Re: [PATCH RFC] bpf: Add support for reading user pointers
From: Alexei Starovoitov
Date: Sun May 05 2019 - 03:20:36 EST
On Thu, May 2, 2019 at 1:50 PM Joel Fernandes (Google)
<joel@xxxxxxxxxxxxxxxxx> wrote:
>
> The eBPF based opensnoop tool fails to read the file path string passed
> to the do_sys_open function. This is because it is a pointer to
> userspace address and causes an -EFAULT when read with
> probe_kernel_read. This is not an issue when running the tool on x86 but
> is an issue on arm64. This patch adds a new bpf function call based
> which calls the recently proposed probe_user_read function [1].
> Using this function call from opensnoop fixes the issue on arm64.
>
> [1] https://lore.kernel.org/patchwork/patch/1051588/
...
> +BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, const void *, unsafe_ptr)
> +{
> + int ret;
> +
> + ret = probe_user_read(dst, unsafe_ptr, size);
> + if (unlikely(ret < 0))
> + memset(dst, 0, size);
> +
> + return ret;
> +}
probe_user_read() doesn't exist in bpf-next
therefore this patch has to wait for the next merge window.
At the same time we would need to introduce
bpf_probe_read_kernel() and introduce a load time warning
for existing bpf_probe_read(), so we can deprecate it eventually.