Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp140589pxa; Fri, 21 Aug 2020 03:34:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwcUnh7j3Q+mJH+O4lSoebWCwXPGQ/1byvmhN/AxRbCrqPP/3lcHgPwVJcF0+OnSNezP8wP X-Received: by 2002:a05:6402:c84:: with SMTP id cm4mr2122042edb.20.1598006055114; Fri, 21 Aug 2020 03:34:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598006055; cv=none; d=google.com; s=arc-20160816; b=UIk83ff1qNKqSmtP4e+GyKpwAYiyUoFL2JuXosHXjzESmpkdaHgbjf/eYHE0Bp9Mj3 wYhbaTyT4BO0ol6cJlGq2NeNJQaiv2j5o4Neyp3kXMFtYg4bdtp4xh/YrNPZvgJMtVQH ya3H7kTdLGyz5pV7CSM5+VS1D4fleTFELKCINaohI4z4KxIADx09RGGODpLqZO9Z/8/J efXwzLyMDay7uk7u4WB+o9PcVsYpA43noB5xN0fHdhJcLcQk2CJmm2EFzO5gctko8nHZ L7zOVsTI4ZONx9Em+zM7j71SaPSR+38ebLI9l2s+psj+ZiKt2TGjj1HAgwMXW+dYR9cM oRrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=xrkad1dT1PqnIAHvf/9uKqIEtr9fqQIFC7z/xBajrtk=; b=iUwr5taHg+ILB7YvFJs28TxlnR1Haq3qbn241X/tkJ5LHTp/ZImLTDXLeHRcRqx9jI q4APR2fhznFzfbPezs4K4rhVAAMy96OEWPfWqRMb1bJDexe1urPAaob5j02wS2tzJu8x MKWDuMuZ1Td0IsrNYATuu20dmXLnBJYk/8jZHIdGFbsnjNM0Xif5I2sDQ4gOZqqxT3bp kPnKJbmjRA+0oOvOhEYhXNeGWREXVJ8tpp9wbdw16xL2r2q3oKZgLq+aZy7heYkzkEuR 8fxSXdseri+qcOJHUPIGdmpgQo0YHjDEDnwbnVyupnohJ1V7kP3LBCk4NfUKzku2L0SZ DDcA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=JCLUg5q3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x6si903475edr.497.2020.08.21.03.33.51; Fri, 21 Aug 2020 03:34:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=JCLUg5q3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728727AbgHUKbG (ORCPT + 99 others); Fri, 21 Aug 2020 06:31:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728585AbgHUKaT (ORCPT ); Fri, 21 Aug 2020 06:30:19 -0400 Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 75650C061349 for ; Fri, 21 Aug 2020 03:30:15 -0700 (PDT) Received: by mail-wr1-x442.google.com with SMTP id f7so1492217wrw.1 for ; Fri, 21 Aug 2020 03:30:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=xrkad1dT1PqnIAHvf/9uKqIEtr9fqQIFC7z/xBajrtk=; b=JCLUg5q3TNl+zUrInUVsJb9rfRTarwsabzIEn4Tk/CwtmbS/lp3Ou6S1BfWrBAUTJ7 fws8rOT5/BjFv0fYuXRPPRRIlHmY3Un0j0LVVLnLcP2cEbTHgobtoDWS6tB0dXEQub8S z4XoKPVmyjyx5YlR9mxAGJYliSpvHRSmBlMXk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=xrkad1dT1PqnIAHvf/9uKqIEtr9fqQIFC7z/xBajrtk=; b=jDEvJeMzhokY44e54mB0whYD5V/4PPeNRJ+nnyRDT0FwSV84yRDqeRO6WMLS2iTA1g +LVzDI0QzTvJ6Z0+zF65WunAMlfhywum1t1q8cN9y+VHs/rMdRbW98X1rsEArOFZ8QQ8 QMgp0g/FTj1jM6iG2o/j3NJkKUnJ82jQ4r8Ds5Zv0LxHcVykyNnsC9oZh45Y+FW/JIB3 u38Dmx1oqS/f7lRlHDD6FltQbtXRA6tkvW4NCTJQGW9Q5QgDc5KiaoriPMA07bN95GYn UzeYU8PE0gy7u6RtoKIAtFCmZXMyHcwd3EiE55u4i3qgRipVyhVhwcBNhQb8hnvtKzLw tBtg== X-Gm-Message-State: AOAM5308ivw4fbfwDq929ip4SO0c07ZC64obLQ0h5uV14eqssunNLuzq BT0q6Ed4Y3haHgepMWwScS5wXg== X-Received: by 2002:adf:efcc:: with SMTP id i12mr2169405wrp.308.1598005814012; Fri, 21 Aug 2020 03:30:14 -0700 (PDT) Received: from antares.lan (2.2.9.a.d.9.4.f.6.1.8.9.f.9.8.5.f.f.6.2.a.5.a.7.0.b.8.0.1.0.0.2.ip6.arpa. [2001:8b0:7a5a:26ff:589f:9816:f49d:a922]) by smtp.gmail.com with ESMTPSA id o2sm3296885wrj.21.2020.08.21.03.30.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 21 Aug 2020 03:30:13 -0700 (PDT) From: Lorenz Bauer To: jakub@cloudflare.com, john.fastabend@gmail.com, yhs@fb.com, Alexei Starovoitov , Daniel Borkmann Cc: kernel-team@cloudflare.com, Lorenz Bauer , netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH bpf-next v3 4/6] bpf: override the meaning of ARG_PTR_TO_MAP_VALUE for sockmap and sockhash Date: Fri, 21 Aug 2020 11:29:46 +0100 Message-Id: <20200821102948.21918-5-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200821102948.21918-1-lmb@cloudflare.com> References: <20200821102948.21918-1-lmb@cloudflare.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The verifier assumes that map values are simple blobs of memory, and therefore treats ARG_PTR_TO_MAP_VALUE, etc. as such. However, there are map types where this isn't true. For example, sockmap and sockhash store sockets. In general this isn't a big problem: we can just write helpers that explicitly requests PTR_TO_SOCKET instead of ARG_PTR_TO_MAP_VALUE. The one exception are the standard map helpers like map_update_elem, map_lookup_elem, etc. Here it would be nice we could overload the function prototype for different kinds of maps. Unfortunately, this isn't entirely straight forward: We only know the type of the map once we have resolved meta->map_ptr in check_func_arg. This means we can't swap out the prototype in check_helper_call until we're half way through the function. Instead, modify check_func_arg to treat ARG_PTR_TO_MAP_VALUE to mean "the native type for the map" instead of "pointer to memory" for sockmap and sockhash. This means we don't have to modify the function prototype at all Signed-off-by: Lorenz Bauer --- kernel/bpf/verifier.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index b6ccfce3bf4c..7e15866c5184 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3872,6 +3872,33 @@ static int int_ptr_type_to_size(enum bpf_arg_type type) return -EINVAL; } +static int resolve_map_arg_type(struct bpf_verifier_env *env, + const struct bpf_call_arg_meta *meta, + enum bpf_arg_type *arg_type) +{ + if (!meta->map_ptr) { + /* kernel subsystem misconfigured verifier */ + verbose(env, "invalid map_ptr to access map->type\n"); + return -EACCES; + } + + switch (meta->map_ptr->map_type) { + case BPF_MAP_TYPE_SOCKMAP: + case BPF_MAP_TYPE_SOCKHASH: + if (*arg_type == ARG_PTR_TO_MAP_VALUE) { + *arg_type = ARG_PTR_TO_SOCKET; + } else { + verbose(env, "invalid arg_type for sockmap/sockhash\n"); + return -EINVAL; + } + break; + + default: + break; + } + return 0; +} + static int check_func_arg(struct bpf_verifier_env *env, u32 arg, struct bpf_call_arg_meta *meta, const struct bpf_func_proto *fn) @@ -3904,6 +3931,14 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return -EACCES; } + if (arg_type == ARG_PTR_TO_MAP_VALUE || + arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE || + arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) { + err = resolve_map_arg_type(env, meta, &arg_type); + if (err) + return err; + } + if (arg_type == ARG_PTR_TO_MAP_KEY || arg_type == ARG_PTR_TO_MAP_VALUE || arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE || -- 2.25.1