Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp4325154rwe; Tue, 30 Aug 2022 08:13:19 -0700 (PDT) X-Google-Smtp-Source: AA6agR7U3woeJDunTGaSTav0KlMd0WdJxylJ72DVAeZj0PkivyIyTgrx2ks4oEDYE1raI1N0uRGm X-Received: by 2002:a05:6a00:15c7:b0:52e:5a5d:27fa with SMTP id o7-20020a056a0015c700b0052e5a5d27famr22146135pfu.52.1661872399068; Tue, 30 Aug 2022 08:13:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661872399; cv=none; d=google.com; s=arc-20160816; b=T2a+gc1rCkPFF6pblTbCFV1Pegw7A92WGFXpTiOTgzn/v4ekBYCm3Xl3GJfOTfgCDI ASr4XrkCP76aM/LPE/f3DURy+aYjxm/2a6fY11xpJJ/cC6fWNE3zqA7uFX8njLMRaqpM E4jgJ0aTzoon/5EHj/9O1N6qHtyQk1MgCWblERVMHEGi0YtEOe5CYValBYX+WCzZuC3A tRHFPC4FwNvDOdXv2+Mri0QsY9eQiBKiPharXPt5M0uRy1LKCHdUmWb7b4R0kvmIFZkb hPzfBaz3/N/oGI924Zn6a/58+osOigtp+2zCFMwucEI92NzCQ4MFLmecyi0qD9l8ocu5 z/kQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=lmXShkPGu5qohlisPijwUoqxiVIKAZ+9/TfZzFh7608=; b=l91nT39KNc+Quj+Gp9nfsPXnzRfL3KQsE59JSEjhIrBJ9JTOGU++KUpza9DkeR/kFt dTGUs0mpBdf++1W/UU20+7DIRTzsYa2VXixXNR3NsXmLCSZA7LlNFb6dHc0HOoHuNMcJ 2OqRNlQij3OiIw6KFEJacel6lKBCx+cTueS/jDC9idHeO/6R4g9h+zQUBJvS/B/JiQI1 f5iE4Ct02R3rGBzjfjANPSkFBd4ConVZ4/hD8OKCwRyJ/XHsFJc5DQeN1k3g9R/thz9l mAmb2syOP0gEmcIJdJ5CcS6OjP4HYdVq7+8/OO0MoB6yu/ttlyowMX/W+WDRJvvGEwHJ TLgg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=JDxrlRBM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b12-20020a056a000a8c00b00536542c9c23si12837977pfl.67.2022.08.30.08.13.07; Tue, 30 Aug 2022 08:13:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=JDxrlRBM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229826AbiH3O3o (ORCPT + 99 others); Tue, 30 Aug 2022 10:29:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50230 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229721AbiH3O3k (ORCPT ); Tue, 30 Aug 2022 10:29:40 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EE534D25CD for ; Tue, 30 Aug 2022 07:29:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1661869778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=lmXShkPGu5qohlisPijwUoqxiVIKAZ+9/TfZzFh7608=; b=JDxrlRBMyLVKmtIlqZCS3a/b26dQWvv9SL8Cr7KgoPBgWRRgW7cQgWv7hsGa688ZG7Z97Q AJ+v9u9+do+WQlqO8hGwv1KS7sQ1PwP0654n3DqBGGtN2xohixDoBU33FftHHghNusqip5 xbnrgiFiZXDLfwPPMx8V5oVQ4DxCOCQ= Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-274-vpZF_B4SPwWOUkird7P1DA-1; Tue, 30 Aug 2022 10:29:36 -0400 X-MC-Unique: vpZF_B4SPwWOUkird7P1DA-1 Received: by mail-pl1-f198.google.com with SMTP id u14-20020a170902e5ce00b00174b2ad8435so4362638plf.12 for ; Tue, 30 Aug 2022 07:29:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=lmXShkPGu5qohlisPijwUoqxiVIKAZ+9/TfZzFh7608=; b=E+PXkXSCYZUDawtEPlFuJerGlQtjkR8b3LR5dZdVT0jAbe6LVHDYxDznXaAFBT7Jyb hyjQ64xOs3Q7xGCfvcjaH2CYv16a6KLyz+AaIsCk8kQXXwATgTxPyPLVRuOJtkHNS77j vvgKprG/MR+4uHhOuS9QmtE/YQiwbLWbWkcwjaGcaJfkKwEk98BSQIGcTC1IfyKXPqrc bYYbx7hnKSGeQ4dFb3v4dRTTOlwVNKUXhIT7DzP+g+6pIDb0vCIu24jQJ77JS59hcR9d hLXJTlxHoyagQpe9t2nQ/q//C4+ZJG7ZFBOYzPHahQ7bBUomiiOD3Djh5F7JZvPDkb/u cl9w== X-Gm-Message-State: ACgBeo2WKWOSh+bTugO/oKdaxtFVgXhj+puZ2pUBuNhQvVYF3/1ihaJI 2pvnpANooN/DehZmgdBcQ3Sj8NRZbrDNHk/6w7m5gpLyfoMkfanZlIz1I1mK4gUGWvGrfz5z7Vi FqEMsW5rN+DkLR5GbHPNChNRzoMc+Wt8gW+WGWwWZ X-Received: by 2002:a63:d10b:0:b0:41d:bd7d:7759 with SMTP id k11-20020a63d10b000000b0041dbd7d7759mr18107744pgg.196.1661869775386; Tue, 30 Aug 2022 07:29:35 -0700 (PDT) X-Received: by 2002:a63:d10b:0:b0:41d:bd7d:7759 with SMTP id k11-20020a63d10b000000b0041dbd7d7759mr18107710pgg.196.1661869775042; Tue, 30 Aug 2022 07:29:35 -0700 (PDT) MIME-Version: 1.0 References: <20220824134055.1328882-1-benjamin.tissoires@redhat.com> <20220824134055.1328882-2-benjamin.tissoires@redhat.com> In-Reply-To: From: Benjamin Tissoires Date: Tue, 30 Aug 2022 16:29:23 +0200 Message-ID: Subject: Re: [PATCH bpf-next v9 01/23] bpf/verifier: allow all functions to read user provided context To: Kumar Kartikeya Dwivedi Cc: Alexei Starovoitov , Greg KH , Jiri Kosina , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Shuah Khan , Dave Marchevsky , Joe Stringer , Jonathan Corbet , Tero Kristo , LKML , "open list:HID CORE LAYER" , Network Development , bpf , "open list:KERNEL SELFTEST FRAMEWORK" , "open list:DOCUMENTATION" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 26, 2022 at 3:51 AM Kumar Kartikeya Dwivedi wrote: > > On Fri, 26 Aug 2022 at 03:42, Alexei Starovoitov > wrote: > > > > On Wed, Aug 24, 2022 at 6:41 AM Benjamin Tissoires > > wrote: > > > > > > When a function was trying to access data from context in a syscall eBPF > > > program, the verifier was rejecting the call unless it was accessing the > > > first element. > > > This is because the syscall context is not known at compile time, and > > > so we need to check this when actually accessing it. > > > > > > Check for the valid memory access if there is no convert_ctx callback, > > > and allow such situation to happen. > > > > > > There is a slight hiccup with subprogs. btf_check_subprog_arg_match() > > > will check that the types are matching, which is a good thing, but to > > > have an accurate result, it hides the fact that the context register may > > > be null. This makes env->prog->aux->max_ctx_offset being set to the size > > > of the context, which is incompatible with a NULL context. > > > > > > Solve that last problem by storing max_ctx_offset before the type check > > > and restoring it after. > > > > > > Acked-by: Kumar Kartikeya Dwivedi > > > Signed-off-by: Benjamin Tissoires > > > > > > --- > > > > > > changes in v9: > > > - rewrote the commit title and description > > > - made it so all functions can make use of context even if there is > > > no convert_ctx > > > - remove the is_kfunc field in bpf_call_arg_meta > > > > > > changes in v8: > > > - fixup comment > > > - return -EACCESS instead of -EINVAL for consistency > > > > > > changes in v7: > > > - renamed access_t into atype > > > - allow zero-byte read > > > - check_mem_access() to the correct offset/size > > > > > > new in v6 > > > --- > > > kernel/bpf/btf.c | 11 ++++++++++- > > > kernel/bpf/verifier.c | 19 +++++++++++++++++++ > > > 2 files changed, 29 insertions(+), 1 deletion(-) > > > > > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > > > index 903719b89238..386300f52b23 100644 > > > --- a/kernel/bpf/btf.c > > > +++ b/kernel/bpf/btf.c > > > @@ -6443,8 +6443,8 @@ int btf_check_subprog_arg_match(struct bpf_verifier_env *env, int subprog, > > > { > > > struct bpf_prog *prog = env->prog; > > > struct btf *btf = prog->aux->btf; > > > + u32 btf_id, max_ctx_offset; > > > bool is_global; > > > - u32 btf_id; > > > int err; > > > > > > if (!prog->aux->func_info) > > > @@ -6457,9 +6457,18 @@ int btf_check_subprog_arg_match(struct bpf_verifier_env *env, int subprog, > > > if (prog->aux->func_info_aux[subprog].unreliable) > > > return -EINVAL; > > > > > > + /* subprogs arguments are not actually accessing the data, we need > > > + * to check for the types if they match. > > > + * Store the max_ctx_offset and restore it after btf_check_func_arg_match() > > > + * given that this function will have a side effect of changing it. > > > + */ > > > + max_ctx_offset = env->prog->aux->max_ctx_offset; > > > + > > > is_global = prog->aux->func_info_aux[subprog].linkage == BTF_FUNC_GLOBAL; > > > err = btf_check_func_arg_match(env, btf, btf_id, regs, is_global, 0); > > > > > > + env->prog->aux->max_ctx_offset = max_ctx_offset; > > > > I don't understand this. > > If we pass a ctx into a helper and it's going to > > access [0..N] bytes from it why do we need to hide it? > > max_ctx_offset will be used later raw_tp, tp, syscall progs > > to determine whether it's ok to load them. > > By hiding the actual size of access somebody can construct > > a prog that reads out of bounds. > > How is this related to NULL-ness property? > > Same question, was just typing exactly the same thing. The test I have that is failing in patch 2/23 is the following, with args being set to NULL by userspace: SEC("syscall") int kfunc_syscall_test_null(struct syscall_test_args *args) { bpf_kfunc_call_test_mem_len_pass1(args, 0); return 0; } Basically: if userspace declares the following: DECLARE_LIBBPF_OPTS(bpf_test_run_opts, syscall_topts, .ctx_in = NULL, .ctx_size_in = 0, ); The verifier is happy with the current released kernel: kfunc_syscall_test_fail() never dereferences the ctx pointer, it just passes it around to bpf_kfunc_call_test_mem_len_pass1(), which in turn is also happy because it says it is not accessing the data at all (0 size memory parameter). In the current code, check_helper_mem_access() actually returns -EINVAL, but doesn't change max_ctx_offset (it's still at the value of 0 here). The program is now marked as unreliable, but the verifier goes on. When adding this patch, if we declare a syscall eBPF (or any other function that doesn't have env->ops->convert_ctx_access), the previous "test" is failing because this ensures the syscall program has to have a valid ctx pointer. btf_check_func_arg_match() now calls check_mem_access() which basically validates the fact that the program can dereference the ctx. So now, without the max_ctx_offset store/restore, the verifier enforces that the provided ctx is not null. What I thought that would happen was that if we were to pass a NULL context from userspace, but the eBPF program dereferences it (or in that case have a subprog or a function call that dereferences it), then max_ctx_offset would still be set to the proper value because of that internal dereference, and so the verifier would reject with -EINVAL the call to the eBPF program. If I add another test that has the following ebpf prog (with ctx_in being set to NULL by the userspace): SEC("syscall") int kfunc_syscall_test_null_fail(struct syscall_test_args *args) { bpf_kfunc_call_test_mem_len_pass1(args, sizeof(*args)); return 0; } Then the call of the program is actually failing with -EINVAL, even with this patch. But again, if setting from userspace a ctx of NULL with a 0 size is not considered as valid, then we can just drop that hunk and add a test to enforce it. Cheers, Benjamin > > > > > > + > > > /* Compiler optimizations can remove arguments from static functions > > > * or mismatched type can be passed into a global function. > > > * In such cases mark the function as unreliable from BTF point of view. > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index 2c1f8069f7b7..d694f43ab911 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -5229,6 +5229,25 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, > > > env, > > > regno, reg->off, access_size, > > > zero_size_allowed, ACCESS_HELPER, meta); > > > + case PTR_TO_CTX: > > > + /* in case the function doesn't know how to access the context, > > > + * (because we are in a program of type SYSCALL for example), we > > > + * can not statically check its size. > > > + * Dynamically check it now. > > > + */ > > > + if (!env->ops->convert_ctx_access) { > > > + enum bpf_access_type atype = meta && meta->raw_mode ? BPF_WRITE : BPF_READ; > > > + int offset = access_size - 1; > > > + > > > + /* Allow zero-byte read from PTR_TO_CTX */ > > > + if (access_size == 0) > > > + return zero_size_allowed ? 0 : -EACCES; > > > + > > > + return check_mem_access(env, env->insn_idx, regno, offset, BPF_B, > > > + atype, -1, false); > > > + } > > > > This part looks good alone. Without max_ctx_offset save/restore. > > +1, save/restore would be incorrect. >