суббота, 25 июня 2022 г.

pmu events

Some details

pmu stored in tree pmu_idr and synced with mutex pmus_lock. and as usually can be used to blind EBPF. How? Lets see:

General speaking there are usually four steps involved to attach an eBPF program to a perf event:

  1. Open the perf event
  2. Load the eBPF program
  3. Set the eBPF program on the perf event
  4. Enable the perf event
We interested in point 4 - enabling of the perf event involves calling of pmu->event_init & pmu->add methods. And worse - all pmu structures located in .data section and thus writable. So I add today some code to dump them:

lkmem -c -t -d
pmus at 0xffffffffb4a081b0: 6
 [0] type 2 capabilities 0 at  0xffffffffb43c2a20 - kernel!perf_tracepoint
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffb2639e50 - kernel!perf_tp_event_init
   add: 0xffffffffb25d3600 - kernel!perf_trace_add
   del: 0xffffffffb25d3680 - kernel!perf_trace_del
   start: 0xffffffffb2639340 - kernel!perf_swevent_start
   stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
   read: 0xffffffffb2639300 - kernel!perf_swevent_read
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
 [1] type 5 capabilities 0 at  0xffffffffb43c2da0 - kernel!perf_breakpoint
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffb264e010 - kernel!hw_breakpoint_event_init
   add: 0xffffffffb264d810 - kernel!hw_breakpoint_add
   del: 0xffffffffb264d800 - kernel!hw_breakpoint_del
   start: 0xffffffffb264d7c0 - kernel!hw_breakpoint_start
   stop: 0xffffffffb264d7e0 - kernel!hw_breakpoint_stop
   read: 0xffffffffb2440e10 - kernel!hw_breakpoint_pmu_read
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
 [2] type 6 capabilities 0 at  0xffffffffb43c2880 - kernel!perf_kprobe
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffb263db00 - kernel!perf_kprobe_event_init
   add: 0xffffffffb25d3600 - kernel!perf_trace_add
   del: 0xffffffffb25d3680 - kernel!perf_trace_del
   start: 0xffffffffb2639340 - kernel!perf_swevent_start
   stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
   read: 0xffffffffb2639300 - kernel!perf_swevent_read
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
 [3] type 7 capabilities 0 at  0xffffffffb43c26c0 - kernel!perf_uprobe
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffb263db80 - kernel!perf_uprobe_event_init
   add: 0xffffffffb25d3600 - kernel!perf_trace_add
   del: 0xffffffffb25d3680 - kernel!perf_trace_del
   start: 0xffffffffb2639340 - kernel!perf_swevent_start
   stop: 0xffffffffb2639350 - kernel!perf_swevent_stop
   read: 0xffffffffb2639300 - kernel!perf_swevent_read
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
 [4] type 8 capabilities 81 at  0xffffffffb421f740 - kernel!pmu_msr
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffb240c3e0 - kernel!msr_event_init
   add: 0xffffffffb240c550 - kernel!msr_event_add
   del: 0xffffffffb240c670 - kernel!msr_event_del
   start: 0xffffffffb240c680 - kernel!msr_event_start
   stop: 0xffffffffb240c660 - kernel!msr_event_stop
   read: 0xffffffffb240c5a0 - kernel!msr_event_update
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int
 [5] type 9 capabilities 80 at  0xffff8ccc42814400 UNKNOWN
   pmu_enable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   pmu_disable: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_init: 0xffffffffc0587000 - rapl
   add: 0xffffffffc0587390 - rapl
   del: 0xffffffffc0587290 - rapl
   start: 0xffffffffc0587340 - rapl
   stop: 0xffffffffc05871c0 - rapl
   read: 0xffffffffc05871b0 - rapl
   start_txn: 0xffffffffb2639360 - kernel!perf_pmu_nop_txn
   commit_txn: 0xffffffffb2639370 - kernel!perf_pmu_nop_int
   cancel_txn: 0xffffffffb263d210 - kernel!perf_pmu_nop_void
   event_idx: 0xffffffffb263d200 - kernel!perf_event_idx_default
   check_period: 0xffffffffb2639380 - kernel!perf_event_nop_int

Автор: redp на 16:42
Ярлыки: , ,

Комментариев нет:

Отправить комментарий

Подписаться на: Комментарии к сообщению (Atom)