eBPF: what happens if a kprobe program's bpf_probe_read maliciously reads a larger size than its buffer

2022-02-19 15:02:14  Views: 253  Source: Internet



In the kernel's samples/bpf code, tracex1_kern.c, change the second argument of the bpf_probe_read call to sizeof(devname)*2, i.e. deliberately ask the helper to copy twice as many bytes as the destination buffer holds. This compiles without error (to the C compiler the size is just another constant), but when the program is loaded the BPF verifier rejects it and dumps its full instruction-by-instruction log ending in the error.

        /* in bpf_prog1() of samples/bpf/tracex1_kern.c; devname is
         * char devname[IFNAMSIZ], i.e. a 16-byte buffer on the BPF stack */

        /* non-portable! works for the given kernel only */
        skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
        dev = _(skb->dev);   /* _() reads one field via bpf_probe_read */
        len = _(skb->len);

        /* modified: size doubled to 32 bytes, twice what devname holds */
        bpf_probe_read(devname, sizeof(devname)*2, dev->name);


The load fails with err=13 (EACCES), which is how a verifier rejection surfaces to user space. The log below is the verifier walking every instruction: it knows that r10-16 is a 16-byte slot on the BPF stack, it accepts the first two bpf_probe_read calls (instructions 8 and 16, which write 8 and 4 bytes into that slot), and it rejects the third call at instruction 22 because a helper writing 32 bytes from stack offset -16 would run past the top of the frame at offset 0. This is the check for helper memory arguments pointing into the stack, and it is what turns the over-read into a load-time error rather than a kernel stack corruption at run time.

bpf_load_program() err=13
0: (79) r6 = *(u64 *)(r1 +112)
1: (b7) r7 = 0
2: (7b) *(u64 *)(r10 -16) = r7
last_idx 2 first_idx 0
regs=80 stack=0 before 1: (b7) r7 = 0
3: (bf) r3 = r6
4: (07) r3 += 16
5: (bf) r1 = r10
6: (07) r1 += -16
7: (b7) r2 = 8
8: (85) call bpf_probe_read#4
last_idx 8 first_idx 0
regs=4 stack=0 before 7: (b7) r2 = 8
9: (79) r8 = *(u64 *)(r10 -16)
10: (63) *(u32 *)(r10 -16) = r7
11: (bf) r3 = r6
12: (07) r3 += 112
13: (bf) r1 = r10
14: (07) r1 += -16
15: (b7) r2 = 4
16: (85) call bpf_probe_read#4
last_idx 16 first_idx 0
regs=4 stack=0 before 15: (b7) r2 = 4
17: (61) r7 = *(u32 *)(r10 -16)
18: (bf) r1 = r10
19: (07) r1 += -16
20: (b7) r2 = 32
21: (bf) r3 = r8
22: (85) call bpf_probe_read#4
invalid stack type R1 off=-16 access_size=32
processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
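To make that decision concrete for both the modified snippet and the log above, here is an added user-space model of the check that produced the error. It is not kernel code and not part of the original post: the bound test mirrors __check_stack_boundary() in kernel/bpf/verifier.c, MAX_BPF_STACK is the 512-byte BPF frame, and the three replayed calls are read off the log (R1 = R10-16 with sizes 8, 4 and 32; the 16-byte devname is inferred from IFNAMSIZ and from 2*16 = 32). The struct and function names are this example's own.

```c
/* Added example: a user-space model of the BPF verifier's stack-bound
 * check for helper memory arguments. Not kernel code; the condition
 * mirrors __check_stack_boundary() in kernel/bpf/verifier.c and the
 * replayed calls are the three bpf_probe_read calls in the log above.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BPF_STACK 512   /* size of a BPF program's stack frame */

/* One helper call handing the kernel a pointer into the BPF stack:
 * regno is the argument register (R1 for bpf_probe_read's dst), off the
 * constant offset of that pointer relative to R10 (frame pointer),
 * access_size the byte count the helper may write (R2). */
struct stack_access {
	int regno;
	int off;
	int access_size;
};

/* Returns 0 if [off, off + access_size) lies inside the frame
 * [-MAX_BPF_STACK, 0), else -EACCES with the verifier's message copied
 * into msg. A zero-length access passes only when the helper's argument
 * type allows it (bpf_probe_read's does not). */
static int check_stack_boundary(const struct stack_access *a,
				bool zero_size_allowed, char *msg, size_t msglen)
{
	int off = a->off, size = a->access_size;

	if (off >= 0 || off < -MAX_BPF_STACK || off + size > 0 ||
	    size < 0 || (size == 0 && !zero_size_allowed)) {
		snprintf(msg, msglen,
			 "invalid stack type R%d off=%d access_size=%d",
			 a->regno, off, size);
		return -EACCES;
	}
	msg[0] = '\0';
	return 0;
}

/* The three calls from the log, all writing into the slot at R10-16:
 * the two _() field reads and the doubled devname read. */
static const struct stack_access calls[] = {
	{ 1, -16, 8 },   /* insn 8:  dev = _(skb->dev)                      */
	{ 1, -16, 4 },   /* insn 16: len = _(skb->len)                      */
	{ 1, -16, 32 },  /* insn 22: bpf_probe_read(devname, 32, dev->name) */
};
static const int call_insn[] = { 8, 16, 22 };

/* Returns the instruction index of the first rejected call, or -1 if
 * every helper access stays inside the frame. */
static int first_rejected_call(char *msg, size_t msglen)
{
	for (size_t i = 0; i < sizeof(calls) / sizeof(calls[0]); i++)
		if (check_stack_boundary(&calls[i], false, msg, msglen))
			return call_insn[i];
	return -1;
}

int main(void)
{
	char msg[64];
	int insn = first_rejected_call(msg, sizeof(msg));

	if (insn < 0)
		puts("all helper stack accesses in bounds");
	else
		printf("%d: %s\n", insn, msg);   /* 22: invalid stack type R1 off=-16 access_size=32 */
	return 0;
}
```

With the original sizeof(devname) the third access is 16 bytes at offset -16, so off + size is exactly 0 and the call passes; doubling it makes off + size positive, which is the single condition that fires here. The model covers only the bound test: the real verifier additionally requires the bytes to be initialised for read-only pointer arguments and handles non-constant stack offsets, neither of which this program exercises.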

Source: https://www.cnblogs.com/honpey/p/15912594.html
