Date: Thu, 18 Apr 2024 01:07:12 +0000
In-Reply-To: <20240418010723.3069001-1-edliaw@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <16430256912363@kroah.com> <20240418010723.3069001-1-edliaw@google.com>
X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog
Message-ID: <20240418010723.3069001-4-edliaw@google.com>
Subject: [PATCH 5.15.y v2 3/5] bpf: Generally fix helper register offset check
From: Edward Liaw
To: stable@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Hao Luo
Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw, netdev@vger.kernel.org, linux-kernel@vger.kernel.org

From: Daniel Borkmann

Right now the assertion on check_ptr_off_reg() is only enforced for register
types PTR_TO_CTX (and open coded also for PTR_TO_BTF_ID), however, this is
insufficient since many other PTR_TO_* register types such as PTR_TO_FUNC do
not handle/expect register offsets when passed to helper functions. Given this
can slip through easily when adding new types, make this an explicit allow-list
and reject all other current and future types by default if this is encountered.

Also, extend check_ptr_off_reg() to handle PTR_TO_BTF_ID as well instead of
duplicating it. For PTR_TO_BTF_ID, reg->off is used for BTF to match expected
BTF ids if struct offset is used. This part still needs to be allowed, but the
dynamic off from the tnum must be rejected.

Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
Fixes: eaa6bcb71ef6 ("bpf: Introduce bpf_per_cpu_ptr()")
Signed-off-by: Daniel Borkmann
Acked-by: John Fastabend
Acked-by: Alexei Starovoitov
(cherry picked from commit 6788ab23508bddb0a9d88e104284922cb2c22b77)
Signed-off-by: Edward Liaw
---
 kernel/bpf/verifier.c | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 61b8a9c69b1c..14813fbebc9f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3792,14 +3792,15 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env, } #endif -int check_ptr_off_reg(struct bpf_verifier_env *env, - const struct bpf_reg_state *reg, int regno) +static int __check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno, + bool fixed_off_ok) { /* Access to this pointer-typed register or passing it to a helper * is only allowed in its original, unmodified form. */ - if (reg->off) { + if (!fixed_off_ok && reg->off) { verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n", reg_type_str(env, reg->type), regno, reg->off); return -EACCES; @@ -3817,6 +3818,12 @@ int check_ptr_off_reg(struct bpf_verifier_env *env, return 0; } +int check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno) +{ + return __check_ptr_off_reg(env, reg, regno, false); +} + static int __check_buffer_access(struct bpf_verifier_env *env, const char *buf_info, const struct bpf_reg_state *reg, @@ -5080,12 +5087,6 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, kernel_type_name(btf_vmlinux, *arg_btf_id)); return -EACCES; } - - if (!tnum_is_const(reg->var_off) || reg->var_off.value) { - verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n", - regno); - return -EACCES; - } } return 0; 
@@ -5140,10 +5141,26 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, if (err) return err; - if (type == PTR_TO_CTX) { - err = check_ptr_off_reg(env, reg, regno); + switch ((u32)type) { + case SCALAR_VALUE: + /* Pointer types where reg offset is explicitly allowed: */ + case PTR_TO_PACKET: + case PTR_TO_PACKET_META: + case PTR_TO_MAP_KEY: + case PTR_TO_MAP_VALUE: + case PTR_TO_MEM: + case PTR_TO_MEM | MEM_RDONLY: + case PTR_TO_BUF: + case PTR_TO_BUF | MEM_RDONLY: + case PTR_TO_STACK: + break; + /* All the rest must be rejected: */ + default: + err = __check_ptr_off_reg(env, reg, regno, + type == PTR_TO_BTF_ID); if (err < 0) return err; + break; } skip_type_check: -- 2.44.0.769.g3c40516874-goog
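Review bot: in the `@@ -3792,14 +3792,15 @@` hunk the comment that opens __check_ptr_off_reg() ("Access to this pointer-typed register or passing it to a helper is only allowed in its original, unmodified form.") is no longer true once fixed_off_ok is set, because `if (!fixed_off_ok && reg->off)` then lets a non-zero reg->off through; update the comment to say that a constant, non-zero reg->off is tolerated when fixed_off_ok is true (the PTR_TO_BTF_ID case, where the changelog says reg->off is needed for BTF id matching) and that a variable offset from the tnum is rejected in every case, and document the new parameter in the same comment rather than leaving its meaning to be inferred from the single call site.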
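Review bot: the `@@ -5080,12 +5087,6 @@` hunk deletes the `!tnum_is_const(reg->var_off) || reg->var_off.value` test, which was the check that rejected a variable offset on a PTR_TO_BTF_ID argument, and relies on __check_ptr_off_reg() to do it instead; the var_off handling of that function lies in the lines elided between `return -EACCES;` and `return 0;` in the `-3792` hunk, so please confirm that those lines still reject a non-constant or non-zero var_off independent of fixed_off_ok, otherwise this hunk loosens the BTF pointer check rather than moving it, contrary to the changelog's "the dynamic off from the tnum must be rejected". Worth stating in the changelog as well: the removed test sat in the same block that reports the *arg_btf_id mismatch, whereas after the move every PTR_TO_BTF_ID argument that reaches the switch in check_func_arg() gets the check, which is a deliberate tightening.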
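Review bot: in the `@@ -5140,10 +5141,26 @@` hunk the `switch ((u32)type)` cast and the OR-ed labels `case PTR_TO_MEM | MEM_RDONLY:` and `case PTR_TO_BUF | MEM_RDONLY:` need a one-line comment: the cast is what allows switching an enum against flag-combined values, and it also means the allow-list (and the `type == PTR_TO_BTF_ID` comparison in the default case) matches the full flagged type rather than the base pointer type, so a PTR_TO_MEM, PTR_TO_BUF or PTR_TO_BTF_ID register carrying any other flag falls into `default:` and gets the strict offset check. That reject-by-default behaviour is the point of the patch, but saying so in a comment will keep a later reader from "fixing" the switch to compare base types and silently widening the allow-list. Since this is a stable backport, it would also help to note in the cover letter whether the upstream selftests that exercise a modified-offset PTR_TO_FUNC argument are carried in this 5-patch series, so the new default rejection is pinned on 5.15.y.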