!68 [sync] PR-61: 回合补丁，修复ttysnoop.py执行失败问题。

From: @openeuler-sync-bot Reviewed-by: @bitcoffee Signed-off-by: @bitcoffee
2024-12-02 11:11:36 +00:00 · 2024-12-02 11:11:36 +00:00 · b8a53e1c1e
commit b8a53e1c1e
parent 93966f7569 ad5470d3e1
2 changed files with 138 additions and 1 deletions
--- a/backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch
+++ b/backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch
@ -0,0 +1,132 @@
+From ce5c8938c494eb03f0784c6e4ae81507139ca779 Mon Sep 17 00:00:00 2001
+From: yonghong-song <ys114321@gmail.com>
+Date: Tue, 30 Jan 2024 09:13:04 -0800
+Subject: [PATCH 1/1] Fix ttysnoop.py with newer kernels (#4888)
+
+Jerome Marchand reported that ttysnoop.py won't work properly
+with newer kernels (#4884). I did some investigation and found
+that some kernel data structure change caused verification failure.
+The failure is caused by the following:
+  ; kvec  = from->kvec;
+  // R1=ptr_iov_iter()
+  15: (79) r1 = *(u64 *)(r1 +16)        ; R1_w=scalar()
+  ; count = kvec->iov_len;
+  16: (bf) r2 = r1                      ; R1_w=scalar(id=1) R2_w=scalar(id=1)
+  17: (07) r2 += 8                      ; R2_w=scalar()
+  18: (05) goto pc+3
+  ;
+  22: (79) r2 = *(u64 *)(r2 +0)
+  R2 invalid mem access 'scalar'
+
+So basically, loading 'iov_iter + 16' returns a scalar but verifier
+expects it to be a pointer.
+
+In v6.4, we have
+    struct iovec
+    {
+        void __user *iov_base;  /* BSD uses caddr_t (1003.1g requires void *) */
+        __kernel_size_t iov_len; /* Must be size_t (1003.1g) */
+    };
+    struct iov_iter {
+        u8 iter_type;
+        bool copy_mc;
+        bool nofault;
+        bool data_source;
+        bool user_backed;
+        union {
+                size_t iov_offset;
+                int last_offset;
+        };
+        union {
+                struct iovec __ubuf_iovec;
+                struct {
+                        union {
+                                const struct iovec *__iov;
+                                const struct kvec *kvec;
+                                const struct bio_vec *bvec;
+                                struct xarray *xarray;
+                                struct pipe_inode_info *pipe;
+                                void __user *ubuf;
+                        };
+                        size_t count;
+                };
+        };
+        union {
+                unsigned long nr_segs;
+                struct {
+                        unsigned int head;
+                        unsigned int start_head;
+                };
+                loff_t xarray_start;
+        };
+    };
+
+The kernel traversal chain will be
+   "struct iov_iter" -> "struct iovec __ubuf_iovec" -> "void __user *iov_base".
+Since the "iov_base" type is a ptr to void, the kernel considers the
+loaded value as a scalar which caused verification failure.
+
+But for old kernel like 5.19, we do not have this issue.
+    struct iovec
+    {
+        void __user *iov_base;  /* BSD uses caddr_t (1003.1g requires void *) */
+        __kernel_size_t iov_len; /* Must be size_t (1003.1g) */
+    };
+    struct iov_iter {
+        u8 iter_type;
+        bool nofault;
+        bool data_source;
+        bool user_backed;
+        size_t iov_offset;
+        size_t count;
+        union {
+                const struct iovec *iov;
+                const struct kvec *kvec;
+                const struct bio_vec *bvec;
+                struct xarray *xarray;
+                struct pipe_inode_info *pipe;
+                void __user *ubuf;
+        };
+        union {
+                unsigned long nr_segs;
+                struct {
+                        unsigned int head;
+                        unsigned int start_head;
+                };
+                loff_t xarray_start;
+        };
+    };
+
+The kernel traversal chain will be
+    "struct iov_iter" -> "const struct iovec *iov"
+Note that "const struct iovec *iov" is used since it is the *first* member
+inside the union. The traversal stops once we hit a pointer.
+So the kernel verifier returns a 'struct iovec' object (untrusted, cannot
+be used as a parameter to a call) and verifier can proceed.
+
+To fix the problem, let us use bpf_probe_read_kernel() instead
+so ttysnoop.py can continue to work with newer kernel.
+
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+---
+ tools/ttysnoop.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ttysnoop.py b/tools/ttysnoop.py
+index 77f97b7c..aca09db4 100755
+--- a/tools/ttysnoop.py
+++ b/tools/ttysnoop.py
+@@ -162,8 +162,8 @@ PROBE_TTY_WRITE
+      */
+     case CASE_ITER_IOVEC_NAME:
+         kvec  = from->kvec;
+-        buf   = kvec->iov_base;
+-        count = kvec->iov_len;
+        bpf_probe_read_kernel(&buf, sizeof(buf), &kvec->iov_base);
+        bpf_probe_read_kernel(&count, sizeof(count), &kvec->iov_len);
+         break;
+     CASE_ITER_UBUF_TEXT
+     /* TODO: Support more type */
+-- 
+2.27.0
+
--- a/bcc.spec
+++ b/bcc.spec
@ -2,13 +2,14 @@

 Name:           bcc
 Version:        0.29.1
-Release:        1
+Release:        2
 Summary:        BPF Compiler Collection (BCC)
 License:        ASL 2.0
 URL:            https://github.com/iovisor/bcc
 # Upstream now provides a release with the git submodule embedded in it
 Source0:        %{url}/releases/download/v%{version}/%{name}-src-with-submodule.tar.gz

+Patch0001:	backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch

 # Arches will be included as upstream support is added and dependencies are
 # satisfied in the respective arches
@ -163,6 +164,10 @@ rm -rf %{buildroot}%{_datadir}/%{name}/tools/old/


 %changelog
+* Thu May 09 2024 jinzhiguang <jinzhiguang@kylinos.cn> - 0.29.1-2
+- backport patch from upstream
+  backport-Fix-ttysnoop.py-with-newer-kernels-4888.patch
+
 * Mon Feb 19 2024 liweigang <izmirvii@gmail.com> - 0.29.1-1
 - update to version 0.29.1