Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp545869pxa; Fri, 21 Aug 2020 14:08:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwTSw2fnkRIZH05KEz6umBnIxdlOIdtFoUUEIDMCo6JXw3q20yvGUqu3lb4Rz7NsXif44fD X-Received: by 2002:a05:6402:2037:: with SMTP id ay23mr4673411edb.48.1598044121058; Fri, 21 Aug 2020 14:08:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598044121; cv=none; d=google.com; s=arc-20160816; b=W7t8UwV49PfJyXosL5GYIYJTEl/JUTqVOd4Uvr0mhFT5gzC8OcAjIR0ztYb0yeaD4X B9YXL5yJCpIq6JCM3Ez9hFaLnadDzYYZMRxYEtY4s4+3mmR6J2+CDWyJZx4QH6F+q71L sN8jNvqm9wENllTkyHsaimnInohy4ixXc3Au/554k4uqiJ1jmKWt5HZ4Wktt2qPfWrin nVuvtyLapbJZZX4IynqzZhV/ZJS6lem/E5+ciPwCXegsIohkPuq1vq8/qZxBuYtNOZTW Ygz36Z2bLu/woJEAotAqIkPbbrXn8IUjmEsfDbqT050jYGAHYdLiE5TSakEl0A8CWKwJ rsMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=OQXCUp29lb6BqjJO2CJAZWNuIsyksrXiOIVbI4SnuhQ=; b=lCmcqT5d83vHLcnvmrgvSL3/wuScQEZFwjFJg+Q4R5KR3uD4jhjr0G5bg3xY7iMPCN NgjevFmC7vP0DfDMTB5YFDJVJ8pNStDK8wo/Z5wL09QD7n4qOb4UDPUKWnA3xPObjP9E t8xTqrWFbZr7iCdNSFizOhgR+Oc4N9PorvdqWCM3HmOLiwJfyMS/hfd7HGEY+ikweVw2 IrB+5qK+zDDAcrdVb9vhbpGTDQjos9XmvSZRnn3nAajvTEej5wNyD2E/Dc6cvLRbhNW6 5jbbhAbQlquHNJ5Sh29dfIq1WgS3X67tpXsKQUZliFIcNretJPHFpmex/QBKQTHFb3gx aQQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZkRrP7nn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z6si1867692ede.476.2020.08.21.14.08.02; Fri, 21 Aug 2020 14:08:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZkRrP7nn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726570AbgHUVFb (ORCPT + 99 others); Fri, 21 Aug 2020 17:05:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726243AbgHUVF1 (ORCPT ); Fri, 21 Aug 2020 17:05:27 -0400 Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D020C061573; Fri, 21 Aug 2020 14:05:27 -0700 (PDT) Received: by mail-lj1-x243.google.com with SMTP id t6so3307483ljk.9; Fri, 21 Aug 2020 14:05:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OQXCUp29lb6BqjJO2CJAZWNuIsyksrXiOIVbI4SnuhQ=; b=ZkRrP7nnSwu4H7WRZHwDY0FyeQx8taCAGN8U1bbJSDUf1hSWc3hA5TFEqucs6O/Hjt teaEDF6S8VznfC7i1/bP6wgoUPgTBf27tV+PYZ2iApilhyzR+eWVvCheAUdlDammD5Sn vM1fzGSQqoRtKeaQXZAnceSx+E4ThGH3nMM1Bzr68y9s0PICDu8b0C7/uAEE6reFAehT iX1Ek/vucYWPbUq2stzMEtZTNzUudctC4KZhOwuWsro40NHqPdfBrSFewkogFD8BHJ3L yDYrbfBh4cWd8IyyKdHuxOi9E8XMRSbmtGEgQxHDKlmFMZtuK75tMrQUZL12HWryInHY QDlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OQXCUp29lb6BqjJO2CJAZWNuIsyksrXiOIVbI4SnuhQ=; b=jcfP50OuLjmZ4K7KDwghas6A5tgaxAEC9qDw95YOLwl9yJ0cwKDq6lKC38NYmFaeX9 9ftgTatSasiMq0ZKJl/CvKiGXzdXueFMvm6X0uW4juDjzoDCbW4otK17Y6Sl5buB2xMz noPm0VaFE/zvJ3LOWoBW3s7tX9XgDa0WHW3mlesA47ui8ccKG7jsGm0TnjtO+zXRme+c XmQW55ECTfenhLZ+1avccb5PTnk2cSiP4L3BSqudV6hRW5bi/cQbaqSYYabjBg7motfv hfpuPUGQ1VIpGin63ZExbGr+PMfWbFJvFXsH0W/bcFb0HwZOHcx8UFEHANc1lFFl5T3p sMuA== X-Gm-Message-State: AOAM530P6JvIWGBJdOLykJtmbJZ8pFBCZTR9UXTIiGAAWnRUY6uXPA01 UDUDwbyej1/xRayXdzFTmM01iLxGnHBANazyAJk= X-Received: by 2002:a05:651c:82:: with SMTP id 2mr2380426ljq.2.1598043925659; Fri, 21 Aug 2020 14:05:25 -0700 (PDT) MIME-Version: 1.0 References: <20200821002804.546826-1-udippant@fb.com> <9e829756-e943-e9a8-82f2-1a27a55afeec@fb.com> <732c9be0-cccd-c180-1c18-e7cfce24ac88@fb.com> In-Reply-To: <732c9be0-cccd-c180-1c18-e7cfce24ac88@fb.com> From: Alexei Starovoitov Date: Fri, 21 Aug 2020 14:05:13 -0700 Message-ID: Subject: Re: [PATCH v2 bpf 1/2] bpf: verifier: check for packet data access based on target prog To: Yonghong Song Cc: Udip Pant , Alexei Starovoitov , Martin Lau , Song Liu , Andrii Nakryiko , "David S . Miller" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 21, 2020 at 1:53 PM Yonghong Song wrote: > > > > On 8/21/20 12:07 PM, Udip Pant wrote: > > > > > > =EF=BB=BF> On 8/20/20, 11:17 PM, "Yonghong Song" wrote: > >> > >> > >> > >> On 8/20/20 11:13 PM, Yonghong Song wrote: > >>> > >>> > >>> On 8/20/20 5:28 PM, Udip Pant wrote: > >>>> While using dynamic program extension (of type BPF_PROG_TYPE_EXT), w= e > >>>> need to check the program type of the target program to grant the re= ad / > >>>> write access to the packet data. > >>>> > >>>> The BPF_PROG_TYPE_EXT type can be used to extend types such as XDP, = SKB > >>>> and others. Since the BPF_PROG_TYPE_EXT program type on itself is ju= st a > >>>> placeholder for those, we need this extended check for those target > >>>> programs to actually work while using this option. > >>>> > >>>> Tested this with a freplace xdp program. Without this patch, the > >>>> verifier fails with error 'cannot write into packet'. > >>>> > >>>> Signed-off-by: Udip Pant > >>>> --- > >>>> kernel/bpf/verifier.c | 6 +++++- > >>>> 1 file changed, 5 insertions(+), 1 deletion(-) > >>>> > >>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > >>>> index ef938f17b944..4d7604430994 100644 > >>>> --- a/kernel/bpf/verifier.c > >>>> +++ b/kernel/bpf/verifier.c > >>>> @@ -2629,7 +2629,11 @@ static bool may_access_direct_pkt_data(struct > >>>> bpf_verifier_env *env, > >>>> const struct bpf_call_arg_meta *meta, > >>>> enum bpf_access_type t) > >>>> { > >>>> - switch (env->prog->type) { > >>>> + struct bpf_prog *prog =3D env->prog; > >>>> + enum bpf_prog_type prog_type =3D prog->aux->linked_prog ? > >>>> + prog->aux->linked_prog->type : prog->type; > >>> > >>> I checked the verifier code. There are several places where > >>> prog->type is checked and EXT program type will behave differently > >>> from the linked program. > >>> > >>> Maybe abstract the the above logic to one static function like > >>> > >>> static enum bpf_prog_type resolved_prog_type(struct bpf_prog *prog) > >>> { > >>> return prog->aux->linked_prog ? prog->aux->linked_prog->type > >>> : prog->type; > >>> } > >>> > > > > Sure. > > > >>> This function can then be used in different places to give the resolv= ed > >>> prog type. > >>> > >>> Besides here checking pkt access permission, > >>> another possible places to consider is return value > >>> in function check_return_code(). Currently, > >>> for EXT program, the result value can be anything. This may need to > >>> be enforced. Could you take a look? It could be others as well. > >>> You can take a look at verifier.c by searching "prog->type". > >> > > > > Yeah there are few other places in the verifier where it decides withou= t resolving for the 'extended' type. But I am not too sure if it makes sens= e to extend this logic as part of this commit. For example, as you mentione= d, in the check_return_code() it explicitly ignores the return type for the= EXT prog (kernel/bpf/verifier.c#L7446). Likewise, I noticed similar issue= inside the check_ld_abs(), where it checks for may_access_skb(env->prog->t= ype). > > > > I'm happy to extend this logic there as well if deemed appropriate. > > Thanks. I would like to see the verifier parity between original program > and replace program. That is, if the original program and the replace > program are the same, they should be both either accepted or rejected > by verifier. Yes, this may imply more changes e.g., check_return_code() > or check_ld_abs() than your original patch. > Alexei or Daniel, what is your opinion on this? The set was already marked as 'changes requested' in patchworks. That's an indication that maintainers agree with the feedback :) In this particular case it certainly makes sense to address all cases instead of doing them one at a time.