Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault

From: Steven Rostedt
Date: Tue Feb 19 2019 - 14:03:35 EST


On Tue, 19 Feb 2019 10:43:36 -0800
Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Tue, Feb 19, 2019 at 8:18 AM Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> >
> > > So it would be good to not just say "user or kernel", but actually say
> > > what *kind* of kernel access it expects.
> >
> > Note, kprobes are a different kind of beast. I've used kprobes to probe
> > userspace information as well as kernel. Heck, I could see someone
> > even using kprobes to probe IO memory to check if a device is doing
> > what they expect it's doing.
>
> Note that even if that is the case, you _need_ to special "user vs
> kernel" information.
>
> Because the exact same address might exist in both.
>
> Right now I think that only happens on sparc32, but vendors used to
> have that issue on x86-32 too (if they had the 4G:4G patches).

Hmm, I didn't realize that Linux allowed the same address to be
different depending on being in kernel or user space (learn something
new everyday). I guess it makes sense, and even easier with the switch
of cr3 from user to kernel. And I even knew of 4G:4G, but never used
it, nor put too much thought about its implementation.

>
> > Basically, a kprobe is mostly used for debugging what's happening in a
> > live kernel, to read any address.
>
> My point is that "any address" is not sufficient to begin with. You
> need "kernel or user".
>
> Having a flag for what _kind_ of kernel address is ok might then be
> required for other cases if they might not be ok with following page
> tables to IO space..
>

Good point. Looks like we should add a new flag for kprobe
trace parameters, that tell kprobes if the address is expected to be
user or kernel. That would be good regardless of the duplicate
meanings, as we could use copy_from_user without touching KERNEL_DS, if
the probe argument specifically states "this is user space". For
example, when probing do_sys_open, and you want to read what path string
was passed into the kernel.

Masami, thoughts?

-- Steve