Re: [RFC PATCH v2 1/4] arm64: Implement infrastructure for stack trace reliability checks

From: Madhavan T. Venkataraman
Date: Thu Apr 08 2021 - 19:30:26 EST

Next message: pr-tracker-bot: "Re: [GIT PULL] Please pull RDMA subsystem changes"
Previous message: Kees Cook: "[PATCH] LoadPin: Allow filesystem switch when not enforcing"
In reply to: Madhavan T. Venkataraman: "Re: [RFC PATCH v2 1/4] arm64: Implement infrastructure for stack trace reliability checks"
Next in thread: Mark Brown: "Re: [RFC PATCH v2 1/4] arm64: Implement infrastructure for stack trace reliability checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/8/21 2:30 PM, Madhavan T. Venkataraman wrote:
>
>
> On 4/8/21 12:17 PM, Mark Brown wrote:
>> On Mon, Apr 05, 2021 at 03:43:10PM -0500, madvenka@xxxxxxxxxxxxxxxxxxx wrote:
>>
>>> These checks will involve checking the return PC to see if it falls inside
>>> any special functions where the stack trace is considered unreliable.
>>> Implement the infrastructure needed for this.
>>
>> Following up again based on an off-list discussion with Mark Rutland:
>> while I think this is a reasonable implementation for specifically
>> listing functions that cause problems we could make life easier for
>> ourselves by instead using annotations at the call sites to put things
>> into sections which indicate that they're unsafe for unwinding, we can
>> then check for any address in one of those sections (or possibly do the
>> reverse and check for any address in a section we specifically know is
>> safe) rather than having to enumerate problematic functions in the
>> unwinder. This also has the advantage of not having a list that's
>> separate to the functions themselves so it's less likely that the
>> unwinder will get out of sync with the rest of the code as things evolve.
>>
>> We already have SYM_CODE_START() annotations in the code for assembly
>> functions that aren't using the standard calling convention which should
>> help a lot here, we could add a variant of that for things that we know
>> are safe on stacks (like those we expect to find at the bottom of
>> stacks).
>>
>
> As I already mentioned before, I like the idea of sections. The only reason that I did
> not try it was that I have to address FTRACE trampolines and the kretprobe_trampoline
> (and optprobes in the future).
>
> I have the following options:
>
> 1. Create a common section (I will have to come up with an appropriate name) and put
> all such functions in that one section.
>
> 2. Create one section for each logical type (exception section, ftrace section and
> kprobe section) or some such.
>

For now, I will start with idea 2. I will create a special section for each class of
functions (EL1 exception handlers, FTRACE trampolines, KPROBE trampolines). Instead of a
special functions array, I will implement a special_sections array. The rest of the code
should just fall into place.

Let me know if you prefer something different.

Thanks.

Madhavan

> 3. Use the section idea only for the el1 exceptions. For the others use the current
> special_functions[] approach.
>
> Which one do you and Mark Rutland prefer? Or, is there another choice?
>
> Madhavan
>

Next message: pr-tracker-bot: "Re: [GIT PULL] Please pull RDMA subsystem changes"
Previous message: Kees Cook: "[PATCH] LoadPin: Allow filesystem switch when not enforcing"
In reply to: Madhavan T. Venkataraman: "Re: [RFC PATCH v2 1/4] arm64: Implement infrastructure for stack trace reliability checks"
Next in thread: Mark Brown: "Re: [RFC PATCH v2 1/4] arm64: Implement infrastructure for stack trace reliability checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]