diff mbox series

[bpf] bpf: btf: fix truncated last_member_type_id in btf_struct_resolve

Message ID 20220909092107.3035-1-oss@lmb.io (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series [bpf] bpf: btf: fix truncated last_member_type_id in btf_struct_resolve | expand

Checks

Context Check Description
bpf/vmtest-bpf-VM_Test-2 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-VM_Test-5 success Logs for set-matrix
netdev/tree_selection success Clearly marked for bpf
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 4 this patch: 4
netdev/cc_maintainers success CCed 12 of 12 maintainers
netdev/build_clang success Errors and warnings before: 5 this patch: 5
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-VM_Test-1 success Logs for build for s390x with gcc
bpf/vmtest-bpf-VM_Test-3 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-6 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-VM_Test-7 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-8 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-15 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-16 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-17 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-PR success PR summary
bpf/vmtest-bpf-VM_Test-9 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-VM_Test-10 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-12 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-13 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-14 success Logs for test_progs_no_alu32 on x86_64 with llvm-16

Commit Message

Lorenz Bauer Sept. 9, 2022, 9:21 a.m. UTC 
When trying to finish resolving a struct member, btf_struct_resolve
saves the member type id in a u16 temporary variable. This truncates
the 32 bit type id value if it exceeds UINT16_MAX.

As a result, structs that have members with type ids > UINT16_MAX and
which need resolution will fail with a message like this:

    [67414] STRUCT ff_device size=120 vlen=12
        effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size

Fix this by changing the type of last_member_type_id to u32.

Fixes: eb3f595dab40 ("bpf: btf: Validate type reference")
Signed-off-by: Lorenz Bauer <oss@lmb.io>
---
 kernel/bpf/btf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stanislav Fomichev Sept. 9, 2022, 5:19 p.m. UTC | #1 
On 09/09, Lorenz Bauer wrote:
> When trying to finish resolving a struct member, btf_struct_resolve
> saves the member type id in a u16 temporary variable. This truncates
> the 32 bit type id value if it exceeds UINT16_MAX.

> As a result, structs that have members with type ids > UINT16_MAX and
> which need resolution will fail with a message like this:

>      [67414] STRUCT ff_device size=120 vlen=12
>          effect_owners type_id=67434 bits_offset=960 Member exceeds  
> struct_size

> Fix this by changing the type of last_member_type_id to u32.

Makes sense to me; I'm surprised the compiler isn't raising a warning on  
line:
last_member_type_id = last_member->type;

Reviewed-by: Stanislav Fomichev <sdf@google.com>

> Fixes: eb3f595dab40 ("bpf: btf: Validate type reference")
> Signed-off-by: Lorenz Bauer <oss@lmb.io>
> ---
>   kernel/bpf/btf.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 7e64447659f3..36fd4b509294 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -3128,7 +3128,7 @@ static int btf_struct_resolve(struct  
> btf_verifier_env *env,
>   	if (v->next_member) {
>   		const struct btf_type *last_member_type;
>   		const struct btf_member *last_member;
> -		u16 last_member_type_id;
> +		u32 last_member_type_id;

>   		last_member = btf_type_member(v->t) + v->next_member - 1;
>   		last_member_type_id = last_member->type;
> --
> 2.34.1
Martin KaFai Lau Sept. 9, 2022, 6:17 p.m. UTC | #2 
On 9/9/22 2:21 AM, Lorenz Bauer wrote:
> When trying to finish resolving a struct member, btf_struct_resolve
> saves the member type id in a u16 temporary variable. This truncates
> the 32 bit type id value if it exceeds UINT16_MAX.
> 
> As a result, structs that have members with type ids > UINT16_MAX and
> which need resolution will fail with a message like this:
> 
>      [67414] STRUCT ff_device size=120 vlen=12
>          effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size
> 
> Fix this by changing the type of last_member_type_id to u32.
> 
> Fixes: eb3f595dab40 ("bpf: btf: Validate type reference")

The fix tag should be

Fixes: a0791f0df7d2 ("bpf: fix BTF limits")

> Signed-off-by: Lorenz Bauer <oss@lmb.io>
> ---
>   kernel/bpf/btf.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 7e64447659f3..36fd4b509294 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -3128,7 +3128,7 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
>   	if (v->next_member) {
>   		const struct btf_type *last_member_type;
>   		const struct btf_member *last_member;
> -		u16 last_member_type_id;
> +		u32 last_member_type_id;

The change makes sense.

The kernel's vmlinux and module btf parsing doesn't go through this 
resolve check though.  Are you trying to __sys_bpf(BPF_BTF_LOAD) the btf 
from the vmlinux file into the kernel ?
Lorenz Bauer Sept. 10, 2022, 11:02 a.m. UTC | #3 
On Fri, 9 Sep 2022, at 19:17, Martin KaFai Lau wrote:
>
> The fix tag should be
>
> Fixes: a0791f0df7d2 ("bpf: fix BTF limits")

Ah, thanks very much! Sent a v2.

> The change makes sense.
>
> The kernel's vmlinux and module btf parsing doesn't go through this 
> resolve check though.  Are you trying to __sys_bpf(BPF_BTF_LOAD) the btf 
> from the vmlinux file into the kernel ?

Yes, with the twist that the BTF was serialised by github.com/cilium/ebpf instead of libbpf.
diff mbox series

Patch

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 7e64447659f3..36fd4b509294 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3128,7 +3128,7 @@  static int btf_struct_resolve(struct btf_verifier_env *env,
 	if (v->next_member) {
 		const struct btf_type *last_member_type;
 		const struct btf_member *last_member;
-		u16 last_member_type_id;
+		u32 last_member_type_id;
 
 		last_member = btf_type_member(v->t) + v->next_member - 1;
 		last_member_type_id = last_member->type;