On Sat, Mar 28, 2020 at 5:44 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> +int BPF_PROG(test_int_hook, struct vm_area_struct *vma,
> + unsigned long reqprot, unsigned long prot, int ret)
> +{
> + if (ret != 0)
> + return ret;
> +
> + __u32 pid = bpf_get_current_pid_tgid() >> 32;
> + int is_heap = 0;
> +
> + is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
> + vma->vm_end <= vma->vm_mm->brk);
This test fails for me.
I've added:
bpf_printk("start %llx %llx\n", vma->vm_start, vma->vm_mm->start_brk);
bpf_printk("end %llx %llx\n", vma->vm_end, vma->vm_mm->brk);
and see
cat /sys/kernel/debug/tracing/trace_pipe
true-2285 [001] ...2 858.717432: 0: start 7f66470a2000 607000
true-2285 [001] ...2 858.717440: 0: end 7f6647443000 607000
true-2285 [001] ...2 858.717658: 0: start 7f6647439000 607000
true-2285 [001] ...2 858.717659: 0: end 7f664743f000 607000
true-2285 [001] ...2 858.717691: 0: start 605000 607000
true-2285 [001] ...2 858.717692: 0: end 607000 607000
true-2285 [001] ...2 858.717700: 0: start 7f6647666000 607000
true-2285 [001] ...2 858.717701: 0: end 7f6647668000 607000
test_progs-2283 [000] ...2 858.718030: 0: start 523000 39b9000
test_progs-2283 [000] ...2 858.718033: 0: end 39e0000 39e0000
523000 is not >= 39b9000.
523000 is higher than vm_mm->end_data, but lower than vm_mm->start_brk.
No idea why this addr is passed into security_file_mprotect().
The address user space is passing to mprotect() is 0x39c0000 which is correct.
Could you please help debug?
