Cannot create probe on symbols with duplicate entries in kallsyms (multiple addresses) in recent kernels #3653
Comments
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
I also got this with: Linux rugged 6.5.9-arch2-1 #1 SMP PREEMPT_DYNAMIC Thu, 26 Oct 2023 00:52:20 +0000 x86_64 GNU/Linux which makes me think it could be a kconfig related option (rather than a broken kernel or build). |
But it should log a warning if is a kconfig miss. |
This comment was marked as outdated.
This comment was marked as outdated.
rafaeldtinoco
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
Okay so the summary for this issue is the following, recent kernels have the following kernel commit: The commit was only introduced in v6.6 kernel, but since it was also sent to the stable list, it was applied in some older kernels (and distributions will start using it, and tracee would start having errors by the time those kernels are used). This commit changes the behavior for kprobe attachments. Whenever a kprobe is being created, if the symbols the kprobe attaches to isn't unique (meaning that /proc/kallsyms has multiple address for the same symbol, for example) then, instead of attaching to "one of them", up to this commit, the attachment won't occur, resulting in an error similar to: My proposed course of action here is the following:
switch p.probeType {
case KProbe:
link, err = prog.AttachKprobe(p.eventName)
case KretProbe:
link, err = prog.AttachKretprobe(p.eventName)
case Tracepoint:
tp := strings.Split(p.eventName, ":")
tpClass := tp[0]
tpEvent := tp[1]
link, err = prog.AttachTracepoint(tpClass, tpEvent)
case RawTracepoint:
tpEvent := strings.Split(p.eventName, ":")[1]
link, err = prog.AttachRawTracepoint(tpEvent)
}So, both the kprobe and kretprobe are affected. Both translate into a libbpfgo function that calls struct bpf_kprobe_opts {
/* size of this struct, for forward/backward compatibility */
size_t sz;
/* custom user-provided value fetchable through bpf_get_attach_cookie() */
__u64 bpf_cookie;
/* function's offset to install kprobe to */
size_t offset;
/* kprobe is return probe */
bool retprobe;
/* kprobe attach mode */
enum probe_attach_mode attach_mode;
size_t :0;
};
#define bpf_kprobe_opts__last_field attach_modeand that the "offset" here is the kernel symbol address. Example: Attach would fail for the eBPF Program that uses this hook because there are 2 addresses for it. Then, we can make libbpfgo call the This would make our eBPF program to run on both cases (whenever those 2 addresses are called as functions from the kernel). Nowadays, with the buggy kernels (all until this fix was done) our eBPF programs are running only in one of them (and we dont know which). |
|
I believe #3798 needs to be sorted out, and then I need a libbpfgo change adding the functions to attach the kpropes to specific offsets, and then the real fix for this issue. |
|
With aquasecurity/libbpfgo#399 merged I believe I can fix this issue in Tracee by giving the symbol offsets in the kprobe attachment. Ill be suggesting a PR soon. |
|
Addressed by #3802 |
Changes probes interface "tracing" type so kprobe and kretprobes can be attached using the kernel symbol addresses instead of names. This solves the problem when the symbol has multiple addresses and the kernel refuses the attachment (newer kernels) because of that. #3653 (comment) Fixes: #3653
Description
kprobe attachment fails in some "recent" (and LTS) kernels.
Output of
tracee version:Output of
uname -a:Additional details
The text was updated successfully, but these errors were encountered: