Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4173252pxb; Mon, 1 Feb 2021 14:41:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJw9zOLlUj0qVffLkRpTj0pJOtYjZLZb32C3/5kxgByVnLGDh71A664dY91fq5l7RetSHfsK X-Received: by 2002:aa7:c9c9:: with SMTP id i9mr20976659edt.160.1612219264107; Mon, 01 Feb 2021 14:41:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612219264; cv=none; d=google.com; s=arc-20160816; b=UYtUWjhNlB6GoXz5iYeWjJ9cohbXdfNqkZTR0nkcU03Mgt0/yFye87r/+1g6QkslGq g84jliPF+mAsWTLPUT/8gMeny03CYRYyc25EMHRSC+PIMb4eMWbj0MIOo4F65f8+VOT+ IQfGf0JR6r6QA25JLH0iqrJA3kcOoNegF5ElKtbQ5ZATtoFN2C2VwosmWhcoFi3vwaaz uKAS1oT22uNt7Am3qpfbl2wrIkDN97urP5WA7LTY9+uFOPsxhj7G5ITsvYQxNjrEbKou 9EP0wDffZs11Z5cFKhRzyoymw+2mmqGdyJDqnAc/zRGv2Fk0wKzkcJaHIzLLKojs2zWZ EDRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Yaf/PbHaKhyaUlJ6/h7O8e3W3T0WaHrqUBRfhzHRqnk=; b=bwsgx87EcUjSqvmd05ctCsrQrE0m10FR5p2SVGB/qhIjv71cCvVR+/bQT4W1kfBTXq 9GEocIzU5z0rKMgJR9+dYznExt4Pqw85ULhClCOPQH8PtLeLySe77Ru3SKjKn39qnQTo gps5DtsudXRGjbc+ZrBC/kPBNGCnhClS1433z3qtmpf0pGTyTE7YyDaHOlVVRdFI/54L 2mRzZIUHCtTyqIeGkX7Xp5WhaMiZKcW9OHeubcJQXTgdyqnDC0omL2FNxNnqWPFr8QF8 XDYNo1rlTVxKrBJiARy8Qg2EqQI1itIy3qYbyW48STwVJSOadY7C4d3ixUO02pOZ+D5D ZssQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ed9yau0e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hd10si5446776ejc.208.2021.02.01.14.40.33; Mon, 01 Feb 2021 14:41:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ed9yau0e; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229542AbhBAWig (ORCPT + 99 others); Mon, 1 Feb 2021 17:38:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49442 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229525AbhBAWie (ORCPT ); Mon, 1 Feb 2021 17:38:34 -0500 Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D103C061573; Mon, 1 Feb 2021 14:37:54 -0800 (PST) Received: by mail-lf1-x134.google.com with SMTP id a12so25138456lfb.1; Mon, 01 Feb 2021 14:37:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Yaf/PbHaKhyaUlJ6/h7O8e3W3T0WaHrqUBRfhzHRqnk=; b=ed9yau0eCnDK4UrQGHRXItQoXpy8L1KvnsxvE/hurkjjLXm4Z5uqk9NXqcGWhcte1U 7pB6a/Sw/XOMfEX5T2Si3jmmVIWG/v2HdQcM4hQjo5UoY5c/VKbIx3cSpS5riZu3hnVQ dWAYeaaWZMl3OMmOgTAEPmdX+L0A81Cfcc+2ePaugkP79s+F1azZzohi4E8nEDg8Lwd0 eY23wQthXxJCnw7Bt7OxRxwOhoOY1zO5nfwN9UUrDLRPd0qdo9zInTk+aofAtjZa8l3Q xK3ET0ZG+te0sYQ6FxWX502xFlONpJF7IJ8U+34nduSwBOyygINoLdsdZMctrJfOfkH3 ZF+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Yaf/PbHaKhyaUlJ6/h7O8e3W3T0WaHrqUBRfhzHRqnk=; b=Bl+f5mxjYCtwtOFY3vgjlBq7fzuKs0ZmFs+2GcMPAAkMT6jP84/vMJwB26XVqEYW50 cBX3M9XXmmRvvMV7L+usW20Om8ITGb4QzMTP4arXotAY7nEObnzyvJ9FFsdGnxGQlnje we28liEkozdPt/zkSTJhVWLFpYVTXOVgCBHIfYX9CnQLxNBn3iRRZm/1I4ewUP8jAhl8 R9k+EwqPFoekGAyBML7kLxwHXoI4chcQdC3FkR9BnoL+no7kv73fRf9ZKl0DnD+mQb2k Z7Nn8hzZwblvLwesxLJwItaS6tCFTLOlJRCubzBpILOxxkapg+taMk6i7zCMOy7HY8pi l/Iw== X-Gm-Message-State: AOAM5308FOu/qpzjTHFaqiy/4sxA0GfHFwJZ/fTp2K41fRhDNlswxye3 OmccYKjejarHtfh/8RtRl+ii1PlKRwwB007ubZM= X-Received: by 2002:a19:787:: with SMTP id 129mr10258830lfh.540.1612219072752; Mon, 01 Feb 2021 14:37:52 -0800 (PST) MIME-Version: 1.0 References: <20210126183559.1302406-1-revest@chromium.org> <20210126183559.1302406-2-revest@chromium.org> <4a8ceab1-6eef-9fda-0502-5a0550f53ddc@iogearbox.net> <37730136-2c33-589c-a749-4221b60b9751@iogearbox.net> <3f850e85-72ee-5a69-a6f4-7a2daab3af67@iogearbox.net> In-Reply-To: <3f850e85-72ee-5a69-a6f4-7a2daab3af67@iogearbox.net> From: Alexei Starovoitov Date: Mon, 1 Feb 2021 14:37:41 -0800 Message-ID: Subject: Re: [PATCH bpf-next v6 2/5] bpf: Expose bpf_get_socket_cookie to tracing programs To: Daniel Borkmann Cc: Florent Revest , Andrii Nakryiko , bpf , Alexei Starovoitov , Andrii Nakryiko , KP Singh , open list , KP Singh , John Fastabend , Yonghong Song Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 1, 2021 at 2:32 PM Daniel Borkmann wrote: > > On 1/30/21 12:45 PM, Florent Revest wrote: > > On Fri, Jan 29, 2021 at 1:49 PM Daniel Borkmann wrote: > >> On 1/29/21 11:57 AM, Daniel Borkmann wrote: > >>> On 1/27/21 10:01 PM, Andrii Nakryiko wrote: > >>>> On Tue, Jan 26, 2021 at 10:36 AM Florent Revest wrote: > >>>>> > >>>>> This needs a new helper that: > >>>>> - can work in a sleepable context (using sock_gen_cookie) > >>>>> - takes a struct sock pointer and checks that it's not NULL > >>>>> > >>>>> Signed-off-by: Florent Revest > >>>>> Acked-by: KP Singh > >>>>> --- > >>>>> include/linux/bpf.h | 1 + > >>>>> include/uapi/linux/bpf.h | 8 ++++++++ > >>>>> kernel/trace/bpf_trace.c | 2 ++ > >>>>> net/core/filter.c | 12 ++++++++++++ > >>>>> tools/include/uapi/linux/bpf.h | 8 ++++++++ > >>>>> 5 files changed, 31 insertions(+) > >>>>> > >>>>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h > >>>>> index 1aac2af12fed..26219465e1f7 100644 > >>>>> --- a/include/linux/bpf.h > >>>>> +++ b/include/linux/bpf.h > >>>>> @@ -1874,6 +1874,7 @@ extern const struct bpf_func_proto bpf_per_cpu_ptr_proto; > >>>>> extern const struct bpf_func_proto bpf_this_cpu_ptr_proto; > >>>>> extern const struct bpf_func_proto bpf_ktime_get_coarse_ns_proto; > >>>>> extern const struct bpf_func_proto bpf_sock_from_file_proto; > >>>>> +extern const struct bpf_func_proto bpf_get_socket_ptr_cookie_proto; > >>>>> > >>>>> const struct bpf_func_proto *bpf_tracing_func_proto( > >>>>> enum bpf_func_id func_id, const struct bpf_prog *prog); > >>>>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > >>>>> index 0b735c2729b2..5855c398d685 100644 > >>>>> --- a/include/uapi/linux/bpf.h > >>>>> +++ b/include/uapi/linux/bpf.h > >>>>> @@ -1673,6 +1673,14 @@ union bpf_attr { > >>>>> * Return > >>>>> * A 8-byte long unique number. > >>>>> * > >>>>> + * u64 bpf_get_socket_cookie(void *sk) > >>>> > >>>> should the type be `struct sock *` then? > >>> > >>> Checking libbpf's generated bpf_helper_defs.h it generates: > >>> > >>> /* > >>> * bpf_get_socket_cookie > >>> * > >>> * If the **struct sk_buff** pointed by *skb* has a known socket, > >>> * retrieve the cookie (generated by the kernel) of this socket. > >>> * If no cookie has been set yet, generate a new cookie. Once > >>> * generated, the socket cookie remains stable for the life of the > >>> * socket. This helper can be useful for monitoring per socket > >>> * networking traffic statistics as it provides a global socket > >>> * identifier that can be assumed unique. > >>> * > >>> * Returns > >>> * A 8-byte long non-decreasing number on success, or 0 if the > >>> * socket field is missing inside *skb*. > >>> */ > >>> static __u64 (*bpf_get_socket_cookie)(void *ctx) = (void *) 46; > >>> > >>> So in terms of helper comment it's picking up the description from the > >>> `u64 bpf_get_socket_cookie(struct sk_buff *skb)` signature. With that > >>> in mind it would likely make sense to add the actual `struct sock *` type > >>> to the comment to make it more clear in here. > >> > >> One thought that still came to mind when looking over the series again, do > >> we need to blacklist certain functions from bpf_get_socket_cookie() under > >> tracing e.g. when attaching to, say fexit? For example, if sk_prot_free() > >> would be temporary uninlined/exported for testing and bpf_get_socket_cookie() > >> was invoked from a prog upon fexit where sock was already passed back to > >> allocator, I presume there's risk of mem corruption, no? > > > > Mh, this is interesting. I can try to add a deny list in v7 but I'm > > not sure whether I'll be able to catch them all. I'm assuming that > > __sk_destruct, sk_destruct, __sk_free, sk_free would be other > > problematic functions but potentially there would be more. > > I was just looking at bpf_skb_output() from a7658e1a4164 ("bpf: Check types of > arguments passed into helpers") which afaiu has similar issue, back at the time > this was introduced there was no fentry/fexit but rather raw tp progs, so you > could still safely dump skb this way including for kfree_skb() tp. Presumably if > you bpf_skb_output() at 'fexit/kfree_skb' you might be able to similarly crash the verifier cannot check absolutely everything. Whitelisting and blacklisting all combinations is not practical. > your kernel which I don't think is intentional (also given we go above and beyond > in other areas to avoid crashing or destabilizing e.g. [0] to mention one). Maybe > these should really only be for BPF_TRACE_RAW_TP (or BPF_PROG_TYPE_LSM) where it > can be audited that it's safe to use like a7658e1a4164's original intention ... > or have some sort of function annotation like __acquires/__releases but for tracing > e.g. __frees(skb) where use would then be blocked (not sure iff feasible). I think this set is useful and corner cases like fexit in sk_free are not worth the hassle. One can install xdp prog that drops all packets. The server is dead at this point.