diff mbox series

[bpf-next,v2,1/2] bpf: permits pointers on stack for helper calls

Message ID 20201210013349.943719-1-yhs@fb.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series bpf: permits pointers on stack for helper calls | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for bpf-next
netdev/subject_prefix success Link
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 17 this patch: 17
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 17 this patch: 17
netdev/header_inline success Link
netdev/stable success Stable not CCed

Commit Message

Yonghong Song Dec. 10, 2020, 1:33 a.m. UTC
Currently, when checking stack memory accessed by helper calls,
for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are
allowed.

Song discovered an issue where the below bpf program
  int dump_task(struct bpf_iter__task *ctx)
  {
    struct seq_file *seq = ctx->meta->seq;
    static char[] info = "abc";
    BPF_SEQ_PRINTF(seq, "%s\n", info);
    return 0;
  }
may cause a verifier failure.

The verifier output looks like:
  ; struct seq_file *seq = ctx->meta->seq;
  1: (79) r1 = *(u64 *)(r1 +0)
  ; BPF_SEQ_PRINTF(seq, "%s\n", info);
  2: (18) r2 = 0xffff9054400f6000
  4: (7b) *(u64 *)(r10 -8) = r2
  5: (bf) r4 = r10
  ;
  6: (07) r4 += -8
  ; BPF_SEQ_PRINTF(seq, "%s\n", info);
  7: (18) r2 = 0xffff9054400fe000
  9: (b4) w3 = 4
  10: (b4) w5 = 8
  11: (85) call bpf_seq_printf#126
   R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0)
  R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value
  last_idx 11 first_idx 0
  regs=8 stack=0 before 10: (b4) w5 = 8
  regs=8 stack=0 before 9: (b4) w3 = 4
  invalid indirect read from stack off -8+0 size 8

Basically, the verifier complains the map_value pointer at "fp-8" location.
To fix the issue, if env->allow_ptr_leaks is true, let us also permit
pointers on the stack to be accessible by the helper.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Reported-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Song Liu Dec. 10, 2020, 5:18 p.m. UTC | #1
> On Dec 9, 2020, at 5:33 PM, Yonghong Song <yhs@fb.com> wrote:
> 
> Currently, when checking stack memory accessed by helper calls,
> for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are
> allowed.
> 
> Song discovered an issue where the below bpf program
>  int dump_task(struct bpf_iter__task *ctx)
>  {
>    struct seq_file *seq = ctx->meta->seq;
>    static char[] info = "abc";
>    BPF_SEQ_PRINTF(seq, "%s\n", info);
>    return 0;
>  }
> may cause a verifier failure.
> 
> The verifier output looks like:
>  ; struct seq_file *seq = ctx->meta->seq;
>  1: (79) r1 = *(u64 *)(r1 +0)
>  ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>  2: (18) r2 = 0xffff9054400f6000
>  4: (7b) *(u64 *)(r10 -8) = r2
>  5: (bf) r4 = r10
>  ;
>  6: (07) r4 += -8
>  ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>  7: (18) r2 = 0xffff9054400fe000
>  9: (b4) w3 = 4
>  10: (b4) w5 = 8
>  11: (85) call bpf_seq_printf#126
>   R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0)
>  R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value
>  last_idx 11 first_idx 0
>  regs=8 stack=0 before 10: (b4) w5 = 8
>  regs=8 stack=0 before 9: (b4) w3 = 4
>  invalid indirect read from stack off -8+0 size 8
> 
> Basically, the verifier complains the map_value pointer at "fp-8" location.
> To fix the issue, if env->allow_ptr_leaks is true, let us also permit
> pointers on the stack to be accessible by the helper.
> 
> Suggested-by: Alexei Starovoitov <ast@kernel.org>
> Reported-by: Song Liu <songliubraving@fb.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>

Acked-by: Song Liu <songliubraving@fb.com>

Thanks for the fix!

> ---
> kernel/bpf/verifier.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 93def76cf32b..9159c9822ede 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
> 			goto mark;
> 
> 		if (state->stack[spi].slot_type[0] == STACK_SPILL &&
> -		    state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
> +		    (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
> +		     env->allow_ptr_leaks)) {
> 			__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
> 			for (j = 0; j < BPF_REG_SIZE; j++)
> 				state->stack[spi].slot_type[j] = STACK_MISC;
> -- 
> 2.24.1
>
Daniel Borkmann Dec. 11, 2020, 12:10 a.m. UTC | #2
On 12/10/20 2:33 AM, Yonghong Song wrote:
> Currently, when checking stack memory accessed by helper calls,
> for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are
> allowed.
> 
> Song discovered an issue where the below bpf program
>    int dump_task(struct bpf_iter__task *ctx)
>    {
>      struct seq_file *seq = ctx->meta->seq;
>      static char[] info = "abc";
>      BPF_SEQ_PRINTF(seq, "%s\n", info);
>      return 0;
>    }
> may cause a verifier failure.
> 
> The verifier output looks like:
>    ; struct seq_file *seq = ctx->meta->seq;
>    1: (79) r1 = *(u64 *)(r1 +0)
>    ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>    2: (18) r2 = 0xffff9054400f6000
>    4: (7b) *(u64 *)(r10 -8) = r2
>    5: (bf) r4 = r10
>    ;
>    6: (07) r4 += -8
>    ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>    7: (18) r2 = 0xffff9054400fe000
>    9: (b4) w3 = 4
>    10: (b4) w5 = 8
>    11: (85) call bpf_seq_printf#126
>     R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0)
>    R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value
>    last_idx 11 first_idx 0
>    regs=8 stack=0 before 10: (b4) w5 = 8
>    regs=8 stack=0 before 9: (b4) w3 = 4
>    invalid indirect read from stack off -8+0 size 8
> 
> Basically, the verifier complains the map_value pointer at "fp-8" location.
> To fix the issue, if env->allow_ptr_leaks is true, let us also permit
> pointers on the stack to be accessible by the helper.
> 
> Suggested-by: Alexei Starovoitov <ast@kernel.org>
> Reported-by: Song Liu <songliubraving@fb.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
>   kernel/bpf/verifier.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 93def76cf32b..9159c9822ede 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
>   			goto mark;
>   
>   		if (state->stack[spi].slot_type[0] == STACK_SPILL &&
> -		    state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
> +		    (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
> +		     env->allow_ptr_leaks)) {

Afaik, in check_stack_write() we mark some of the spilled_ptr.type as NOT_INIT,
shouldn't we at least avoid an implicit transition of NOT_INIT into SCALAR_VALUE?

>   			__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
>   			for (j = 0; j < BPF_REG_SIZE; j++)
>   				state->stack[spi].slot_type[j] = STACK_MISC;
>
Yonghong Song Dec. 11, 2020, 2:24 a.m. UTC | #3
On 12/10/20 4:10 PM, Daniel Borkmann wrote:
> On 12/10/20 2:33 AM, Yonghong Song wrote:
>> Currently, when checking stack memory accessed by helper calls,
>> for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are
>> allowed.
>>
>> Song discovered an issue where the below bpf program
>>    int dump_task(struct bpf_iter__task *ctx)
>>    {
>>      struct seq_file *seq = ctx->meta->seq;
>>      static char[] info = "abc";
>>      BPF_SEQ_PRINTF(seq, "%s\n", info);
>>      return 0;
>>    }
>> may cause a verifier failure.
>>
>> The verifier output looks like:
>>    ; struct seq_file *seq = ctx->meta->seq;
>>    1: (79) r1 = *(u64 *)(r1 +0)
>>    ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>>    2: (18) r2 = 0xffff9054400f6000
>>    4: (7b) *(u64 *)(r10 -8) = r2
>>    5: (bf) r4 = r10
>>    ;
>>    6: (07) r4 += -8
>>    ; BPF_SEQ_PRINTF(seq, "%s\n", info);
>>    7: (18) r2 = 0xffff9054400fe000
>>    9: (b4) w3 = 4
>>    10: (b4) w5 = 8
>>    11: (85) call bpf_seq_printf#126
>>     R1_w=ptr_seq_file(id=0,off=0,imm=0) 
>> R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0)
>>    R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value
>>    last_idx 11 first_idx 0
>>    regs=8 stack=0 before 10: (b4) w5 = 8
>>    regs=8 stack=0 before 9: (b4) w3 = 4
>>    invalid indirect read from stack off -8+0 size 8
>>
>> Basically, the verifier complains the map_value pointer at "fp-8" 
>> location.
>> To fix the issue, if env->allow_ptr_leaks is true, let us also permit
>> pointers on the stack to be accessible by the helper.
>>
>> Suggested-by: Alexei Starovoitov <ast@kernel.org>
>> Reported-by: Song Liu <songliubraving@fb.com>
>> Signed-off-by: Yonghong Song <yhs@fb.com>
>> ---
>>   kernel/bpf/verifier.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 93def76cf32b..9159c9822ede 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3769,7 +3769,8 @@ static int check_stack_boundary(struct 
>> bpf_verifier_env *env, int regno,
>>               goto mark;
>>           if (state->stack[spi].slot_type[0] == STACK_SPILL &&
>> -            state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
>> +            (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
>> +             env->allow_ptr_leaks)) {
> 
> Afaik, in check_stack_write() we mark some of the spilled_ptr.type as 
> NOT_INIT,
> shouldn't we at least avoid an implicit transition of NOT_INIT into 
> SCALAR_VALUE?

Make sense! here we check env->allow_ptr_leaks and we should the 
spilled_ptr.type for allow_ptr_leaks should be a pointer (!= NOT_INIT).
Will send v3 soon.

> 
>>               __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
>>               for (j = 0; j < BPF_REG_SIZE; j++)
>>                   state->stack[spi].slot_type[j] = STACK_MISC;
>>
>
diff mbox series

Patch

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 93def76cf32b..9159c9822ede 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3769,7 +3769,8 @@  static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
 			goto mark;
 
 		if (state->stack[spi].slot_type[0] == STACK_SPILL &&
-		    state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
+		    (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
+		     env->allow_ptr_leaks)) {
 			__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
 			for (j = 0; j < BPF_REG_SIZE; j++)
 				state->stack[spi].slot_type[j] = STACK_MISC;