| Message ID | 20201210013349.943719-1-yhs@fb.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | BPF |
| Headers | show |
| Series | bpf: permits pointers on stack for helper calls | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Clearly marked for bpf-next |
| netdev/subject_prefix | success | Link |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 17 this patch: 17 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 9 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 17 this patch: 17 |
| netdev/header_inline | success | Link |
| netdev/stable | success | Stable not CCed |
> On Dec 9, 2020, at 5:33 PM, Yonghong Song <yhs@fb.com> wrote: > > Currently, when checking stack memory accessed by helper calls, > for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are > allowed. > > Song discovered an issue where the below bpf program > int dump_task(struct bpf_iter__task *ctx) > { > struct seq_file *seq = ctx->meta->seq; > static char[] info = "abc"; > BPF_SEQ_PRINTF(seq, "%s\n", info); > return 0; > } > may cause a verifier failure. > > The verifier output looks like: > ; struct seq_file *seq = ctx->meta->seq; > 1: (79) r1 = *(u64 *)(r1 +0) > ; BPF_SEQ_PRINTF(seq, "%s\n", info); > 2: (18) r2 = 0xffff9054400f6000 > 4: (7b) *(u64 *)(r10 -8) = r2 > 5: (bf) r4 = r10 > ; > 6: (07) r4 += -8 > ; BPF_SEQ_PRINTF(seq, "%s\n", info); > 7: (18) r2 = 0xffff9054400fe000 > 9: (b4) w3 = 4 > 10: (b4) w5 = 8 > 11: (85) call bpf_seq_printf#126 > R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0) > R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value > last_idx 11 first_idx 0 > regs=8 stack=0 before 10: (b4) w5 = 8 > regs=8 stack=0 before 9: (b4) w3 = 4 > invalid indirect read from stack off -8+0 size 8 > > Basically, the verifier complains the map_value pointer at "fp-8" location. > To fix the issue, if env->allow_ptr_leaks is true, let us also permit > pointers on the stack to be accessible by the helper. > > Suggested-by: Alexei Starovoitov <ast@kernel.org> > Reported-by: Song Liu <songliubraving@fb.com> > Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Song Liu <songliubraving@fb.com> Thanks for the fix! > --- > kernel/bpf/verifier.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 93def76cf32b..9159c9822ede 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, > goto mark; > > if (state->stack[spi].slot_type[0] == STACK_SPILL && > - state->stack[spi].spilled_ptr.type == SCALAR_VALUE) { > + (state->stack[spi].spilled_ptr.type == SCALAR_VALUE || > + env->allow_ptr_leaks)) { > __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); > for (j = 0; j < BPF_REG_SIZE; j++) > state->stack[spi].slot_type[j] = STACK_MISC; > -- > 2.24.1 >
On 12/10/20 2:33 AM, Yonghong Song wrote: > Currently, when checking stack memory accessed by helper calls, > for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are > allowed. > > Song discovered an issue where the below bpf program > int dump_task(struct bpf_iter__task *ctx) > { > struct seq_file *seq = ctx->meta->seq; > static char[] info = "abc"; > BPF_SEQ_PRINTF(seq, "%s\n", info); > return 0; > } > may cause a verifier failure. > > The verifier output looks like: > ; struct seq_file *seq = ctx->meta->seq; > 1: (79) r1 = *(u64 *)(r1 +0) > ; BPF_SEQ_PRINTF(seq, "%s\n", info); > 2: (18) r2 = 0xffff9054400f6000 > 4: (7b) *(u64 *)(r10 -8) = r2 > 5: (bf) r4 = r10 > ; > 6: (07) r4 += -8 > ; BPF_SEQ_PRINTF(seq, "%s\n", info); > 7: (18) r2 = 0xffff9054400fe000 > 9: (b4) w3 = 4 > 10: (b4) w5 = 8 > 11: (85) call bpf_seq_printf#126 > R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0) > R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value > last_idx 11 first_idx 0 > regs=8 stack=0 before 10: (b4) w5 = 8 > regs=8 stack=0 before 9: (b4) w3 = 4 > invalid indirect read from stack off -8+0 size 8 > > Basically, the verifier complains the map_value pointer at "fp-8" location. > To fix the issue, if env->allow_ptr_leaks is true, let us also permit > pointers on the stack to be accessible by the helper. > > Suggested-by: Alexei Starovoitov <ast@kernel.org> > Reported-by: Song Liu <songliubraving@fb.com> > Signed-off-by: Yonghong Song <yhs@fb.com> > --- > kernel/bpf/verifier.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 93def76cf32b..9159c9822ede 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, > goto mark; > > if (state->stack[spi].slot_type[0] == STACK_SPILL && > - state->stack[spi].spilled_ptr.type == SCALAR_VALUE) { > + (state->stack[spi].spilled_ptr.type == SCALAR_VALUE || > + env->allow_ptr_leaks)) { Afaik, in check_stack_write() we mark some of the spilled_ptr.type as NOT_INIT, shouldn't we at least avoid an implicit transition of NOT_INIT into SCALAR_VALUE? > __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); > for (j = 0; j < BPF_REG_SIZE; j++) > state->stack[spi].slot_type[j] = STACK_MISC; >
On 12/10/20 4:10 PM, Daniel Borkmann wrote: > On 12/10/20 2:33 AM, Yonghong Song wrote: >> Currently, when checking stack memory accessed by helper calls, >> for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are >> allowed. >> >> Song discovered an issue where the below bpf program >> int dump_task(struct bpf_iter__task *ctx) >> { >> struct seq_file *seq = ctx->meta->seq; >> static char[] info = "abc"; >> BPF_SEQ_PRINTF(seq, "%s\n", info); >> return 0; >> } >> may cause a verifier failure. >> >> The verifier output looks like: >> ; struct seq_file *seq = ctx->meta->seq; >> 1: (79) r1 = *(u64 *)(r1 +0) >> ; BPF_SEQ_PRINTF(seq, "%s\n", info); >> 2: (18) r2 = 0xffff9054400f6000 >> 4: (7b) *(u64 *)(r10 -8) = r2 >> 5: (bf) r4 = r10 >> ; >> 6: (07) r4 += -8 >> ; BPF_SEQ_PRINTF(seq, "%s\n", info); >> 7: (18) r2 = 0xffff9054400fe000 >> 9: (b4) w3 = 4 >> 10: (b4) w5 = 8 >> 11: (85) call bpf_seq_printf#126 >> R1_w=ptr_seq_file(id=0,off=0,imm=0) >> R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0) >> R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value >> last_idx 11 first_idx 0 >> regs=8 stack=0 before 10: (b4) w5 = 8 >> regs=8 stack=0 before 9: (b4) w3 = 4 >> invalid indirect read from stack off -8+0 size 8 >> >> Basically, the verifier complains the map_value pointer at "fp-8" >> location. >> To fix the issue, if env->allow_ptr_leaks is true, let us also permit >> pointers on the stack to be accessible by the helper. >> >> Suggested-by: Alexei Starovoitov <ast@kernel.org> >> Reported-by: Song Liu <songliubraving@fb.com> >> Signed-off-by: Yonghong Song <yhs@fb.com> >> --- >> kernel/bpf/verifier.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index 93def76cf32b..9159c9822ede 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct >> bpf_verifier_env *env, int regno, >> goto mark; >> if (state->stack[spi].slot_type[0] == STACK_SPILL && >> - state->stack[spi].spilled_ptr.type == SCALAR_VALUE) { >> + (state->stack[spi].spilled_ptr.type == SCALAR_VALUE || >> + env->allow_ptr_leaks)) { > > Afaik, in check_stack_write() we mark some of the spilled_ptr.type as > NOT_INIT, > shouldn't we at least avoid an implicit transition of NOT_INIT into > SCALAR_VALUE? Make sense! here we check env->allow_ptr_leaks and we should the spilled_ptr.type for allow_ptr_leaks should be a pointer (!= NOT_INIT). Will send v3 soon. > >> __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); >> for (j = 0; j < BPF_REG_SIZE; j++) >> state->stack[spi].slot_type[j] = STACK_MISC; >> >
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 93def76cf32b..9159c9822ede 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, goto mark; if (state->stack[spi].slot_type[0] == STACK_SPILL && - state->stack[spi].spilled_ptr.type == SCALAR_VALUE) { + (state->stack[spi].spilled_ptr.type == SCALAR_VALUE || + env->allow_ptr_leaks)) { __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); for (j = 0; j < BPF_REG_SIZE; j++) state->stack[spi].slot_type[j] = STACK_MISC;
Currently, when checking stack memory accessed by helper calls, for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are allowed. Song discovered an issue where the below bpf program int dump_task(struct bpf_iter__task *ctx) { struct seq_file *seq = ctx->meta->seq; static char[] info = "abc"; BPF_SEQ_PRINTF(seq, "%s\n", info); return 0; } may cause a verifier failure. The verifier output looks like: ; struct seq_file *seq = ctx->meta->seq; 1: (79) r1 = *(u64 *)(r1 +0) ; BPF_SEQ_PRINTF(seq, "%s\n", info); 2: (18) r2 = 0xffff9054400f6000 4: (7b) *(u64 *)(r10 -8) = r2 5: (bf) r4 = r10 ; 6: (07) r4 += -8 ; BPF_SEQ_PRINTF(seq, "%s\n", info); 7: (18) r2 = 0xffff9054400fe000 9: (b4) w3 = 4 10: (b4) w5 = 8 11: (85) call bpf_seq_printf#126 R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0) R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value last_idx 11 first_idx 0 regs=8 stack=0 before 10: (b4) w5 = 8 regs=8 stack=0 before 9: (b4) w3 = 4 invalid indirect read from stack off -8+0 size 8 Basically, the verifier complains the map_value pointer at "fp-8" location. To fix the issue, if env->allow_ptr_leaks is true, let us also permit pointers on the stack to be accessible by the helper. Suggested-by: Alexei Starovoitov <ast@kernel.org> Reported-by: Song Liu <songliubraving@fb.com> Signed-off-by: Yonghong Song <yhs@fb.com> --- kernel/bpf/verifier.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)