From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 978C5C433FE
	for <linux-mm@archiver.kernel.org>; Thu, 24 Feb 2022 14:15:56 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 14AE88D0002; Thu, 24 Feb 2022 09:15:56 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 0FB458D0001; Thu, 24 Feb 2022 09:15:56 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id F2B908D0002; Thu, 24 Feb 2022 09:15:55 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.25])
	by kanga.kvack.org (Postfix) with ESMTP id E42828D0001
	for <linux-mm@kvack.org>; Thu, 24 Feb 2022 09:15:55 -0500 (EST)
Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id ACA4720DD4
	for <linux-mm@kvack.org>; Thu, 24 Feb 2022 14:15:55 +0000 (UTC)
X-FDA: 79177872270.03.A09CA2D
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
	by imf01.hostedemail.com (Postfix) with ESMTP id E371B4001A
	for <linux-mm@kvack.org>; Thu, 24 Feb 2022 14:15:54 +0000 (UTC)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dfw.source.kernel.org (Postfix) with ESMTPS id E9D8B61ADD;
	Thu, 24 Feb 2022 14:15:53 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 46281C340E9;
	Thu, 24 Feb 2022 14:15:52 +0000 (UTC)
Date: Thu, 24 Feb 2022 09:15:50 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: Kees Cook <keescook@chromium.org>
Cc: Daniel Latypov <dlatypov@google.com>, Eric Biederman
 <ebiederm@xmission.com>, David Gow <davidgow@google.com>, Alexey Dobriyan
 <adobriyan@gmail.com>, Magnus =?UTF-8?B?R3Jvw58=?=
 <magnus.gross@rwth-aachen.de>, kunit-dev@googlegroups.com,
 linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] binfmt_elf: Introduce KUnit test
Message-ID: <20220224091550.2b7e8784@gandalf.local.home>
In-Reply-To: <202202232208.B416701@keescook>
References: <20220224054332.1852813-1-keescook@chromium.org>
	<CAGS_qxp8cjG5jCX-7ziqHcy2gq_MqL8kU01-joFD_W9iPG08EA@mail.gmail.com>
	<202202232208.B416701@keescook>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Stat-Signature: jckzhas5jrz31ikb68kd9h9i3sd8gatd
X-Rspam-User: 
Authentication-Results: imf01.hostedemail.com;
	dkim=none;
	spf=pass (imf01.hostedemail.com: domain of "SRS0=lAO5=TH=goodmis.org=rostedt@kernel.org" designates 139.178.84.217 as permitted sender) smtp.mailfrom="SRS0=lAO5=TH=goodmis.org=rostedt@kernel.org";
	dmarc=none
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: E371B4001A
X-HE-Tag: 1645712154-502870
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, 23 Feb 2022 22:13:25 -0800
Kees Cook <keescook@chromium.org> wrote:

> Steven, I want to do fancy live-patch kind or things to replace functions,
> but it doesn't need to be particularly fancy because KUnit tests (usually)
> run single-threaded, etc. It looks like kprobes could almost do it, but
> I don't see a way to have it _avoid_ making a function call.


// This is called just before the hijacked function is called
static void notrace my_tramp(unsigned long ip, unsigned long parent_ip,
			     struct ftrace_ops *ops,
			     struct ftrace_regs *fregs)
{
	int bit;

        bit = ftrace_test_recursion_trylock(ip, parent_ip);
        if (WARN_ON_ONCE(bit < 0))
                return;

	/*
	 * This uses the live kernel patching arch code to now return
	 * to new_function() instead of the one that was called.
	 * If you want to do a lookup, you can look at the "ip"
	 * which will give you the function you are about to replace.
	 * Note, it may not be equal to the function address,
	 * but for that, you can have this:
	 *   ip = ftrace_location(function_ip);
	 * which will give the ip that is passed here.
	 */
	klp_arch_set_pc(fregs, new_function);

	ftrace_test_recursion_unlock(bit);	
}

static struct ftrace_ops my_ops = {
	.func		= my_tramp;
	.flags		= FTRACE_OPS_FL_IPMODIFY |
#ifndef CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS
			  FTRACE_OPS_FL_SAVE_REGS |
#endif
			  FTRACE_OPS_FL_DYNAMIC;
};

// Assuming you know the function ip you want to hijack
register_my_kutest_ip(unsigned long func_ip)
{
	unsigned long ip;
	int ret;

	ip = ftrace_location(func_ip);
	if (!ip) // not a ftrace function?
		return;

	ret = ftrace_set_filter_ip(&my_ops, ip, 0, 0);
	if (ret < 0)
		return;

	// you can register more than one ip if the last parameter
	// is zero (1 means to reset the list)

	ret = register_ftrace_function(&my_ops);
	if (ret < 0)
		return;
}

That's pretty much it. Note, I did not compile nor test the above, so there
may be some mistakes.

For more information about how to use ftrace, see

  Documentation/trace/ftrace-uses.rst

Which should probably get a section on how to do kernel patching.

-- Steve