Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp872093rdg; Wed, 11 Oct 2023 07:50:38 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGBtOToT2xo4uNL8rS5D2uDPNEfy4XEJXodVraClaKbLmk6GQ7DFGxVMvHoKVcJEN2V7kad X-Received: by 2002:a05:6a00:3992:b0:68a:49bc:e0af with SMTP id fi18-20020a056a00399200b0068a49bce0afmr23500733pfb.1.1697035838341; Wed, 11 Oct 2023 07:50:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697035838; cv=none; d=google.com; s=arc-20160816; b=sEywyBH+l8XYBObXVRKzhE+owNuhqY1vPG6b8nXJqEnE6/iGOi42Jlw8fLBz95gGkh ccE/wRBnjj7v2dcVBpr9OnOJVt/6KLwz2/YWCXTn0sQS1S5YyH42r5ihbCbTl9TLS8wq fLufoxTJWSeRqkD1vhcssSY9cVs2U/ixLlAdkk7DgC8qh+wYi5Gdg63lnH8E42kkBbi6 94nZj818uEYuNyfO5Pqdei/DezZWvCWzME4AUD9k6407iAESUZ3LVrT7N2wI8v6otcjJ cfVqb2rpOCTFYdhOBJSqBvktsSmXZm8DW/Dz1XRvty1LAIlzfIvtoXbvJfUsZM0oXI04 XHRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=0aQhKrb4/+Xz4qVKIM0Ni2OXXGUwXMSHkhmb0dr/HI8=; fh=tJGPhqK6B2TpNL7KZiXTkhW+Zak1PMFT14iahG+qcOY=; b=gQNlbMx9mDfeAJg6WqYI4eWAwSOYTu1B1cEwQKjwPEPfPIVhmgcd7Qlg14bGPE5KCD hbNR5hYwq73ZiYryl6aM0ojURQJ5rgx7a5xgNYwkEhyavOqDhLdfQdDFZdH9EC7EZzs4 Eumf8qsFkfhXC3mDtItzsDDyC0M+cJJDN/QscETJ+u2ddDdLqm9hL8uwahDfpWpQo5wg vK0Bgp8W3f6SsdFweI0ZK7vmvm6cb/1GRRNx++HAnxdnYEmotoT75jsZQvn1cyqFjKR/ MxHt+qmSxiLehWEy2Bicr3u7UXX76dXBspcrqe3hav2oN7aXHQgaSG2O0zT4RdNz+0DS wu1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@iogearbox.net header.s=default2302 header.b=GMRqCZtF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=iogearbox.net Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id bt23-20020a056a00439700b0068e39cd7acdsi12160510pfb.83.2023.10.11.07.50.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Oct 2023 07:50:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@iogearbox.net header.s=default2302 header.b=GMRqCZtF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=iogearbox.net Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 448FD8145555; Wed, 11 Oct 2023 07:50:34 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232598AbjJKOuP (ORCPT + 99 others); Wed, 11 Oct 2023 10:50:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235077AbjJKOuN (ORCPT ); Wed, 11 Oct 2023 10:50:13 -0400 Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7FDB090; Wed, 11 Oct 2023 07:50:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=iogearbox.net; s=default2302; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=0aQhKrb4/+Xz4qVKIM0Ni2OXXGUwXMSHkhmb0dr/HI8=; b=GMRqCZtFYuT29eLIyGZ01UZv5c gP7ASRlMKnQPbIcRLKCnxfO/uZ+io0b+prSrCY9nJyXXsV+y3Yu5hGoLb6/Dp2ZcGuGOXLnCRrcVG 7dHEWCyx3CPka+d6/IdN58HH4K32As7jX4Jjnp6DHvsS3b3d0t8iJg+X6iucx85PKDhwExnvuQpLr hHYUoJIUmijxEE+jo7ZZ7X1WG0XMFmG7O15xVeDp1bqSh1O5DDZxroAoihS4BaUYKATfH/KGb33am 0H1LNM40etqqiwGGi/lo8GiZwFTwGG0uDU7W3eRoXI6pLD5j61l/CJ84ync02ff3JKHCZ0SXv5bux 0+AATayg==; Received: from sslproxy06.your-server.de ([78.46.172.3]) by www62.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qqaXC-000MiE-6e; Wed, 11 Oct 2023 16:50:02 +0200 Received: from [85.1.206.226] (helo=linux.home) by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qqaXB-000KHF-6t; Wed, 11 Oct 2023 16:50:01 +0200 Subject: Re: [PATCH bpf-next] Detect jumping to reserved code during check_cfg() To: Hao Sun , Andrii Nakryiko Cc: John Fastabend , Alexei Starovoitov , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, linux-kernel@vger.kernel.org References: <20231009-jmp-into-reserved-fields-v1-1-d8006e2ac1f6@gmail.com> <6524f6f77b896_66abc2084d@john.notmuch> <92f824ec-9538-501c-e63e-8483ffe14bad@iogearbox.net> From: Daniel Borkmann Message-ID: <79dd71a5-446d-9b05-7d37-40e49bbf04ae@iogearbox.net> Date: Wed, 11 Oct 2023 16:50:00 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.10/27058/Wed Oct 11 09:39:37 2023) X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Wed, 11 Oct 2023 07:50:34 -0700 (PDT) On 10/11/23 8:46 AM, Hao Sun wrote: > On Wed, Oct 11, 2023 at 4:42 AM Andrii Nakryiko > wrote: >> On Tue, Oct 10, 2023 at 1:33 AM Daniel Borkmann wrote: >>> On 10/10/23 9:02 AM, John Fastabend wrote: >>>> Hao Sun wrote: >>>>> Currently, we don't check if the branch-taken of a jump is reserved code of >>>>> ld_imm64. Instead, such a issue is captured in check_ld_imm(). The verifier >>>>> gives the following log in such case: >>>>> >>>>> func#0 @0 >>>>> 0: R1=ctx(off=0,imm=0) R10=fp0 >>>>> 0: (18) r4 = 0xffff888103436000 ; R4_w=map_ptr(off=0,ks=4,vs=128,imm=0) >>>>> 2: (18) r1 = 0x1d ; R1_w=29 >>>>> 4: (55) if r4 != 0x0 goto pc+4 ; R4_w=map_ptr(off=0,ks=4,vs=128,imm=0) >>>>> 5: (1c) w1 -= w1 ; R1_w=0 >>>>> 6: (18) r5 = 0x32 ; R5_w=50 >>>>> 8: (56) if w5 != 0xfffffff4 goto pc-2 >>>>> mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx -1 >>>>> mark_precise: frame0: regs=r5 stack= before 6: (18) r5 = 0x32 >>>>> 7: R5_w=50 >>>>> 7: BUG_ld_00 >>>>> invalid BPF_LD_IMM insn >>>>> >>>>> Here the verifier rejects the program because it thinks insn at 7 is an >>>>> invalid BPF_LD_IMM, but such a error log is not accurate since the issue >>>>> is jumping to reserved code not because the program contains invalid insn. >>>>> Therefore, make the verifier check the jump target during check_cfg(). For >>>>> the same program, the verifier reports the following log: >>>> >>>> I think we at least would want a test case for this. Also how did you create >>>> this case? Is it just something you did manually and noticed a strange error? >>> >>> Curious as well. >>> >>> We do have test cases which try to jump into the middle of a double insn as can >>> be seen that this patch breaks BPF CI with regards to log mismatch below (which >>> still needs to be adapted, too). Either way, it probably doesn't hurt to also add >>> the above snippet as a test. >>> >>> Hao, as I understand, the patch here is an usability improvement (not a fix per se) >>> where we reject such cases earlier during cfg check rather than at a later point >>> where we validate ld_imm instruction. Or are there cases you found which were not >>> yet captured via current check_ld_imm()? >>> >>> test_verifier failure log : >>> >>> #458/u test1 ld_imm64 FAIL >>> Unexpected verifier log! >>> EXP: R1 pointer comparison >>> RES: >>> FAIL >>> Unexpected error message! >>> EXP: R1 pointer comparison >>> RES: jump to reserved code from insn 0 to 2 >>> verification time 22 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> >>> jump to reserved code from insn 0 to 2 >>> verification time 22 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> #458/p test1 ld_imm64 FAIL >>> Unexpected verifier log! >>> EXP: invalid BPF_LD_IMM insn >>> RES: >>> FAIL >>> Unexpected error message! >>> EXP: invalid BPF_LD_IMM insn >>> RES: jump to reserved code from insn 0 to 2 >>> verification time 9 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> >>> jump to reserved code from insn 0 to 2 >>> verification time 9 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> #459/u test2 ld_imm64 FAIL >>> Unexpected verifier log! >>> EXP: R1 pointer comparison >>> RES: >>> FAIL >>> Unexpected error message! >>> EXP: R1 pointer comparison >>> RES: jump to reserved code from insn 0 to 2 >>> verification time 11 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> >>> jump to reserved code from insn 0 to 2 >>> verification time 11 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> #459/p test2 ld_imm64 FAIL >>> Unexpected verifier log! >>> EXP: invalid BPF_LD_IMM insn >>> RES: >>> FAIL >>> Unexpected error message! >>> EXP: invalid BPF_LD_IMM insn >>> RES: jump to reserved code from insn 0 to 2 >>> verification time 8 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> >>> jump to reserved code from insn 0 to 2 >>> verification time 8 usec >>> stack depth 0 >>> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 >>> #460/u test3 ld_imm64 OK >>> >>>>> func#0 @0 >>>>> jump to reserved code from insn 8 to 7 >>>>> >>>>> Signed-off-by: Hao Sun >>> >>> nit: This needs to be before the "---" line. >>> >>>>> --- >>>>> kernel/bpf/verifier.c | 7 +++++++ >>>>> 1 file changed, 7 insertions(+) >>>>> >>>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >>>>> index eed7350e15f4..725ac0b464cf 100644 >>>>> --- a/kernel/bpf/verifier.c >>>>> +++ b/kernel/bpf/verifier.c >>>>> @@ -14980,6 +14980,7 @@ static int push_insn(int t, int w, int e, struct bpf_verifier_env *env, >>>>> { >>>>> int *insn_stack = env->cfg.insn_stack; >>>>> int *insn_state = env->cfg.insn_state; >>>>> + struct bpf_insn *insns = env->prog->insnsi; >>>>> >>>>> if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH)) >>>>> return DONE_EXPLORING; >>>>> @@ -14993,6 +14994,12 @@ static int push_insn(int t, int w, int e, struct bpf_verifier_env *env, >>>>> return -EINVAL; >>>>> } >>>>> >>>>> + if (e == BRANCH && insns[w].code == 0) { >>>>> + verbose_linfo(env, t, "%d", t); >>>>> + verbose(env, "jump to reserved code from insn %d to %d\n", t, w); >>>>> + return -EINVAL; >>>>> + } >>> >>> Other than that, lgtm. >> >> We do rely quite a lot on verifier not complaining eagerly about some >> potentially invalid instructions if it's provable that some portion of >> the code won't ever be reached (think using .rodata variables for >> feature gating, poisoning intructions due to failed CO-RE relocation, >> which libbpf does actively, except it's using a call to non-existing >> helper). As such, check_cfg() is a wrong place to do such validity >> checks because some of the branches might never be run and validated >> in practice. > > Don't really agree. Jump to the middle of ld_imm64 is just like jumping > out of bounds, both break the CFG integrity immediately. For those > apparently incorrect jumps, rejecting early makes everything simple; > otherwise, we probably need some rewrite in the end. Could you elaborate on the 'breaking CFG integrity immediately'? This was what I was trying to gather earlier with log improvement vs actual fix. Do you mean /potentially/ breaking CFG integrity, if, say, we had a double insn jump in future and there is a back-jump to the 2nd part of the insn? > Also, as you mentioned, libbpf relies on non-existing helpers, not jump > to the middle of ld_imm64. It seems better and easier to not leave this > hole. Thanks, Daniel