ebpf: what happens if bpf_probe_read in a kprobe program maliciously reads a larger size

In the kernel's samples/bpf code, tracex1_kern.c, multiply the second argument of bpf_probe_read by 2, which amounts to maliciously reading more than the field holds. It compiles without error, but when the BPF program is loaded the verifier checker reports a large number of errors.

```c
	char devname[IFNAMSIZ];   /* 16-byte buffer on the BPF stack (IFNAMSIZ == 16) */

        /* non-portable! works for the given kernel only */
        skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
        dev = _(skb->dev);
        len = _(skb->len);

        /* deliberately oversized: 32 bytes requested into a 16-byte stack buffer */
        bpf_probe_read(devname, sizeof(devname)*2, dev->name);
```

The verifier produces the errors below; this is the verifier checking the relevant logic:

```
bpf_load_program() err=13
0: (79) r6 = *(u64 *)(r1 +112)
1: (b7) r7 = 0
2: (7b) *(u64 *)(r10 -16) = r7
last_idx 2 first_idx 0
regs=80 stack=0 before 1: (b7) r7 = 0
3: (bf) r3 = r6
4: (07) r3 += 16
5: (bf) r1 = r10
6: (07) r1 += -16
7: (b7) r2 = 8
8: (85) call bpf_probe_read#4
last_idx 8 first_idx 0
regs=4 stack=0 before 7: (b7) r2 = 8
9: (79) r8 = *(u64 *)(r10 -16)
10: (63) *(u32 *)(r10 -16) = r7
11: (bf) r3 = r6
12: (07) r3 += 112
13: (bf) r1 = r10
14: (07) r1 += -16
15: (b7) r2 = 4
16: (85) call bpf_probe_read#4
last_idx 16 first_idx 0
regs=4 stack=0 before 15: (b7) r2 = 4
17: (61) r7 = *(u32 *)(r10 -16)
18: (bf) r1 = r10
19: (07) r1 += -16
20: (b7) r2 = 32
21: (bf) r3 = r8
22: (85) call bpf_probe_read#4
invalid stack type R1 off=-16 access_size=32
processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
```
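The rejection in the log comes from the verifier's stack-bounds test on helper arguments: at insn 18-22, r1 is a pointer to the stack frame at offset -16 and r2 asks for 32 bytes, so the access would run 16 bytes past r10, the top of the frame. The following is an added example, not kernel code: a simplified C model of the range test that kernel/bpf/verifier.c applies (in check_stack_boundary) when a helper receives a stack pointer with a constant offset. The function names stack_access_ok and check_helper_stack_arg are invented here; MAX_BPF_STACK is the kernel's 512-byte frame limit, and the real verifier additionally tracks spilled registers and slot initialisation, which this model leaves out.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a simplified model of the range test that
 * kernel/bpf/verifier.c applies (check_stack_boundary) when a helper such as
 * bpf_probe_read receives a pointer into the BPF stack frame with a constant
 * offset. The real verifier additionally tracks spilled registers and slot
 * initialisation; only the range test is modelled here. */

#define MAX_BPF_STACK 512 /* size of an eBPF stack frame, as in the kernel */

/* Return 0 when a helper may touch [off, off + access_size) relative to the
 * frame pointer r10, or -EACCES (13, the err= value in the log) otherwise.
 * Stack offsets are negative: the frame spans r10-512 .. r10-1. */
int stack_access_ok(int off, int access_size, int zero_size_allowed)
{
    if (off >= 0 ||                 /* starts at or above the frame base */
        off < -MAX_BPF_STACK ||     /* starts below the 512-byte frame   */
        off + access_size > 0 ||    /* ends past the frame base          */
        access_size < 0 ||
        (access_size == 0 && !zero_size_allowed))
        return -EACCES;
    return 0;
}

/* Apply the test to helper argument register R<regno> and render the verdict
 * in the same form the verifier log uses. Returns the error code. */
int check_helper_stack_arg(int regno, int off, int access_size,
                           char *msg, size_t msglen)
{
    int err = stack_access_ok(off, access_size, 0);

    if (err)
        snprintf(msg, msglen, "invalid stack type R%d off=%d access_size=%d",
                 regno, off, access_size);
    else
        snprintf(msg, msglen, "R%d stack access off=%d size=%d ok",
                 regno, off, access_size);
    return err;
}

int main(void)
{
    char msg[96];

    /* devname[IFNAMSIZ] sits at r10-16: the original 16-byte read fits */
    check_helper_stack_arg(1, -16, 16, msg, sizeof msg);
    puts(msg);
    /* sizeof(devname)*2: 32 bytes starting at r10-16 run 16 bytes past r10 */
    check_helper_stack_arg(1, -16, 32, msg, sizeof msg);
    puts(msg);
    return 0;
}
```

Two things worth noting when reading the log against this model. First, err=13 is EACCES, the value the verifier returns for this class of rejection, so the oversized program is refused at load time and never runs. Second, the check applies to the destination buffer on the BPF stack; the source pointer handed to bpf_probe_read (dev->name here) is not bounds-checked at load time, since that helper copies from kernel memory with a fault-tolerant read at run time, so a bad source address yields a runtime error from the helper rather than a verifier message.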
posted @ 2022-02-19 14:51 honpey