Re: [PATCH] perf: Allow restricted kernel breakpoints on user addresses

From: Marco Elver
Date: Wed Sep 07 2022 - 03:41:33 EST


On Tue, 6 Sept 2022 at 22:38, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>
> On Fri, Sep 02, 2022 at 12:00:57PM +0200, Marco Elver wrote:
> > Allow the creation of restricted breakpoint perf events that also fire
> > in the kernel (!exclude_kernel), if:
> >
> > 1. No sample information is requested; samples may contain IPs,
> > registers, or other information that may disclose kernel addresses.
> >
> > 2. The breakpoint (viz. data watchpoint) is on a user address.
> >
> > The rules constrain the allowable perf events such that no sensitive
> > kernel information can be disclosed.
> >
> > Despite no explicit kernel information disclosure, the following
> > questions may need answers:
> >
> > 1. Is obtaining information that the kernel accessed a particular
> > user's known memory location revealing new information?
> > Given the kernel's user space ABI, there should be no "surprise
> > accesses" to user space memory in the first place.
> >
> > 2. Does causing breakpoints on user memory accesses by the kernel
> > potentially impact timing in a sensitive way?
> > Since hardware breakpoints trigger regardless of the state of
> > perf_event_attr::exclude_kernel, but are filtered in the perf
> > subsystem, this possibility already exists independent of the
> > proposed change.
> >
>
> Changelog forgot to tell us why you want this :-)

Oops.

> I don't see any immediate concerns, but it's late so who knows..

Similar motivation to
https://lore.kernel.org/all/20210408103605.1676875-1-elver@xxxxxxxxxx/:
Low-overhead error detectors that rely on detecting memory access via
breakpoints/watchpoints. For example for race detection, but also
things like data flow tracking.

By allowing in-kernel breakpoints on user addresses, we can detect
bugs that involve kernel accesses (e.g. for race detector, racy
read/write vs. syscall somewhere; or tracking data flow through
kernel).

Shall I go and send v2 with some motivation?

Thanks,
-- Marco
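The two rules from the changelog, shown from the user-space side as an added example; it is not code from this thread or from the patch. `make_watchpoint`, `is_restricted_kernel_bp` and `ASSUMED_USER_ADDR_MAX` are hypothetical names, the address limit assumes the x86-64 split, and treating "no sample information" as `sample_type == 0` is a simplification.

```c
#include <linux/hw_breakpoint.h>
#include <linux/perf_event.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: x86-64 user/kernel split; the real boundary is arch-specific. */
#define ASSUMED_USER_ADDR_MAX 0x00007fffffffffffULL

/* Build an 8-byte data watchpoint on addr that also fires on kernel accesses. */
static struct perf_event_attr make_watchpoint(uint64_t addr, uint64_t sample_type)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_BREAKPOINT;
    attr.size = sizeof(attr);
    attr.bp_type = HW_BREAKPOINT_RW;
    attr.bp_addr = addr;
    attr.bp_len = HW_BREAKPOINT_LEN_8;
    attr.sample_type = sample_type;   /* rule 1 wants this to stay 0 */
    attr.exclude_kernel = 0;          /* the case the changelog is about */
    return attr;
}

/* Hypothetical restatement of the changelog's two rules, not the kernel check. */
static int is_restricted_kernel_bp(const struct perf_event_attr *attr)
{
    uint64_t end = attr->bp_addr + attr->bp_len - 1;  /* last watched byte */
    if (attr->type != PERF_TYPE_BREAKPOINT || attr->exclude_kernel)
        return 0;
    if (attr->sample_type != 0)       /* rule 1: no sample information */
        return 0;
    return end >= attr->bp_addr && end <= ASSUMED_USER_ADDR_MAX;  /* rule 2 */
}

int main(void)
{
    static volatile uint64_t watched;
    struct perf_event_attr attr = make_watchpoint((uint64_t)(uintptr_t)&watched, 0);
    if (!is_restricted_kernel_bp(&attr)) return 1;
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0); /* this thread, any CPU */
    if (fd < 0) { perror("perf_event_open"); return 1; }
    close((int)fd);
    return 0;
}
```

Whether the `perf_event_open` call succeeds for an unprivileged caller depends on the running kernel and its `perf_event_paranoid` setting.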