From 8e4e71ae23a4d19c024f959445d207d06a795f56 Mon Sep 17 00:00:00 2001 From: Paul Chaignon Date: Mon, 2 Oct 2023 11:56:01 +0200 Subject: sys/linux: describe full call to bpf_trace_printk helper This commit describes the full snippet of BPF bytecode necessary to successfully call the bpf_trace_printk helper. That helper has the following prototype: long bpf_trace_printk(const char *fmt, u32 fmt_size, ...) We thus need to initialize the fmt string on the stack, then prepare the arguments (pointer to the stack & size), before actually calling the helper. To that end, we rely on previously defined templates to express the specific instructions we need (e.g., init register with imm, perform ALU operation on register with imm). The corresponding eBPF bytecode is kept in comment as that is much easier to parse for anyone familiar with the bytecode. In addition to the test case introduced in the next commit, this new description was tested by focusing fuzzing on bpf_trace_printk. That is, a new syscall description PROG_LOAD_FOCUS was added to cover only programs with bpf_trace_printk. Syzkaller was then executed on 16 VMs (2 logical cores each) with only the bpf$PROG_LOAD_FOCUS and bpf$BPF_PROG_TEST_RUN syscalls enabled. It was able to reach the definition of this helper [1] within a few minutes. 1 - https://github.com/torvalds/linux/blob/v6.5/kernel/trace/bpf_trace.c#L375 Signed-off-by: Paul Chaignon --- sys/linux/bpf.txt.const | 1 + 1 file changed, 1 insertion(+) (limited to 'sys/linux/bpf.txt.const') diff --git a/sys/linux/bpf.txt.const b/sys/linux/bpf.txt.const index c3ccf7bfe..e6eff547d 100644 --- a/sys/linux/bpf.txt.const +++ b/sys/linux/bpf.txt.const @@ -61,6 +61,7 @@ BPF_EXIST = 2 BPF_EXIT0 = 9 BPF_FLOW_DISSECTOR = 17 BPF_FUNC_INFO_SIZE = 8 +BPF_FUNC_trace_printk = 6 BPF_F_AFTER = 16 BPF_F_ALLOW_MULTI = 2 BPF_F_ALLOW_OVERRIDE = 1 -- cgit mrf-deployment
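Review bot: The hunk only adds the `BPF_FUNC_trace_printk = 6` constant, while the commit message describes a full bytecode snippet and a PROG_LOAD_FOCUS description; because this view is limited to sys/linux/bpf.txt.const, the description that consumes the constant is not visible, so confirm the identifier is spelled identically (mixed case, as in the kernel's BPF_FUNC_* enum naming) where bpf.txt references it, and that the value came from syz-extract against the UAPI header rather than being typed by hand, since .txt.const files are generated. The entry sits in sorted order between BPF_FUNC_INFO_SIZE and BPF_F_AFTER, which matches the existing ordering of the file. It would also help to say in the message whether PROG_LOAD_FOCUS is part of this series or was a throwaway used only for the fuzzing experiment, so readers do not look for it in the tree.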