Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault

From: Steven Rostedt
Date: Wed Feb 20 2019 - 09:49:31 EST


On Wed, 20 Feb 2019 17:10:19 +0900
Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote:

> Let me ensure what you want. So you want to access a "string" in user-space,
> not a data structure? In that case, it is very easy to me. It is enough to
> add a "ustring" type to kprobe events. For example, do_sys_opsn's path
> variable is one example. That will be +0(+0(%si)):ustring, and fetcher
> finally copy the string using strncpy_from_user() instead of
> strncpy_from_unsafe(). (*)

ustring would be good.

>
> But if you consider to access a field in a data-structure in user space,
> it might need some more work (E.g. ioctl's parameter), becase if the __user
> pointer to the data structure is on the memory, we have to dereference
> the address inside kernel using probe_kernel_read(), but after getting
> the data strucutre address, we have to dereference the address with copy_from_user().
> At this moment, we have no such strong syntax...
>
> To solve that, maybe we need to introduce something like "back reference"
> of arguments in the event, e.g.
>
> p somewhere user_data=+0(%si) field_val=+8(\user_data):u32:user
>
> or
>
> p somewhere +0(%si) field_val=+8(\1):u32:user
>
> This ":user" additional suffix tells kprobe events to change fetching method
> to fetch the data by copy_from_user().

What about just adding 'u' to the end of the offset? Say you have a
data structure in kernel space that has a field in user space you want
to reference?


field_val=+8u(+0(%si))

Although, I would say having ways to access current parameters may also
be a nice touch ;-)

-- Steve