Subject: Re: [PATCH bpf-next 0/3] bpf: Add LDX/STX/ST sanitize in jited BPF progs
From: Daniel Borkmann
To: Hao Sun, bpf@vger.kernel.org
Cc: ast@kernel.org, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, davem@davemloft.net, linux-kernel@vger.kernel.org
Date: Thu, 24 Nov 2022 00:41:01 +0100
In-Reply-To: <20221123141546.238297-1-sunhao.th@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On 11/23/22 3:15 PM, Hao Sun wrote:
> The verifier sometimes makes mistakes[1][2] that may be exploited to
> achieve arbitrary read/write. Currently, syzbot is continuously testing
> bpf, and can find memory issues in bpf syscalls, but it can hardly find
> mischecking/bugs in the verifier. We need runtime checks like KASAN in
> BPF programs for this. This patch series implements address sanitize
> in jited BPF progs for testing purposes, so that tools like syzbot can
> find interesting bugs in the verifier automatically by, if possible,
> generating and executing BPF programs that bypass the verifier but have
> memory issues, then triggering this sanitizing.
>
> The idea is to dispatch read/write addr of a BPF program to the kernel
> functions that are instrumented by KASAN, to achieve indirect checking.
> Indirect checking is adopted because this is much simpler; instrumenting
> direct checking like compilers do makes the jit much more complex. The
> main step is: back up R0&R1 and store addr in R1, and then insert the
> checking function before load/store insns, during bpf_misc_fixup(), and
> finally in the jit stage, back up R1~R5 to make sure the checking funcs
> won't corrupt regs states. An extra Kconfig option is used to enable
> this, so the normal use case won't be impacted at all.

Thanks for looking into this! It's a bit unfortunate that this will need
changes in every BPF JIT. Have you thought about a generic solution which
would not require changes in JITs? Given this is for debugging and finding
mischecking/bugs in the verifier, can't we reuse the interpreter for this
and only implement it there? I would be curious if we could achieve the
same result from [3] with such an approach.

> Also, not all ldx/stx/st are instrumented. Insns rewritten by other fixup
> or conversion passes that use BPF_REG_AX are skipped, because that
> conflicts with us; insns whose access addr is specified by R10 are also
> skipped because they are trivial to verify.
>
> Patch1 sanitizes st/stx insns, and Patch2 sanitizes ldx insns, Patch3 adds
> selftests for instrumentation in each possible case, and all new/existing
> selftests for the verifier can pass. Also, a BPF prog that also exploits
> CVE-2022-23222 to achieve OOB read is provided[3]; this can be perfectly
> captured with this patch series.
>
> I haven't found a better way to back up the regs before executing the
> checking functions, and have to store them on the stack. Comments and
> advice are surely welcome.
>
> [1] http://bit.do/CVE-2021-3490
> [2] http://bit.do/CVE-2022-23222
> [3] OOB-read: https://pastebin.com/raw/Ee1Cw492
>
> Hao Sun (3):
>   bpf: Sanitize STX/ST in jited BPF progs with KASAN
>   bpf: Sanitize LDX in jited BPF progs with KASAN
>   selftests/bpf: Add tests for LDX/STX/ST sanitize
>
>  arch/x86/net/bpf_jit_comp.c                  |  34 ++
>  include/linux/bpf.h                          |  14 +
>  kernel/bpf/Kconfig                           |  14 +
>  kernel/bpf/verifier.c                        | 190 +++++++++++
>  .../selftests/bpf/verifier/sanitize_st_ldx.c | 323 ++++++++++++++++++
>  5 files changed, 575 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c
>
>
> base-commit: 8a2162a9227dda936a21fe72014a9931a3853a7b

Thanks,
Daniel
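A toy model of the rewrite pass the cover letter outlines, added here as an illustration and not code from the patch series: it applies the two skip rules (accesses through R10, and insns touching BPF_REG_AX) and, before every remaining memory LDX/STX/ST, emits the spill-R0/R1, R1 = addr, call-check, reload sequence. The opcode and register numbers follow the eBPF encoding; the helper id (CHECK_ID) and the stack spill slots are placeholders, and the in-kernel pass in bpf_misc_fixup() is not shown on this page.

```c
/* Toy model of the LDX/STX/ST instrumentation pass from the cover letter. Constructed
 * illustration, not the patch's code: CHECK_ID and the spill slots are placeholders. */
#include <stdint.h>
enum { BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_JMP = 0x05, BPF_ALU64 = 0x07,
       BPF_MEM = 0x60, BPF_DW = 0x18, BPF_CALL = 0x80, BPF_MOV = 0xb0, BPF_ADD = 0x00,
       BPF_X = 0x08, BPF_K = 0x00, R0 = 0, R1 = 1, R10 = 10 /* frame pointer */,
       AX = 11 /* scratch reg used by other fixup passes */, CHECK_ID = 0x7fff /* placeholder */ };
struct bpf_insn { uint8_t code; uint8_t dst_reg:4; uint8_t src_reg:4; int16_t off; int32_t imm; };
/* Base register of a memory LDX/STX/ST that gets a check, or -1 when the insn is
 * skipped: not a memory access, addressed via the frame pointer, or touching AX. */
int sanitize_base(const struct bpf_insn *in)
{
    int cls = in->code & 0x07, mode = in->code & 0xe0;
    int base = cls == BPF_LDX ? in->src_reg : in->dst_reg; /* load: src+off, store: dst+off */
    if (mode != BPF_MEM || (cls != BPF_LDX && cls != BPF_STX && cls != BPF_ST)) return -1;
    return (base == R10 || in->dst_reg == AX || in->src_reg == AX) ? -1 : base;
}
/* Copies prog into out; before each instrumented access it spills R0/R1, sets
 * R1 = base + off, calls the check, and reloads R0/R1. Returns the new length. */
int instrument(const struct bpf_insn *prog, int n, struct bpf_insn *out)
{
    int k = 0;
    for (int i = 0; i < n; i++) {
        int base = sanitize_base(&prog[i]);
        if (base >= 0) {
            out[k++] = (struct bpf_insn){BPF_STX|BPF_MEM|BPF_DW, R10, R0, -8, 0};
            out[k++] = (struct bpf_insn){BPF_STX|BPF_MEM|BPF_DW, R10, R1, -16, 0};
            out[k++] = (struct bpf_insn){BPF_ALU64|BPF_MOV|BPF_X, R1, base, 0, 0};
            out[k++] = (struct bpf_insn){BPF_ALU64|BPF_ADD|BPF_K, R1, 0, 0, prog[i].off};
            out[k++] = (struct bpf_insn){BPF_JMP|BPF_CALL, 0, 0, 0, CHECK_ID};
            out[k++] = (struct bpf_insn){BPF_LDX|BPF_MEM|BPF_DW, R0, R10, -8, 0};
            out[k++] = (struct bpf_insn){BPF_LDX|BPF_MEM|BPF_DW, R1, R10, -16, 0};
        }
        out[k++] = prog[i]; /* the original access follows its check */
    }
    return k;
}
/* Constructed sample program: two of its four memory accesses qualify. */
int demo(void)
{
    struct bpf_insn prog[] = {
        {BPF_LDX|BPF_MEM|BPF_DW, 2, R1, 16, 0},  /* r2 = *(r1 + 16): instrumented */
        {BPF_STX|BPF_MEM|BPF_DW, R10, 3, -8, 0}, /* *(r10 - 8) = r3: skipped, fp */
        {BPF_ST|BPF_MEM|BPF_DW, 2, 0, 0, 1},     /* *(r2 + 0) = 1: instrumented */
        {BPF_LDX|BPF_MEM|BPF_DW, R0, AX, 0, 0},  /* r0 = *(ax + 0): skipped, AX */
        {BPF_ALU64|BPF_MOV|BPF_K, R0, 0, 0, 0},  /* r0 = 0: not a memory access */
    };
    struct bpf_insn out[64];
    return instrument(prog, sizeof prog / sizeof prog[0], out); /* 5 + 2 * 7 = 19 */
}
```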