On 01-Apr 17:09, Alexei Starovoitov wrote:
> On Sat, Mar 28, 2020 at 5:44 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> > +int BPF_PROG(test_int_hook, struct vm_area_struct *vma,
> > + unsigned long reqprot, unsigned long prot, int ret)
> > +{
> > + if (ret != 0)
> > + return ret;
> > +
> > + __u32 pid = bpf_get_current_pid_tgid() >> 32;
> > + int is_heap = 0;
> > +
> > + is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
> > + vma->vm_end <= vma->vm_mm->brk);
>
> This test fails for me.
Trying this from bpf/master:
b9258a2cece4 ("slcan: Don't transmit uninitialized stack data in padding")
also from bpf-next/master:
1a323ea5356e ("x86: get rid of 'errret' argument to __get_user_xyz() macross")
and I am unable to reproduce the failure (the output when using bpf/master):
./test_progs -t test_lsm
#70 test_lsm:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
cat /sys/kernel/debug/tracing/trace
# tracer: nop
#
# entries-in-buffer/entries-written: 10/10 #P:4
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
true-322 [001] ...2 187.127231: 0: start 7fc7ffccc000 556a623be000
true-322 [001] ...2 187.127238: 0: end 7fc7ffe8c000 556a623be000
true-322 [001] ...2 187.128233: 0: start 7fc7ffe82000 556a623be000
true-322 [001] ...2 187.128237: 0: end 7fc7ffe88000 556a623be000
true-322 [001] ...2 187.128306: 0: start 556a604f7000 556a623be000
true-322 [001] ...2 187.128309: 0: end 556a604f9000 556a623be000
true-322 [001] ...2 187.128372: 0: start 7fc7ffebf000 556a623be000
true-322 [001] ...2 187.128375: 0: end 7fc7ffec1000 556a623be000
test_progs-321 [000] ...2 187.129952: 0: start 55dc6e8df000 55dc6e8df000
test_progs-321 [000] ...2 187.129955: 0: end 55dc6e906000 55dc6e906000
The full run also works for me:
./test_progs
[...]
#70 test_lsm:OK
#71 test_overhead:OK
#72 tp_attach_query:OK
My config is:
https://gist.githubusercontent.com/sinkap/cb24b955e1b6e6c1dc736054a774fb41/raw/
and the kernel commandline is (on a QEMU VM):
cat /proc/cmdline
console=ttyS0,115200 root=/dev/sda rw nokaslr
Could you share your config and cmdline?
Also, I am wondering if this happens just in the BPF program or also
in the kernel as the other variable I can think of is the compiled
bpf program itself which might be reading a different value thinking
it's vm->vma_start, possible something to do with BTF / CO RE due to a
compiler bug:
Here's the version of clang I am using:
clang version 10.0.0 (https://github.com/llvm/llvm-project.git 2026d7b80a1a5534b5e263683c85aa95e7593b98)
- KP
> I've added:
> bpf_printk("start %llx %llx\n", vma->vm_start, vma->vm_mm->start_brk);
> bpf_printk("end %llx %llx\n", vma->vm_end, vma->vm_mm->brk);
> and see
> cat /sys/kernel/debug/tracing/trace_pipe
> true-2285 [001] ...2 858.717432: 0: start 7f66470a2000 607000
> true-2285 [001] ...2 858.717440: 0: end 7f6647443000 607000
> true-2285 [001] ...2 858.717658: 0: start 7f6647439000 607000
> true-2285 [001] ...2 858.717659: 0: end 7f664743f000 607000
> true-2285 [001] ...2 858.717691: 0: start 605000 607000
> true-2285 [001] ...2 858.717692: 0: end 607000 607000
> true-2285 [001] ...2 858.717700: 0: start 7f6647666000 607000
> true-2285 [001] ...2 858.717701: 0: end 7f6647668000 607000
> test_progs-2283 [000] ...2 858.718030: 0: start 523000 39b9000
> test_progs-2283 [000] ...2 858.718033: 0: end 39e0000 39e0000
>
> 523000 is not >= 39b9000.
> 523000 is higher than vm_mm->end_data, but lower than vm_mm->start_brk.
> No idea why this addr is passed into security_file_mprotect().
> The address user space is passing to mprotect() is 0x39c0000 which is correct.
> Could you please help debug?
