Commit 74bb0f0c authored by Andrii Nakryiko

Merge branch 'Fix the incorrect register read for syscalls on x86_64'

Kenta Tada says:

====================
Currently, rcx is read as the fourth parameter of a syscall on x86_64,
but the x86_64 Linux system call convention actually uses r10.
This commit adds a wrapper for users who want to access
syscall params to analyze user space.

Changelog:
----------
v1 -> v2:
- Rebase to current bpf-next
https://lore.kernel.org/bpf/20211222213924.1869758-1-andrii@kernel.org/

v2 -> v3:
- Modify the definition of SYSCALL macros for only targeted archs.
- Define __BPF_TARGET_MISSING variants for completeness.
- Remove CORE variants. These macros will not be used.
- Add a selftest.

v3 -> v4:
- Modify a selftest not to use serial tests.
- Modify a selftest to use ASSERT_EQ().
- Extract syscall wrapper for all the other tests.
- Add CORE variants.

v4 -> v5:
- Modify the CORE variant macro not to read memory directly.
- Remove the unnecessary comment.
- Add a selftest for the CORE variant.
====================
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
parents fc763870 77fc0330
...@@ -70,6 +70,7 @@ ...@@ -70,6 +70,7 @@
#define __PT_PARM2_REG si #define __PT_PARM2_REG si
#define __PT_PARM3_REG dx #define __PT_PARM3_REG dx
#define __PT_PARM4_REG cx #define __PT_PARM4_REG cx
#define __PT_PARM4_REG_SYSCALL r10 /* syscall uses r10 */
#define __PT_PARM5_REG r8 #define __PT_PARM5_REG r8
#define __PT_RET_REG sp #define __PT_RET_REG sp
#define __PT_FP_REG bp #define __PT_FP_REG bp
...@@ -99,6 +100,7 @@ ...@@ -99,6 +100,7 @@
#define __PT_PARM2_REG rsi #define __PT_PARM2_REG rsi
#define __PT_PARM3_REG rdx #define __PT_PARM3_REG rdx
#define __PT_PARM4_REG rcx #define __PT_PARM4_REG rcx
#define __PT_PARM4_REG_SYSCALL r10 /* syscall uses r10 */
#define __PT_PARM5_REG r8 #define __PT_PARM5_REG r8
#define __PT_RET_REG rsp #define __PT_RET_REG rsp
#define __PT_FP_REG rbp #define __PT_FP_REG rbp
...@@ -263,6 +265,26 @@ struct pt_regs; ...@@ -263,6 +265,26 @@ struct pt_regs;
#endif #endif
#define PT_REGS_PARM1_SYSCALL(x) PT_REGS_PARM1(x)
#define PT_REGS_PARM2_SYSCALL(x) PT_REGS_PARM2(x)
#define PT_REGS_PARM3_SYSCALL(x) PT_REGS_PARM3(x)
#ifdef __PT_PARM4_REG_SYSCALL
#define PT_REGS_PARM4_SYSCALL(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG_SYSCALL)
#else /* __PT_PARM4_REG_SYSCALL */
#define PT_REGS_PARM4_SYSCALL(x) PT_REGS_PARM4(x)
#endif
#define PT_REGS_PARM5_SYSCALL(x) PT_REGS_PARM5(x)
#define PT_REGS_PARM1_CORE_SYSCALL(x) PT_REGS_PARM1_CORE(x)
#define PT_REGS_PARM2_CORE_SYSCALL(x) PT_REGS_PARM2_CORE(x)
#define PT_REGS_PARM3_CORE_SYSCALL(x) PT_REGS_PARM3_CORE(x)
#ifdef __PT_PARM4_REG_SYSCALL
#define PT_REGS_PARM4_CORE_SYSCALL(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM4_REG_SYSCALL)
#else /* __PT_PARM4_REG_SYSCALL */
#define PT_REGS_PARM4_CORE_SYSCALL(x) PT_REGS_PARM4_CORE(x)
#endif
#define PT_REGS_PARM5_CORE_SYSCALL(x) PT_REGS_PARM5_CORE(x)
#else /* defined(bpf_target_defined) */ #else /* defined(bpf_target_defined) */
#define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) #define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
...@@ -290,6 +312,18 @@ struct pt_regs; ...@@ -290,6 +312,18 @@ struct pt_regs;
#define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) #define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM1_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM2_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM3_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM4_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM5_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM1_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM2_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM3_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM4_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#define PT_REGS_PARM5_CORE_SYSCALL(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
#endif /* defined(bpf_target_defined) */ #endif /* defined(bpf_target_defined) */
#ifndef ___bpf_concat #ifndef ___bpf_concat
......
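Review bot: The new `PT_REGS_PARMn_SYSCALL` family starting at `#define PT_REGS_PARM1_SYSCALL(x)` has no comment saying what `x` must be or how the non-CORE form may be used, and `/* syscall uses r10 */` does not say why. The non-CORE `PT_REGS_PARM4_SYSCALL(x)` expands to a plain member access, and the selftest in this commit only ever takes its address and hands it to `bpf_probe_read_kernel()`, so that usage constraint should be written down next to the macro. Syscall-argument tracing is commonly used for auditing and detection, where a caller that keeps using `PT_REGS_PARM4` on a syscall probe silently records rcx instead of the real fourth argument. I would add above the block `/* Syscall arguments: x is the pt_regs of the syscall itself; on x86_64 the syscall instruction overwrites rcx, so argument 4 lives in r10. */` and `/* Non-CORE forms are member accesses: when x is not the program's ctx, read them via bpf_probe_read_kernel() or use the _CORE_ forms. */`.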
// SPDX-License-Identifier: GPL-2.0
/* Copyright 2022 Sony Group Corporation */
#include <sys/prctl.h>
#include <test_progs.h>
#include "bpf_syscall_macro.skel.h"
void test_bpf_syscall_macro(void)
{
struct bpf_syscall_macro *skel = NULL;
int err;
int exp_arg1 = 1001;
unsigned long exp_arg2 = 12;
unsigned long exp_arg3 = 13;
unsigned long exp_arg4 = 14;
unsigned long exp_arg5 = 15;
/* check whether it can open program */
skel = bpf_syscall_macro__open();
if (!ASSERT_OK_PTR(skel, "bpf_syscall_macro__open"))
return;
skel->rodata->filter_pid = getpid();
/* check whether it can load program */
err = bpf_syscall_macro__load(skel);
if (!ASSERT_OK(err, "bpf_syscall_macro__load"))
goto cleanup;
/* check whether it can attach kprobe */
err = bpf_syscall_macro__attach(skel);
if (!ASSERT_OK(err, "bpf_syscall_macro__attach"))
goto cleanup;
/* check whether args of syscall are copied correctly */
prctl(exp_arg1, exp_arg2, exp_arg3, exp_arg4, exp_arg5);
ASSERT_EQ(skel->bss->arg1, exp_arg1, "syscall_arg1");
ASSERT_EQ(skel->bss->arg2, exp_arg2, "syscall_arg2");
ASSERT_EQ(skel->bss->arg3, exp_arg3, "syscall_arg3");
/* it cannot copy arg4 when uses PT_REGS_PARM4 on x86_64 */
#ifdef __x86_64__
ASSERT_NEQ(skel->bss->arg4_cx, exp_arg4, "syscall_arg4_from_cx");
#else
ASSERT_EQ(skel->bss->arg4_cx, exp_arg4, "syscall_arg4_from_cx");
#endif
ASSERT_EQ(skel->bss->arg4, exp_arg4, "syscall_arg4");
ASSERT_EQ(skel->bss->arg5, exp_arg5, "syscall_arg5");
/* check whether args of syscall are copied correctly for CORE variants */
ASSERT_EQ(skel->bss->arg1_core, exp_arg1, "syscall_arg1_core_variant");
ASSERT_EQ(skel->bss->arg2_core, exp_arg2, "syscall_arg2_core_variant");
ASSERT_EQ(skel->bss->arg3_core, exp_arg3, "syscall_arg3_core_variant");
/* it cannot copy arg4 when uses PT_REGS_PARM4_CORE on x86_64 */
#ifdef __x86_64__
ASSERT_NEQ(skel->bss->arg4_core_cx, exp_arg4, "syscall_arg4_from_cx_core_variant");
#else
ASSERT_EQ(skel->bss->arg4_core_cx, exp_arg4, "syscall_arg4_from_cx_core_variant");
#endif
ASSERT_EQ(skel->bss->arg4_core, exp_arg4, "syscall_arg4_core_variant");
ASSERT_EQ(skel->bss->arg5_core, exp_arg5, "syscall_arg5_core_variant");
cleanup:
bpf_syscall_macro__destroy(skel);
}
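Review bot: The `prctl(exp_arg1, exp_arg2, exp_arg3, exp_arg4, exp_arg5);` call drops its return value and uses unexplained magic values, so a reader cannot tell that the call is only a trigger for the kprobe. 1001 does not look like a defined prctl option, so the call presumably fails after entering the syscall, which is all the probe needs; a comment such as `/* 1001 is not a valid prctl option: the call fails, but entering the syscall is enough to fire the kprobe */` would make that intent explicit. Next to the two `#ifdef __x86_64__` branches it is also worth noting that `ASSERT_NEQ` on `arg4_cx` and `arg4_core_cx` would pass on a still-zero value if the probe never ran, and that the surrounding `ASSERT_EQ` checks are what prove it fired.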
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __BPF_MISC_H__
#define __BPF_MISC_H__
#if defined(__TARGET_ARCH_x86)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__x64_"
#elif defined(__TARGET_ARCH_s390)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__s390x_"
#elif defined(__TARGET_ARCH_arm64)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__arm64_"
#else
#define SYSCALL_WRAPPER 0
#define SYS_PREFIX ""
#endif
#endif
// SPDX-License-Identifier: GPL-2.0
/* Copyright 2022 Sony Group Corporation */
#include <vmlinux.h>
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include "bpf_misc.h"
int arg1 = 0;
unsigned long arg2 = 0;
unsigned long arg3 = 0;
unsigned long arg4_cx = 0;
unsigned long arg4 = 0;
unsigned long arg5 = 0;
int arg1_core = 0;
unsigned long arg2_core = 0;
unsigned long arg3_core = 0;
unsigned long arg4_core_cx = 0;
unsigned long arg4_core = 0;
unsigned long arg5_core = 0;
const volatile pid_t filter_pid = 0;
SEC("kprobe/" SYS_PREFIX "sys_prctl")
int BPF_KPROBE(handle_sys_prctl)
{
struct pt_regs *real_regs;
pid_t pid = bpf_get_current_pid_tgid() >> 32;
if (pid != filter_pid)
return 0;
real_regs = (struct pt_regs *)PT_REGS_PARM1(ctx);
/* test for PT_REGS_PARM */
bpf_probe_read_kernel(&arg1, sizeof(arg1), &PT_REGS_PARM1_SYSCALL(real_regs));
bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(real_regs));
bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(real_regs));
bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(real_regs));
bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(real_regs));
bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(real_regs));
/* test for the CORE variant of PT_REGS_PARM */
arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs);
arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs);
arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs);
arg4_core_cx = PT_REGS_PARM4_CORE(real_regs);
arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs);
arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs);
return 0;
}
char _license[] SEC("license") = "GPL";
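Review bot: `real_regs = (struct pt_regs *)PT_REGS_PARM1(ctx);` is unconditional, but it is only correct where the syscall entry point is a wrapper that takes a `struct pt_regs *`. bpf_misc.h, added in this same commit and included here, sets `SYSCALL_WRAPPER` to 0 and `SYS_PREFIX` to `""` for every other target; there the probe attaches to `sys_prctl` directly, and `PT_REGS_PARM1(ctx)` is presumably the prctl option rather than a pointer, while the user-space test still expects `ASSERT_EQ` to hold in its `#else` branches. Selecting the register set from the macro that is already in scope would cover both cases: `real_regs = SYSCALL_WRAPPER ? (struct pt_regs *)PT_REGS_PARM1(ctx) : ctx;`.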
...@@ -7,20 +7,7 @@ ...@@ -7,20 +7,7 @@
#include <bpf/bpf_helpers.h> #include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h> #include <bpf/bpf_tracing.h>
#include "bpf_misc.h"
#if defined(__TARGET_ARCH_x86)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__x64_"
#elif defined(__TARGET_ARCH_s390)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__s390x_"
#elif defined(__TARGET_ARCH_arm64)
#define SYSCALL_WRAPPER 1
#define SYS_PREFIX "__arm64_"
#else
#define SYSCALL_WRAPPER 0
#define SYS_PREFIX ""
#endif
static struct sockaddr_in old; static struct sockaddr_in old;
......