Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp1724058imw; Sat, 16 Jul 2022 13:21:05 -0700 (PDT) X-Google-Smtp-Source: AGRyM1t+NFMvmw/vOlE12BIZ6eIpOvhmVVdM+iwz05J2FartDLhA5PSlfOEuSXyHkmn++czUYN4w X-Received: by 2002:a17:902:6bc5:b0:16c:ea31:5934 with SMTP id m5-20020a1709026bc500b0016cea315934mr166474plt.172.1658002864862; Sat, 16 Jul 2022 13:21:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658002864; cv=none; d=google.com; s=arc-20160816; b=m+DcD8LhjansH8ELbFeNYXsPy+90zvYjV/+Vtyw789kKi1tBchc7pVj/3uegjMlm5m rTTNq+tmt7eOOdt8VJwqRA7a+er+Evsp0K4+cqbB0xb/NP9UjuRIiUv1zsDpOL3iyLZ5 L0yd0m57pMe2anMHCWX9bcz0InXv/KAFTK6datmZTMUDsh+s9zbtB65lyQw6F5McKw5H Cno1PaBVVrYLGo/UEG7Zh19d2fVIklDsXmT0VPmvstdmIsCzGxPDjjp8eeLUM0eU5qi+ KJIeKuk+mJqzYGd16Yx6PhWnM5Bf3iR4UO49mpSzddlSogwFYwthx8Cx7WOxNAsxj9G7 feNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Z4ccNBeWVPImDHLuhSMEUl7P2+XfQAkGMxLoWz9oAMs=; b=oHDjR5mkimrtfhGSpxR4bnEjelYG89pqZlg1HLrcMNti3xXRsYC8HtJQ6V14g0plld a21qy7x8OOoTzGGNUw3TeTeUR2NYn7dkLH8h2XS1QTheLLjYs78NnV3is5Uf/ubE+Oxc c6MjKlyfkp43pbAC9GqlDXsVtR8YefExElVVIOj5+kcU8hdMevQJ+oGh/LFOtLI6bKjy RKhTCEG7VvhjN5iwbjIp489mR5814ymwxt5OUEarlINgF+Kfe8AyyRPRE32/tB4brYrC c+msAvIHl53HHffHbQOZe+Sj8j2rjYhDsr8MjHv48V6IPiC54sABXHlECihiLCWNxNqy IC6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=MUcMO0Hx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d17-20020a056a00245100b0050ad2c9d507si5823983pfj.170.2022.07.16.13.20.50; Sat, 16 Jul 2022 13:21:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=MUcMO0Hx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232479AbiGPTsP (ORCPT + 99 others); Sat, 16 Jul 2022 15:48:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57342 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229457AbiGPTsO (ORCPT ); Sat, 16 Jul 2022 15:48:14 -0400 Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 786D81C101; Sat, 16 Jul 2022 12:48:13 -0700 (PDT) Received: by mail-io1-xd43.google.com with SMTP id q14so6355838iod.3; Sat, 16 Jul 2022 12:48:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z4ccNBeWVPImDHLuhSMEUl7P2+XfQAkGMxLoWz9oAMs=; b=MUcMO0HxCUG8TxgkJwIYYDjnnhga6jwBaNEk+33XIZA/VZBrDlaagvC7/mqfvpZPKY JwbKX4IYv+fLX4r6G7vMdsRPWxsAXAWhfBrb/8ILE1ao3wIRSypWUbIsSkOt1/6tO3qq d1h8Qqxreamtd2ofvtDs30XdLopmcGPSHmoYV08ZUMywF1/W5sNpQNrKt5HRADzVWGXa q40uqgT9rQIAAP/+B4ZsYiZFjkDcPRtejv+Vlq9HXsavSsA6OX+WgqU99QkiJ3J6WUFZ iYjqJwqy66cujVD2cX7q7sIrziw3eYnY4ahHXDU6hmiDGCM+NJ7l8s89orPQmgEFUmO9 jgDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z4ccNBeWVPImDHLuhSMEUl7P2+XfQAkGMxLoWz9oAMs=; b=8MXIKCegq2cXSg7b7hH/gxr59tjp6BEaeu7zvC9rymRabXBV/3hi/jj4u70TdSiBFh WUrBaS1EhoLF4MnKmTAY4ELG16Lsw/0ggoRy74sWqoGvzG3nLDZGdsO846eSHLTxDwDQ Ao7dSNN6Eayw/g5q87+vL/dDx9A8UAXi5bDRxyJyj4duQ3WGPutMNaMF4pfMPbBdqZ+5 9Mnu4n4dG2WgbFQjm8RoeEEVUqtOjPhZOrnwDVqnvicJNMchvFCGDWoB7W4Jt/LKy2By x+h99dQSYf4QlfwxbpYYowpAcnCtjflLqtVagTiLfK2D3Rrkda3junlPxBJF7MJQ995g 68cw== X-Gm-Message-State: AJIora/vUtQ7BUE7SumghXTLduI6qpyTfSlZtQ/lQ/wPFJxunWzCGOxG f/fGeOy5joQiDdxBraGxXtEG57YsOedHu8FB74U= X-Received: by 2002:a05:6602:2e8d:b0:64f:b683:c70d with SMTP id m13-20020a0566022e8d00b0064fb683c70dmr9534049iow.62.1658000892752; Sat, 16 Jul 2022 12:48:12 -0700 (PDT) MIME-Version: 1.0 References: <20220712145850.599666-1-benjamin.tissoires@redhat.com> <20220712145850.599666-3-benjamin.tissoires@redhat.com> In-Reply-To: <20220712145850.599666-3-benjamin.tissoires@redhat.com> From: Kumar Kartikeya Dwivedi Date: Sat, 16 Jul 2022 21:47:34 +0200 Message-ID: Subject: Re: [PATCH bpf-next v6 02/23] bpf/verifier: allow kfunc to read user provided context To: Benjamin Tissoires Cc: Greg KH , Jiri Kosina , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Shuah Khan , Dave Marchevsky , Joe Stringer , Jonathan Corbet , Tero Kristo , linux-kernel@vger.kernel.org, linux-input@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 12 Jul 2022 at 17:02, Benjamin Tissoires wrote: > > When a kfunc was trying to access data from context in a syscall eBPF > program, the verifier was rejecting the call. > This is because the syscall context is not known at compile time, and > so we need to check this when actually accessing it. > > Check for the valid memory access and allow such situation to happen. > > Signed-off-by: Benjamin Tissoires > > --- > > new in v6 > --- > kernel/bpf/verifier.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 328cfab3af60..f6af57a84247 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -248,6 +248,7 @@ struct bpf_call_arg_meta { > struct bpf_map *map_ptr; > bool raw_mode; > bool pkt_access; > + bool is_kfunc; > u8 release_regno; > int regno; > int access_size; > @@ -5170,6 +5171,7 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, > struct bpf_call_arg_meta *meta) > { > struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; > + enum bpf_prog_type prog_type = resolve_prog_type(env->prog); > u32 *max_access; > > switch (base_type(reg->type)) { > @@ -5223,6 +5225,19 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, > env, > regno, reg->off, access_size, > zero_size_allowed, ACCESS_HELPER, meta); > + case PTR_TO_CTX: > + /* in case of a kfunc called in a program of type SYSCALL, the context is > + * user supplied, so not computed statically. > + * Dynamically check it now > + */ > + if (prog_type == BPF_PROG_TYPE_SYSCALL && meta && meta->is_kfunc) { > + enum bpf_access_type access_t = meta->raw_mode ? BPF_WRITE : BPF_READ; small nit: _t suffix is used for types, so you could probably rename this. maybe atype? > + > + return check_mem_access(env, env->insn_idx, regno, access_size, BPF_B, > + access_t, -1, false); If I read the code correctly, this makes the max_ctx_offset of prog access_size + 1 (off + size_to_bytes(BPF_B)), which is 1 more than the actual size being accessed. This also messes up check_helper_mem_access when it allows NULL, 0 pair to pass (because check is against actual size + 1). We do allow passing NULL when size is 0 for kfuncs (see zero_size_allowed is true in check_mem_size_reg), so your hid_hw_request function is missing that NULL check for buf too. In the selftest that checks for failure in loading + bpf_kfunc_call_test_mem_len_pass1(&args->data, sizeof(*args) + 1); so it will still fail with just sizeof(*args). Also please add coverage for this case in the next version. > + } > + > + fallthrough; > default: /* scalar_value or invalid ptr */ > /* Allow zero-byte read from NULL, regardless of pointer type */ > if (zero_size_allowed && access_size == 0 && > @@ -5335,6 +5350,7 @@ int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state > WARN_ON_ONCE(regno < BPF_REG_2 || regno > BPF_REG_5); > > memset(&meta, 0, sizeof(meta)); > + meta.is_kfunc = true; > > if (may_be_null) { > saved_reg = *mem_reg; > -- > 2.36.1 >