Currently, verifier does not reject XDP programs that pass NULL pointer to
hints functions. At the same time, this case is not handled in any driver
implementation (including veth). For example, changing
bpf_xdp_metadata_rx_timestamp(ctx, ×tamp);
to
bpf_xdp_metadata_rx_timestamp(ctx, NULL);
in xdp_metadata test successfully crashes the system.
Add KF_TRUSTED_ARGS flag to hints kfunc definitions, so driver code
does not have to worry about getting invalid pointers.
Fixes: 3d76a4d3d4e5 ("bpf: XDP metadata RX kfuncs")
Reported-by: Stanislav Fomichev <[email protected]>
Closes: https://lore.kernel.org/bpf/[email protected]/
Signed-off-by: Larysa Zaremba <[email protected]>
---
net/core/xdp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/xdp.c b/net/core/xdp.c
index 41e5ca8643ec..8362130bf085 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c
@@ -741,7 +741,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_hash(const struct xdp_md *ctx, u32 *hash,
__diag_pop();
BTF_SET8_START(xdp_metadata_kfunc_ids)
-#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, 0)
+#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
XDP_METADATA_KFUNC_xxx
#undef XDP_METADATA_KFUNC
BTF_SET8_END(xdp_metadata_kfunc_ids)
--
2.41.0
On 11/07/2023 12.59, Larysa Zaremba wrote:
> Currently, verifier does not reject XDP programs that pass NULL pointer to
> hints functions. At the same time, this case is not handled in any driver
> implementation (including veth). For example, changing
>
> bpf_xdp_metadata_rx_timestamp(ctx, ×tamp);
>
> to
>
> bpf_xdp_metadata_rx_timestamp(ctx, NULL);
>
> in xdp_metadata test successfully crashes the system.
>
> Add KF_TRUSTED_ARGS flag to hints kfunc definitions, so driver code
> does not have to worry about getting invalid pointers.
>
Looks good to me, assuming this means verifier will reject BPF-prog's
supplying NULL.
Acked-by: Jesper Dangaard Brouer <[email protected]>
> Fixes: 3d76a4d3d4e5 ("bpf: XDP metadata RX kfuncs")
> Reported-by: Stanislav Fomichev <[email protected]>
> Closes: https://lore.kernel.org/bpf/[email protected]/
> Signed-off-by: Larysa Zaremba <[email protected]>
> ---
> net/core/xdp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/xdp.c b/net/core/xdp.c
> index 41e5ca8643ec..8362130bf085 100644
> --- a/net/core/xdp.c
> +++ b/net/core/xdp.c
> @@ -741,7 +741,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_hash(const struct xdp_md *ctx, u32 *hash,
> __diag_pop();
>
> BTF_SET8_START(xdp_metadata_kfunc_ids)
> -#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, 0)
> +#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
> XDP_METADATA_KFUNC_xxx
> #undef XDP_METADATA_KFUNC
> BTF_SET8_END(xdp_metadata_kfunc_ids)
On Tue, Jul 11, 2023 at 7:21 AM Jesper Dangaard Brouer
<[email protected]> wrote:
>
>
> On 11/07/2023 12.59, Larysa Zaremba wrote:
> > Currently, verifier does not reject XDP programs that pass NULL pointer to
> > hints functions. At the same time, this case is not handled in any driver
> > implementation (including veth). For example, changing
> >
> > bpf_xdp_metadata_rx_timestamp(ctx, ×tamp);
> >
> > to
> >
> > bpf_xdp_metadata_rx_timestamp(ctx, NULL);
> >
> > in xdp_metadata test successfully crashes the system.
> >
> > Add KF_TRUSTED_ARGS flag to hints kfunc definitions, so driver code
> > does not have to worry about getting invalid pointers.
> >
>
> Looks good to me, assuming this means verifier will reject BPF-prog's
> supplying NULL.
>
> Acked-by: Jesper Dangaard Brouer <[email protected]>
>
> > Fixes: 3d76a4d3d4e5 ("bpf: XDP metadata RX kfuncs")
> > Reported-by: Stanislav Fomichev <[email protected]>
> > Closes: https://lore.kernel.org/bpf/[email protected]/
> > Signed-off-by: Larysa Zaremba <[email protected]>
Acked-by: Stanislav Fomichev <[email protected]>
Thank you for the fix!
> > ---
> > net/core/xdp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/core/xdp.c b/net/core/xdp.c
> > index 41e5ca8643ec..8362130bf085 100644
> > --- a/net/core/xdp.c
> > +++ b/net/core/xdp.c
> > @@ -741,7 +741,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_hash(const struct xdp_md *ctx, u32 *hash,
> > __diag_pop();
> >
> > BTF_SET8_START(xdp_metadata_kfunc_ids)
> > -#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, 0)
> > +#define XDP_METADATA_KFUNC(_, name) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
> > XDP_METADATA_KFUNC_xxx
> > #undef XDP_METADATA_KFUNC
> > BTF_SET8_END(xdp_metadata_kfunc_ids)
>
On Tue, Jul 11, 2023 at 10:00 AM Stanislav Fomichev <[email protected]> wrote:
>
> On Tue, Jul 11, 2023 at 7:21 AM Jesper Dangaard Brouer
> <[email protected]> wrote:
> >
> >
> > On 11/07/2023 12.59, Larysa Zaremba wrote:
> > > Currently, verifier does not reject XDP programs that pass NULL pointer to
> > > hints functions. At the same time, this case is not handled in any driver
> > > implementation (including veth). For example, changing
> > >
> > > bpf_xdp_metadata_rx_timestamp(ctx, ×tamp);
> > >
> > > to
> > >
> > > bpf_xdp_metadata_rx_timestamp(ctx, NULL);
> > >
> > > in xdp_metadata test successfully crashes the system.
> > >
> > > Add KF_TRUSTED_ARGS flag to hints kfunc definitions, so driver code
> > > does not have to worry about getting invalid pointers.
> > >
> >
> > Looks good to me, assuming this means verifier will reject BPF-prog's
> > supplying NULL.
> >
> > Acked-by: Jesper Dangaard Brouer <[email protected]>
> >
> > > Fixes: 3d76a4d3d4e5 ("bpf: XDP metadata RX kfuncs")
> > > Reported-by: Stanislav Fomichev <[email protected]>
> > > Closes: https://lore.kernel.org/bpf/[email protected]/
> > > Signed-off-by: Larysa Zaremba <[email protected]>
>
> Acked-by: Stanislav Fomichev <[email protected]>
>
> Thank you for the fix!
Applied. Thanks