[v3,0/3] kgdb: Honour the kprobe blocklist when setting breakpoints

Message ID 20200927211531.1380577-1-daniel.thompson@linaro.org

Message

Daniel Thompson Sept. 27, 2020, 9:15 p.m. UTC
kgdb has traditionally adopted a no safety rails approach to breakpoint
placement. If the debugger is commanded to place a breakpoint at an
address then it will do so even if that breakpoint results in kgdb
becoming inoperable.

A stop-the-world debugger with memory peek/poke intrinsically provides
its operator with the means to hose their system in all manner of
exciting ways (not least because stopping-the-world is already a DoS
attack ;-) ). Nevertheless the current no safety rail approach is
difficult to defend, especially given kprobes can provide us with plenty
of machinery to mark the parts of the kernel where breakpointing is
discouraged.

This patchset introduces some safety rails by using the existing kprobes
infrastructure and ensures this will be enabled by default on
architectures that implement kprobes. At present it does not cover
absolutely all locations where breakpoints can cause trouble but it will
block off several avenues, including the architecture specific parts
that are handled by arch_within_kprobe_blacklist().

v4:
* Fixed KConfig dependencies for HONOUR_KPROBE_BLOCKLIST on kernels
  where MODULES=n
* Add additional debug_core.c functions to the blocklist (thanks Doug)
* Collected a few tags

v3:
* Dropped the single step blocklist checks. It is not proven that the
  code was actually reachable without triggering the catastrophic
  failure flag (which inhibits resume already).
* Update patch description for ("kgdb: Add NOKPROBE labels...") and
  added symbols that are called during trap exit
* Added a new patch to push the breakpoint activation later in the
  flow and ensure the I/O functions are not called with breakpoints
  activated.

v2:
* Reworked after initial RFC to make honouring the blocklist require
  CONFIG_KPROBES. It is now optional but the blocklist will be enabled
  by default for architectures that CONFIG_HAVE_KPROBES

Daniel Thompson (3):
  kgdb: Honour the kprobe blocklist when setting breakpoints
  kgdb: Add NOKPROBE labels on the trap handler functions
  kernel: debug: Centralize dbg_[de]activate_sw_breakpoints

 include/linux/kgdb.h            | 18 ++++++++++++++++++
 kernel/debug/debug_core.c       | 22 ++++++++++++++++++++++
 kernel/debug/gdbstub.c          |  1 -
 kernel/debug/kdb/kdb_bp.c       |  9 +++++++++
 kernel/debug/kdb/kdb_debugger.c |  2 --
 lib/Kconfig.kgdb                | 15 +++++++++++++++
 6 files changed, 64 insertions(+), 3 deletions(-)

--
2.25.4
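
An added illustration of the address-range check the cover letter describes; it is not part of the original message or of the patch series. It is a userspace model: the sample lines are constructed in the `start-end<TAB>symbol` layout of `/sys/kernel/debug/kprobes/blacklist`, and `blocklist_lookup()`, `set_breakpoint_checked()` and the symbol names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample in the "start-end<TAB>symbol" layout that
 * /sys/kernel/debug/kprobes/blacklist uses. Addresses and symbol
 * names are made up for this example. */
static const char *const sample_blocklist[] = {
    "0xffffffff81001000-0xffffffff81001080\texample_trap_entry",
    "0xffffffff81002000-0xffffffff81002040\texample_trap_exit",
    "not-a-range\tmalformed_line",
};
#define SAMPLE_LEN (sizeof(sample_blocklist) / sizeof(sample_blocklist[0]))

/* Return the index of the entry whose half-open range [start, end)
 * covers addr, or -1 if none does. Malformed lines are skipped. */
int blocklist_lookup(const char *const *lines, size_t n,
                     unsigned long long addr)
{
    for (size_t i = 0; i < n; i++) {
        unsigned long long start, end;
        char sym[64];

        if (sscanf(lines[i], "%llx-%llx %63s", &start, &end, sym) != 3)
            continue;
        if (start < end && addr >= start && addr < end)
            return (int)i;
    }
    return -1;
}

/* Hypothetical guarded insert: refuse blocklisted addresses (-1),
 * accept everything else (0). A real debugger would patch memory here. */
int set_breakpoint_checked(unsigned long long addr)
{
    return blocklist_lookup(sample_blocklist, SAMPLE_LEN, addr) < 0 ? 0 : -1;
}

int main(void)
{
    unsigned long long probes[] = {
        0xffffffff81001040ULL,  /* inside example_trap_entry */
        0xffffffff81001080ULL,  /* one past its end: allowed */
    };
    for (size_t i = 0; i < 2; i++)
        printf("%#llx -> %s\n", probes[i],
               set_breakpoint_checked(probes[i]) ? "refused" : "set");
    return 0;
}
```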

Comments

Daniel Thompson Sept. 28, 2020, 11:17 a.m. UTC | #1
On Sun, Sep 27, 2020 at 10:15:28PM +0100, Daniel Thompson wrote:
> kgdb has traditionally adopted a no safety rails approach to breakpoint
> placement. If the debugger is commanded to place a breakpoint at an
> address then it will do so even if that breakpoint results in kgdb
> becoming inoperable.
> 
> A stop-the-world debugger with memory peek/poke intrinsically provides
> its operator with the means to hose their system in all manner of
> exciting ways (not least because stopping-the-world is already a DoS
> attack ;-) ). Nevertheless the current no safety rail approach is
> difficult to defend, especially given kprobes can provide us with plenty
> of machinery to mark the parts of the kernel where breakpointing is
> discouraged.
> 
> This patchset introduces some safety rails by using the existing kprobes
> infrastructure and ensures this will be enabled by default on
> architectures that implement kprobes. At present it does not cover
> absolutely all locations where breakpoints can cause trouble but it will
> block off several avenues, including the architecture specific parts
> that are handled by arch_within_kprobe_blacklist().
> 
> v4:
> * Fixed KConfig dependencies for HONOUR_KPROBE_BLOCKLIST on kernels
>   where MODULES=n
> * Add additional debug_core.c functions to the blocklist (thanks Doug)
> * Collected a few tags


Looks like I neglected to bump the version number in the subject.
For the avoidance of doubt, this comment is correct and the subject
line is broken.

Sorry!


Daniel.


> 
> v3:
> * Dropped the single step blocklist checks. It is not proven that the
>   code was actually reachable without triggering the catastrophic
>   failure flag (which inhibits resume already).
> * Update patch description for ("kgdb: Add NOKPROBE labels...") and
>   added symbols that are called during trap exit
> * Added a new patch to push the breakpoint activation later in the
>   flow and ensure the I/O functions are not called with breakpoints
>   activated.
> 
> v2:
> * Reworked after initial RFC to make honouring the blocklist require
>   CONFIG_KPROBES. It is now optional but the blocklist will be enabled
>   by default for architectures that CONFIG_HAVE_KPROBES
> 
> Daniel Thompson (3):
>   kgdb: Honour the kprobe blocklist when setting breakpoints
>   kgdb: Add NOKPROBE labels on the trap handler functions
>   kernel: debug: Centralize dbg_[de]activate_sw_breakpoints
> 
>  include/linux/kgdb.h            | 18 ++++++++++++++++++
>  kernel/debug/debug_core.c       | 22 ++++++++++++++++++++++
>  kernel/debug/gdbstub.c          |  1 -
>  kernel/debug/kdb/kdb_bp.c       |  9 +++++++++
>  kernel/debug/kdb/kdb_debugger.c |  2 --
>  lib/Kconfig.kgdb                | 15 +++++++++++++++
>  6 files changed, 64 insertions(+), 3 deletions(-)
> 
> --
> 2.25.4
>