[lttng-dev] https://lists.lttng.org/pipermail/lttng-dev/2020-May/029631.html

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Mon Mar 27 08:27:01 EDT 2023 

On 2023-03-26 11:00, yashvardhan kukreti wrote:
> 
>     Hi Mathew,
> 
>     I have a question about this patch for lttng-modules and the use of
>     register_kprobe() to fetch the function ptr.
>     The question in this regard is especially from PPC64 ELF_ABI_v1
>     perspective.
> 
>     The functions on PPC64 are accessed via the Function descriptor
>     while what register_kprobes returns is the entry point of the function.
>     Hence using the return pointer tends to interpret the addr as the
>     address of the function descriptor and dereferences the ppc_inst as
>     the function entry point and crashes
> 
>     [ 4145.483594] kernel tried to execute exec-protected page
>     (7c0802a6fb81ffe0) - exploit attempt? (uid: 0)
>     here 7c0802a6 is the mfspr instruction from the code text section of
>     the kallsyms_lookup_name()
> 
>     note for PPC_ELF_ABI_v1 the register_kprobes() searches for the dot
>     variant of the symbol and only in case if cannot find the dot
>     variant looks for the normal symbol.
>     register_kprobe() -> kprobe_addr() -> kprobe_lookup_name() [arch
>     variant replaces weak symbol]
>     https://elixir.bootlin.com/linux/v5.10.174/C/ident/kprobe_lookup_name <https://elixir.bootlin.com/linux/v5.10.174/C/ident/kprobe_lookup_name>
> 
>     Please let me know if i make sense or that i may have missed something.
> 
>     I have looked at the code of 2.12.8 as well and 2.12.3 verstion of
>     lttng-modules.

Please have a look at commits (from stable-2.12 branch of lttng-modules):

commit 53772db24facd84f1f3ddcf21a1ef5f162608721
Author: He Zhe <zhe.he at windriver.com>
Date:   Tue Sep 27 15:59:42 2022 +0800

     wrapper: powerpc64: fix kernel crash caused by do_get_kallsyms

commit 8fe888d86ccad4226b05a536efb73d71bb091062
Author: Michael Jeanson <mjeanson at efficios.com>
Date:   Thu Nov 24 14:25:33 2022 -0500

     fix: kallsyms wrapper on ppc64el

I suspect you'll also need this change currently in review:

https://review.lttng.org/c/lttng-modules/+/9113

Please let us know if especially this last change fixes things on your side.

Thanks,

Mathieu


> 
>     Regards,
>     Shashank
> 

-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

More information about the lttng-dev mailing list