I am reading about the kprobes BPF program type, and am wondering whether it is possible not just to intercept a function call for tracing purposes or to collect some low-level information (registers, stack, etc.), but to substitute the call and execute instead of the actual function.

Does kprobe provide this capability, or am I looking at the wrong tool?

Mark
  • You could also take a look at [Ftrace](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/trace/ftrace-uses.rst) and how it is used in [Livepatch](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/livepatch/livepatch.txt) to replace the kernel functions. – Eugene Mar 17 '18 at 14:29

1 Answer

No, kprobes BPF programs have only read access to the syscall parameters and return value, they cannot modify registers and therefore cannot intercept function calls. This is a limitation imposed by the BPF verifier.

Kernel modules, however, can intercept function calls using kprobes.

pchaigno
  • Thanks for the feedback! So I guess https://www.kernel.org/doc/Documentation/kprobes.txt is the starting point. – Mark Mar 16 '18 at 13:09
  • Yep. You might be interested in [this StackOverflow answer](https://stackoverflow.com/a/43268462/6884590) too. – pchaigno Mar 16 '18 at 14:00
  • Well, yes, one could change the IP register in a kprobe's pre-handler to redirect execution to your function instead of the original one. However, I would also take a look at [Ftrace](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/trace/ftrace-uses.rst), which can also be used to substitute the functions. Perhaps this could be easier to use, but that is a matter of taste. In fact, [live patching](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/livepatch/livepatch.txt) already does this with Ftrace. – Eugene Mar 17 '18 at 14:27
  • This is inaccurate today. The “uprobes” feature in eBPF doesn’t exactly that. – shadyabhi Jul 10 '21 at 07:29
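The answer and Eugene's comment make the same practical point from opposite sides: a BPF kprobe program is confined to reading the probed function's state, while a kernel module's kprobe pre-handler runs with full kernel privilege and can redirect execution. For a defender the useful corollary is that every such hook, whether installed by a module or attached from BPF through a perf kprobe event, is registered as a kprobe and shows up in `/sys/kernel/debug/kprobes/list`, whose line format is described in the kprobes.txt document Mark links above. The script below is an added example, not code from the question, the answer or the kernel: it parses that list and reports the live probes that sit on a watched symbol or at a mid-function offset. The sample lines and the `WATCHLIST` prefixes are constructed for offline use; on a real host the file needs debugfs mounted and root.

```python
"""Audit the kprobes a Linux kernel reports in /sys/kernel/debug/kprobes/list.

Added example, not code from the thread or the kernel tree. Line format per
Documentation/kprobes.txt: address, probe type (k = kprobe, r = kretprobe),
symbol+offset, an optional module name when the probed function lives in a
module, then optional status tags [GONE] [DISABLED] [OPTIMIZED] [FTRACE].
SAMPLE and WATCHLIST are constructed for offline use.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

KPROBES_LIST = Path("/sys/kernel/debug/kprobes/list")  # needs debugfs mounted and root

TAG_RE = re.compile(r"\[([A-Z]+)\]")

# Constructed sample. On a real host the address column prints as zeros when
# kptr_restrict hides kernel pointers; the parser tolerates that.
SAMPLE = """\
ffffffff812a1b30  k  vfs_read+0x0   [OPTIMIZED]
ffffffff812a1b30  r  vfs_read+0x0
ffffffff81ae4f20  k  tcp_v4_connect+0x0   [DISABLED]
ffffffffc0a1e010  k  nf_hook_slow+0x0  nf_conntrack [OPTIMIZED]
ffffffff81a0c1a4  k  do_sys_openat2+0x14   [FTRACE]
"""

# Constructed watchlist: symbol prefixes you would not expect third-party code
# to hook on this host. Tune it to your own baseline of known tracing tools.
WATCHLIST: Tuple[str, ...] = ("__x64_sys_", "vfs_", "tcp_v4_", "security_")


@dataclass(frozen=True)
class Probe:
    addr: int
    kind: str               # "k" = kprobe (pre/post handler), "r" = kretprobe
    symbol: str
    offset: int             # bytes past the symbol; tracing tools normally probe +0x0
    module: str             # "" when the probed function is built into the kernel image
    tags: Tuple[str, ...]

    @property
    def live(self) -> bool:
        # [GONE]: the probed module was unloaded; [DISABLED]: registered but inactive
        return not ({"GONE", "DISABLED"} & set(self.tags))


def parse_kprobes_list(text: str) -> List[Probe]:
    """Parse kprobes/list output. Blank or malformed lines are skipped, not guessed."""
    probes: List[Probe] = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[1] not in ("k", "r"):
            continue
        addr, kind = parts[0], parts[1]
        symoff = parts[2].split("/")[0]          # drop a "/size" suffix if present
        rest = parts[3] if len(parts) == 4 else ""
        symbol, _, off = symoff.rpartition("+")
        if not symbol:                           # no "+0x.." suffix at all
            symbol, off = symoff, "0x0"
        tags = tuple(TAG_RE.findall(rest))
        module = TAG_RE.sub("", rest).strip()    # whatever is left is the module name
        probes.append(Probe(int(addr, 16), kind, symbol, int(off, 16), module, tags))
    return probes


def audit(probes: List[Probe],
          watchlist: Tuple[str, ...] = WATCHLIST) -> List[Tuple[Probe, List[str]]]:
    """Return the live probes worth a second look, each with the reasons why."""
    findings: List[Tuple[Probe, List[str]]] = []
    for p in probes:
        if not p.live:
            continue
        reasons = []
        if p.symbol.startswith(watchlist):
            reasons.append("hooks a watched symbol")
        if p.offset != 0:
            reasons.append("mid-function offset, unusual for entry tracing")
        if reasons:
            findings.append((p, reasons))
    return findings


def audit_live_system() -> List[Tuple[Probe, List[str]]]:
    """Run the audit against the real debugfs file (Linux, root)."""
    return audit(parse_kprobes_list(KPROBES_LIST.read_text()))


if __name__ == "__main__":
    for probe, why in audit(parse_kprobes_list(SAMPLE)):
        where = probe.module or "vmlinux"
        print(f"{probe.kind} {probe.symbol}+{probe.offset:#x} [{where}]: {'; '.join(why)}")
```

Disabled and gone probes are skipped because they do not execute, but they still tell you something was registered, so a production version would log them separately. The offset check is deliberately coarse: tracing tools almost always probe the function entry, so a live probe in the middle of a function deserves the same scrutiny as one on a watched symbol.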