Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp881697rwb; Wed, 16 Nov 2022 08:53:34 -0800 (PST) X-Google-Smtp-Source: AA0mqf6yRx34o1WY6eHislws7iFjINw3FMbyCB7Pb9kGg0LFjk5i4MWBZu3ckBxJH6d7eB+cL2fi X-Received: by 2002:a17:90a:f982:b0:210:7cd5:db0e with SMTP id cq2-20020a17090af98200b002107cd5db0emr4795130pjb.30.1668617614485; Wed, 16 Nov 2022 08:53:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668617614; cv=none; d=google.com; s=arc-20160816; b=YSp2OuF3R10AzUDD/Y8MAyFdtMz+7noxuFMMriTJXT25VwZsOJ/857nLCUJJ/5yNEu tWaUpUKz744FYxt1hHSlkJREzyJMTs5l5gGJwcOY3MwYjVzekaf8DsFY8Lx/7lGD5vz5 ljTEPaoJvYo/wXQyHz5p7clyzTpxVMBBJG1o6Sr3UsyCIkHBcod6K7GOvFaTx1T7+fk4 acQ4QVRXSCRZfYl5FgxrDzjjXEhOMa1tMzPcXN6m1pFEISxKqA79JfPrsDqtibnqgis1 +qQip/hlOsISxADSXI1VgcvM/ClwRWTCBG6a+WcXf5szs5fP28qOr1vXxTtuMkJXNIHR uuxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=u/lODpTstCnZBP2jsc4a/1Z9QpTdFzxcPQG8IDaTReU=; b=yHw2bxBeMLWZf2Q9VK6joSWwSNWoIiB8ANbQbadQ2p65Icig9PzHdIdbyxZ+cm/agZ ZOhZEXnz1ikRi3A/diALgFnug3AzhPtNUMHzlBCzzzG1fLV1ei7TCvTOYF+zs7WTtaIA GYT8LKkBveWrxVfk5fUTCxxQSnyRzIrD3e/k/VX8xAeBIYhCHv/YAmPYttuW1J/Tx0dr wjJwyYqcNG1Fqusw2yfXI74yOWGg95A6DtIAVBtgvyBN7JdTXUXUOKW2IynV8VEXgmkE 52BUCBUtI5X4oXwJyCong4yVr5FoFNWW6yN1VsEFzyk13AuHlKcKAZ89pDDkH3qetzaa 0bJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b22-20020a17090a101600b002137030b2basi2203695pja.54.2022.11.16.08.53.22; Wed, 16 Nov 2022 08:53:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239169AbiKPQqZ (ORCPT + 90 others); Wed, 16 Nov 2022 11:46:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32782 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239141AbiKPQqG (ORCPT ); Wed, 16 Nov 2022 11:46:06 -0500 Received: from frasgout11.his.huawei.com (frasgout11.his.huawei.com [14.137.139.23]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D64BA25C58; Wed, 16 Nov 2022 08:41:41 -0800 (PST) Received: from mail02.huawei.com (unknown [172.18.147.229]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4NC7tg2nwfz9v7Hb; Thu, 17 Nov 2022 00:34:51 +0800 (CST) Received: from roberto-ThinkStation-P620 (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwCnRXKgEnVjK3ptAA--.39850S2; Wed, 16 Nov 2022 17:41:16 +0100 (CET) Message-ID: <05bf553f795ac93ea3032cfc1b56ca35fd6a920a.camel@huaweicloud.com> Subject: Re: [PoC][PATCH] bpf: Call return value check function in the JITed code From: Roberto Sassu To: Alexei Starovoitov Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Florent Revest , Brendan Jackman , Paul Moore , James Morris , "Serge E . Hallyn" , bpf , LSM List , LKML , Roberto Sassu Date: Wed, 16 Nov 2022 17:41:00 +0100 In-Reply-To: References: <700dffccdfeeb3d19c5385550e4c84f08c705e19.camel@huaweicloud.com> <20221116154712.4115929-1-roberto.sassu@huaweicloud.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5-0ubuntu1 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-CM-TRANSID: LxC2BwCnRXKgEnVjK3ptAA--.39850S2 X-Coremail-Antispam: 1UD129KBjvJXoWxWF18GF1UuFWUuFy5GFyUZFb_yoW5Xw1kpr WrGFWYkF4DZ3yxGrWqyw45Cw4rX34fJr48G345K348Aayayw1xtw1UKF1Y9F4UCr4vg34F 9FZrZ34fCwnrZaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkFb4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr1j6F4UJwAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG 6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV Cjc4AY6r1j6r4UM4x0Y48IcVAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7MxAIw28IcxkI 7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxV Cjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVW8ZVWrXwCIc40Y0x0EwIxGrwCI42IY 6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6x AIw20EY4v20xvaj40_Wr1j6rW3Jr1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280 aVCY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0xZFpf9x07UZ18PUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAQASBF1jj4WFggACsm X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2022-11-16 at 08:16 -0800, Alexei Starovoitov wrote: > On Wed, Nov 16, 2022 at 7:48 AM Roberto Sassu > wrote: > > +static bool is_ret_value_allowed(int ret, u32 ret_flags) > > +{ > > + if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) || > > + (ret == 0 && !(ret_flags & LSM_RET_ZERO)) || > > + (ret == 1 && !(ret_flags & LSM_RET_ONE)) || > > + (ret > 1 && !(ret_flags & LSM_RET_GT_ONE))) > > + return false; > > + > > + return true; > > +} > > + > > /* For every LSM hook that allows attachment of BPF programs, declare a nop > > * function where a BPF program can be attached. > > */ > > @@ -30,6 +41,15 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ > > #include > > #undef LSM_HOOK > > > > +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...) \ > > +noinline RET bpf_lsm_##NAME##_ret(int ret) \ > > +{ \ > > + return is_ret_value_allowed(ret, RET_FLAGS) ? ret : DEFAULT; \ > > +} > > + > > +#include > > +#undef LSM_HOOK > > + > > because lsm hooks is mess of undocumented return values your > "solution" is to add hundreds of noninline functions > and hack the call into them in JITs ?! I revisited the documentation and checked each LSM hook one by one. Hopefully, I completed it correctly, but I would review again (others are also welcome to do it). Not sure if there is a more efficient way. Do you have any idea? Maybe we find a way to use only one check function (by reusing the address of the attachment point?). Regarding the JIT approach, I didn't find a reliable solution for using just the verifier. As I wrote to you, there could be the case where the range can include positive values, despite the possible return values are zero and -EACCES. # ./test_progs-no_alu32 -t libbpf_get_fd *reg = {type = SCALAR_VALUE, off = 0, {range = 0, {map_ptr = 0x0 , map_uid = 0}, {btf = 0x0 , btf_id = 0}, mem_size = 0, dynptr = {type = BPF_DYNPTR_TYPE_INVALID, first_slot = false}, raw = {raw1 = 0, raw2 = 0}, subprogno = 0}, id = 0, ref_obj_id = 0, var_off = {value = 0, mask = 18446744073709551603}, smin_value = -9223372036854775808, smax_value = 9223372036854775795, umin_value = 0, umax_value = 18446744073709551603, s32_min_value = -2147483648, s32_max_value = 2147483635, u32_min_value = 0, u32_max_value = 4294967283, parent = 0x0 , frameno = 0, subreg_def = 0, live = REG_LIVE_WRITTEN, precise = false} The JIT approach instead is 100% reliable, as you check the real value to be returned to BPF LSM. But of course, the performance will be worse this way. If you are able to determine at verification time that an eBPF program is not going to return illegal values, that would be better. I'm not sure it is feasible. Thanks Roberto