND instructions

CRA Git | Maintained and supported by SUSTech CRA and CCSE