mathieu.desnoyers at efficios.com
Mon Mar 27 08:27:01 EDT 2023
On 2023-03-26 11:00, yashvardhan kukreti wrote:
> Hi Mathew,
> I have a question about this patch for lttng-modules and the use of
> register_kprobe() to fetch the function ptr.
> The question in this regard is especially from PPC64 ELF_ABI_v1
> The functions on PPC64 are accessed via the Function descriptor
> while what register_kprobes returns is the entry point of the function.
> Hence using the return pointer tends to interpret the addr as the
> address of the function descriptor and dereferences the ppc_inst as
> the function entry point and crashes
> [ 4145.483594] kernel tried to execute exec-protected page
> (7c0802a6fb81ffe0) - exploit attempt? (uid: 0)
> here 7c0802a6 is the mfspr instruction from the code text section of
> the kallsyms_lookup_name()
> note for PPC_ELF_ABI_v1 the register_kprobes() searches for the dot
> variant of the symbol and only in case if cannot find the dot
> variant looks for the normal symbol.
> register_kprobe() -> kprobe_addr() -> kprobe_lookup_name() [arch
> variant replaces weak symbol]
> https://elixir.bootlin.com/linux/v5.10.174/C/ident/kprobe_lookup_name
> Please let me know if I make sense or that I may have missed something.
> I have looked at the code of 2.12.8 as well and 2.12.3 version of
Please have a look at commits (from stable-2.12 branch of lttng-modules):
Author: He Zhe <zhe.he at windriver.com>
Date: Tue Sep 27 15:59:42 2022 +0800
wrapper: powerpc64: fix kernel crash caused by do_get_kallsyms
Author: Michael Jeanson <mjeanson at efficios.com>
Date: Thu Nov 24 14:25:33 2022 -0500
fix: kallsyms wrapper on ppc64el
I suspect you'll also need this change currently in review:
Please let us know if especially this last change fixes things on your side.