Re: [PATCH RFC] bpf: Add support for reading user pointers

From: Joel Fernandes
Date: Sun May 05 2019 - 09:34:22 EST


On Sun, May 05, 2019 at 12:19:42AM -0700, Alexei Starovoitov wrote:
> On Thu, May 2, 2019 at 1:50 PM Joel Fernandes (Google)
> <joel@xxxxxxxxxxxxxxxxx> wrote:
> >
> > The eBPF based opensnoop tool fails to read the file path string passed
> > to the do_sys_open function. This is because it is a pointer to
> > userspace address and causes an -EFAULT when read with
> > probe_kernel_read. This is not an issue when running the tool on x86 but
> > is an issue on arm64. This patch adds a new bpf function call based
> > which calls the recently proposed probe_user_read function [1].
> > Using this function call from opensnoop fixes the issue on arm64.
> >
> > [1] https://lore.kernel.org/patchwork/patch/1051588/
> ...
> > +BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, const void *, unsafe_ptr)
> > +{
> > + int ret;
> > +
> > + ret = probe_user_read(dst, unsafe_ptr, size);
> > + if (unlikely(ret < 0))
> > + memset(dst, 0, size);
> > +
> > + return ret;
> > +}
>
> probe_user_read() doesn't exist in bpf-next
> therefore this patch has to wait for the next merge window.
> At the same time we would need to introduce
> bpf_probe_read_kernel() and introduce a load time warning
> for existing bpf_probe_read(), so we can deprecate it eventually.

Ok I will update it accordingly. Agreed. thanks,

- Joel