Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2414749rwb; Wed, 30 Nov 2022 06:24:41 -0800 (PST) X-Google-Smtp-Source: AA0mqf64cbxiYTrOfeav+6Yku6930latb6XsU1ztZC9azIBwnWQZnK9RpvmYhJEJPKfWlqsvaN9r X-Received: by 2002:a50:ed14:0:b0:46b:fb4:6b6f with SMTP id j20-20020a50ed14000000b0046b0fb46b6fmr15381957eds.237.1669818281786; Wed, 30 Nov 2022 06:24:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669818281; cv=none; d=google.com; s=arc-20160816; b=OvIGdr6aojP6pWG2SQWAC/JVLNB1SDWEH6kFHBnJ6MlTYd5tkjAr3XSy/YRyExcur3 hOeCrcLDQPS8Wg13+yMPRQo8sWsIKIUPFHSekNPnD1E53BZYNBC5sGIkLlgdvlATsAdy N2C0o3zDkpFHlyoO0rjsdrkthCmtUVy9MVSt7WwptJbDAD2RF5ETo7bdVUm7jZ8PcGFc jEFFJwxiykEv69oMjJdkUDh2H7O984koB6Ittv1ArRpMboez2Eztjf+jH7plqih9+Rhh 0hxE1rRkvaAGUDrbjhfqaz69ymikgvd2L1WuP7pgRb11+gmYk3jbvQOTltMSgBI6V9IV hang== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=/rfjH+Ywk+Hy7E1u4SxgJ+qFIhLbA9Ml11IbTXtwN8Y=; b=V1WnPEwyVoMxTEDcjCaAtim1YLMN2JK8ZJX/rQOB/9OVculuXUsCB5HdHt6K4QrDDw 4ZihoQXhy4K5pViAqHJ5aGxfB146cfBqxIgV8DEldH8F43I0DkHBBYggAED6y/wKDL63 vlvVgUdl4CwYRHVV1uaOm/YQQK+bn3NWnlBF4iObjMis37kYDIEx6D/9mfb/ccGKixCX bS3ZblEL+2BFjSpmyE7k2sLTMNqvN0EyaiUs6hxLkSy1MBoXXpap+OqvDGb4DYc8fHGR gPjQuGSHM5nfayOJ7hxqzySTsoRK8qkqVYZ5wu45rQQ/DLifP/7SYX89QTEUSEqrhqP1 qNsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sa30-20020a1709076d1e00b007ae3958c7besi1462594ejc.97.2022.11.30.06.24.19; Wed, 30 Nov 2022 06:24:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230216AbiK3NxW (ORCPT + 83 others); Wed, 30 Nov 2022 08:53:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55602 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229719AbiK3NxU (ORCPT ); Wed, 30 Nov 2022 08:53:20 -0500 Received: from frasgout13.his.huawei.com (frasgout13.his.huawei.com [14.137.139.46]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EAE948428; Wed, 30 Nov 2022 05:53:16 -0800 (PST) Received: from mail02.huawei.com (unknown [172.18.147.228]) by frasgout13.his.huawei.com (SkyGuard) with ESMTP id 4NMgTg3PMSz9xHZ9; Wed, 30 Nov 2022 21:46:15 +0800 (CST) Received: from roberto-ThinkStation-P620 (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwCnRXIpYIdjFoOrAA--.3628S2; Wed, 30 Nov 2022 14:52:53 +0100 (CET) Message-ID: <30f658418386dd55aef5d109a52b7a32c4678648.camel@huaweicloud.com> Subject: Re: [PoC][PATCH] bpf: Call return value check function in the JITed code From: Roberto Sassu To: Alexei Starovoitov Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Florent Revest , Brendan Jackman , Paul Moore , James Morris , "Serge E . Hallyn" , bpf , LSM List , LKML , Roberto Sassu Date: Wed, 30 Nov 2022 14:52:38 +0100 In-Reply-To: References: <700dffccdfeeb3d19c5385550e4c84f08c705e19.camel@huaweicloud.com> <20221116154712.4115929-1-roberto.sassu@huaweicloud.com> <05bf553f795ac93ea3032cfc1b56ca35fd6a920a.camel@huaweicloud.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5-0ubuntu1 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-CM-TRANSID: LxC2BwCnRXIpYIdjFoOrAA--.3628S2 X-Coremail-Antispam: 1UD129KBjvJXoWxWF18GrW5Wr43Jw4xCF18uFg_yoWrCw1rpr W5JF15Gr48Ar18Ar1Utwn8KFs3tF1xA3WUW3s8Ary8Ar13Kry3Jr1UGr4Yka1DAr1ktryS vF1DXr47Kwn8XaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkjb4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r4a6rW5MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIE c7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07UZ18PUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAQAMBF1jj4YaIQAAsF X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2022-11-16 at 09:55 -0800, Alexei Starovoitov wrote: > On Wed, Nov 16, 2022 at 8:41 AM Roberto Sassu > wrote: > > On Wed, 2022-11-16 at 08:16 -0800, Alexei Starovoitov wrote: > > > On Wed, Nov 16, 2022 at 7:48 AM Roberto Sassu > > > wrote: > > > > +static bool is_ret_value_allowed(int ret, u32 ret_flags) > > > > +{ > > > > + if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) || > > > > + (ret == 0 && !(ret_flags & LSM_RET_ZERO)) || > > > > + (ret == 1 && !(ret_flags & LSM_RET_ONE)) || > > > > + (ret > 1 && !(ret_flags & LSM_RET_GT_ONE))) > > > > + return false; > > > > + > > > > + return true; > > > > +} > > > > + > > > > /* For every LSM hook that allows attachment of BPF programs, declare a nop > > > > * function where a BPF program can be attached. > > > > */ > > > > @@ -30,6 +41,15 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ > > > > #include > > > > #undef LSM_HOOK > > > > > > > > +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...) \ > > > > +noinline RET bpf_lsm_##NAME##_ret(int ret) \ > > > > +{ \ > > > > + return is_ret_value_allowed(ret, RET_FLAGS) ? ret : DEFAULT; \ > > > > +} > > > > + > > > > +#include > > > > +#undef LSM_HOOK > > > > + > > > > > > because lsm hooks is mess of undocumented return values your > > > "solution" is to add hundreds of noninline functions > > > and hack the call into them in JITs ?! > > > > I revisited the documentation and checked each LSM hook one by one. > > Hopefully, I completed it correctly, but I would review again (others > > are also welcome to do it). > > > > Not sure if there is a more efficient way. Do you have any idea? > > Maybe we find a way to use only one check function (by reusing the > > address of the attachment point?). > > > > Regarding the JIT approach, I didn't find a reliable solution for using > > just the verifier. As I wrote to you, there could be the case where the > > range can include positive values, despite the possible return values > > are zero and -EACCES. > > Didn't you find that there are only 12 or so odd return cases. > Maybe refactor some of them to something that the verifier can enforce > and denylist the rest ? Ok, went back to trying to enforce the return value on the verifier side, assuming that for now we consider hooks that return zero or a negative value. I wanted to see if at least we are able to enforce that. The biggest problem is which value of the register I should use, the 64 bit one or the 32 bit one? We can have a look at test_libbpf_get_fd_by_id_opts. The default flavor gives: 0000000000000000 : 0: b4 00 00 00 00 00 00 00 w0 = 0 1: 79 12 00 00 00 00 00 00 r2 = *(u64 *)(r1 + 0) 2: 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r3 = 0 ll 4: 5d 32 05 00 00 00 00 00 if r2 != r3 goto +5 5: 79 11 08 00 00 00 00 00 r1 = *(u64 *)(r1 + 8) 6: 57 01 00 00 02 00 00 00 r1 &= 2 7: b4 00 00 00 00 00 00 00 w0 = 0 8: 15 01 01 00 00 00 00 00 if r1 == 0 goto +1 9: b4 00 00 00 f3 ff ff ff w0 = -13 smin_value = 0xfffffff3, smax_value = 0xfffffff3, s32_min_value = 0xfffffff3, s32_max_value = 0xfffffff3, I think it is because of this, in check_alu_op(): if (BPF_CLASS(insn->code) == BPF_ALU64) { __mark_reg_known(regs + insn->dst_reg, insn->imm); } else { __mark_reg_known(regs + insn->dst_reg, (u32)insn->imm); } } So, here you have to use the 32 bit values. But, if you use the no_alu32 flavor: 0000000000000000 : 0: b7 00 00 00 00 00 00 00 r0 = 0 1: 79 12 00 00 00 00 00 00 r2 = *(u64 *)(r1 + 0) 2: 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r3 = 0 ll 4: 5d 32 04 00 00 00 00 00 if r2 != r3 goto +4 5: 79 10 08 00 00 00 00 00 r0 = *(u64 *)(r1 + 8) 6: 67 00 00 00 3e 00 00 00 r0 <<= 62 7: c7 00 00 00 3f 00 00 00 r0 s>>= 63 smin_value = 0xffffffffffffffff, smax_value = 0x0, s32_min_value = 0x80000000, s32_max_value = 0x7fffffff, 8: 57 00 00 00 f3 ff ff ff r0 &= -13 smin_value = 0xfffffffffffffff3, smax_value = 0x7fffffffffffffff, s32_min_value = 0x80000000, s32_max_value = 0x7ffffff3, I would have hoped to see: smin_value = 0xfffffffffffffff3, smax_value = 0x0, but it doesn't because of this, in scalar_min_max_and(): if (dst_reg->smin_value < 0 || smin_val < 0) { /* Lose signed bounds when ANDing negative numbers, * ain't nobody got time for that. */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; Could we do an AND, if src_reg is known? And what would be the right register value to use? Thanks Roberto