The eBPF based opensnoop tool fails to read the file path string passed to the do_sys_open function. This is because it is a pointer to userspace address and causes an -EFAULT when read with probe_kernel_read. This is not an issue when running the tool on x86 but is an issue on arm64. This patch adds a new bpf function call based which calls the recently proposed probe_user_read function [1]. Using this function call from opensnoop fixes the issue on arm64.
[1] https://lore.kernel.org/patchwork/patch/1051588/ Cc: Michal Gregorczyk <[email protected]> Cc: Adrian Ratiu <[email protected]> Cc: Mohammad Husain <[email protected]> Cc: Qais Yousef <[email protected]> Cc: Srinivas Ramana <[email protected]> Cc: duyuchao <[email protected]> Cc: Manjo Raja Rao <[email protected]> Cc: Karim Yaghmour <[email protected]> Cc: Tamir Carmeli <[email protected]> Cc: Yonghong Song <[email protected]> Cc: Alexei Starovoitov <[email protected]> Cc: Brendan Gregg <[email protected]> Cc: Masami Hiramatsu <[email protected]> Cc: Peter Ziljstra <[email protected]> Cc: Andrii Nakryiko <[email protected]> Cc: Steven Rostedt <[email protected]> Cc: Kees Cook <[email protected]> Cc: [email protected] Signed-off-by: Joel Fernandes (Google) <[email protected]> --- Masami, could you carry these patches in the series where are you add probe_user_read function? Previous submissions is here: https://lore.kernel.org/patchwork/patch/1069552/ v1->v2: split tools uapi sync into separate commit, added deprecation warning for old bpf_probe_read function. include/uapi/linux/bpf.h | 9 ++++++++- kernel/trace/bpf_trace.c | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 929c8e537a14..8146784b9fe3 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -2431,6 +2431,12 @@ union bpf_attr { * Return * A **struct bpf_sock** pointer on success, or **NULL** in * case of failure. + * + * int bpf_probe_read_user(void *dst, int size, void *src) + * Description + * Read a userspace pointer safely. + * Return + * 0 on success or negative error */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -2531,7 +2537,8 @@ union bpf_attr { FN(sk_fullsock), \ FN(tcp_sock), \ FN(skb_ecn_set_ce), \ - FN(get_listener_sock), + FN(get_listener_sock), \ + FN(probe_read_user), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index d64c00afceb5..7485deb0777f 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -153,6 +153,26 @@ static const struct bpf_func_proto bpf_probe_read_proto = { .arg3_type = ARG_ANYTHING, }; +BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, const void *, unsafe_ptr) +{ + int ret; + + ret = probe_user_read(dst, unsafe_ptr, size); + if (unlikely(ret < 0)) + memset(dst, 0, size); + + return ret; +} + +static const struct bpf_func_proto bpf_probe_read_user_proto = { + .func = bpf_probe_read_user, + .gpl_only = true, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_UNINIT_MEM, + .arg2_type = ARG_CONST_SIZE_OR_ZERO, + .arg3_type = ARG_ANYTHING, +}; + BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { @@ -571,6 +591,8 @@ tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_map_delete_elem_proto; case BPF_FUNC_probe_read: return &bpf_probe_read_proto; + case BPF_FUNC_probe_read_user: + return &bpf_probe_read_user_proto; case BPF_FUNC_ktime_get_ns: return &bpf_ktime_get_ns_proto; case BPF_FUNC_tail_call: -- 2.21.0.1020.gf2820cf01a-goog
