| Message ID | 20231102201619.3135203-2-song@kernel.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | bpf: File verification with LSM and fsverity | expand |
On Thu, Nov 2, 2023 at 1:16 PM Song Liu <song@kernel.org> wrote: > [...] > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > index df697c74d519..92dc20d9b9ae 100644 > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -1378,6 +1378,7 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, > struct bpf_dynptr_kern *sig_ptr, > struct bpf_key *trusted_keyring) > { > + void *data, *sig; > int ret; > > if (trusted_keyring->has_ref) { > @@ -1394,10 +1395,14 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, > return ret; > } > > - return verify_pkcs7_signature(data_ptr->data, > - __bpf_dynptr_size(data_ptr), > - sig_ptr->data, > - __bpf_dynptr_size(sig_ptr), > + data = __bpf_dynptr_data(data_ptr, __bpf_dynptr_size(data_ptr)); > + sig = __bpf_dynptr_data(sig_ptr, __bpf_dynptr_size(sig_ptr)); > + > + if (!data || !sig) > + return -EINVAL; Sigh, I missed this failure: https://github.com/kernel-patches/bpf/actions/runs/6737884115/job/18316480188 #110/1 kfunc_dynptr_param/dynptr_data_null ... verify_success:FAIL:err unexpected err: actual -22 != expected -74 It is easy to fix, but I am not sure which is the right fix. Basically, null dynptr bpf_verify_pkcs7_signature used to return -EBADMSG. And it is returning -EINVAL after this change. Do we need to keep the error code as -EBADMSG? Thanks, Song > + > + return verify_pkcs7_signature(data, __bpf_dynptr_size(data_ptr), > + sig, __bpf_dynptr_size(sig_ptr), > trusted_keyring->key, > VERIFYING_UNSPECIFIED_SIGNATURE, NULL, > NULL); > -- > 2.34.1 > >
Hi Roberto, On Thu, Nov 2, 2023 at 3:59 PM Song Liu <song@kernel.org> wrote: > > On Thu, Nov 2, 2023 at 1:16 PM Song Liu <song@kernel.org> wrote: > > > [...] > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > > index df697c74d519..92dc20d9b9ae 100644 > > --- a/kernel/trace/bpf_trace.c > > +++ b/kernel/trace/bpf_trace.c > > @@ -1378,6 +1378,7 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, > > struct bpf_dynptr_kern *sig_ptr, > > struct bpf_key *trusted_keyring) > > { > > + void *data, *sig; > > int ret; > > > > if (trusted_keyring->has_ref) { > > @@ -1394,10 +1395,14 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, > > return ret; > > } > > > > - return verify_pkcs7_signature(data_ptr->data, > > - __bpf_dynptr_size(data_ptr), > > - sig_ptr->data, > > - __bpf_dynptr_size(sig_ptr), > > + data = __bpf_dynptr_data(data_ptr, __bpf_dynptr_size(data_ptr)); > > + sig = __bpf_dynptr_data(sig_ptr, __bpf_dynptr_size(sig_ptr)); > > + > > + if (!data || !sig) > > + return -EINVAL; > > Sigh, I missed this failure: > > https://github.com/kernel-patches/bpf/actions/runs/6737884115/job/18316480188 > > #110/1 kfunc_dynptr_param/dynptr_data_null > ... > verify_success:FAIL:err unexpected err: actual -22 != expected -74 > > It is easy to fix, but I am not sure which is the right fix. > > Basically, null dynptr bpf_verify_pkcs7_signature used to return > -EBADMSG. And it > is returning -EINVAL after this change. Do we need to keep the error code as > -EBADMSG? Could you please share your thoughts on this (EINVAL vs. EBADMSG)? Thanks, Song
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index b4825d3cdb29..129c5a7c5982 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1222,6 +1222,8 @@ enum bpf_dynptr_type { int bpf_dynptr_check_size(u32 size); u32 __bpf_dynptr_size(const struct bpf_dynptr_kern *ptr); +void *__bpf_dynptr_data(const struct bpf_dynptr_kern *ptr, u32 len); +void *__bpf_dynptr_data_rw(const struct bpf_dynptr_kern *ptr, u32 len); #ifdef CONFIG_BPF_JIT int bpf_trampoline_link_prog(struct bpf_tramp_link *link, struct bpf_trampoline *tr); diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index e46ac288a108..ddd1a5a81652 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -2611,3 +2611,50 @@ static int __init kfunc_init(void) } late_initcall(kfunc_init); + +/* Get a pointer to dynptr data up to len bytes for read only access. If + * the dynptr doesn't have continuous data up to len bytes, return NULL. + */ +void *__bpf_dynptr_data(const struct bpf_dynptr_kern *ptr, u32 len) +{ + enum bpf_dynptr_type type; + int err; + + if (!ptr->data) + return NULL; + + err = bpf_dynptr_check_off_len(ptr, 0, len); + if (err) + return NULL; + type = bpf_dynptr_get_type(ptr); + + switch (type) { + case BPF_DYNPTR_TYPE_LOCAL: + case BPF_DYNPTR_TYPE_RINGBUF: + return ptr->data + ptr->offset; + case BPF_DYNPTR_TYPE_SKB: + return skb_pointer_if_linear(ptr->data, ptr->offset, len); + case BPF_DYNPTR_TYPE_XDP: + { + void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset, len); + + if (IS_ERR_OR_NULL(xdp_ptr)) + return NULL; + return xdp_ptr; + } + default: + WARN_ONCE(true, "unknown dynptr type %d\n", type); + return NULL; + } +} + +/* Get a pointer to dynptr data up to len bytes for read write access. If + * the dynptr doesn't have continuous data up to len bytes, or the dynptr + * is read only, return NULL. + */ +void *__bpf_dynptr_data_rw(const struct bpf_dynptr_kern *ptr, u32 len) +{ + if (__bpf_dynptr_is_rdonly(ptr)) + return NULL; + return __bpf_dynptr_data(ptr, len); +} diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index df697c74d519..92dc20d9b9ae 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1378,6 +1378,7 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, struct bpf_dynptr_kern *sig_ptr, struct bpf_key *trusted_keyring) { + void *data, *sig; int ret; if (trusted_keyring->has_ref) { @@ -1394,10 +1395,14 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr_kern *data_ptr, return ret; } - return verify_pkcs7_signature(data_ptr->data, - __bpf_dynptr_size(data_ptr), - sig_ptr->data, - __bpf_dynptr_size(sig_ptr), + data = __bpf_dynptr_data(data_ptr, __bpf_dynptr_size(data_ptr)); + sig = __bpf_dynptr_data(sig_ptr, __bpf_dynptr_size(sig_ptr)); + + if (!data || !sig) + return -EINVAL; + + return verify_pkcs7_signature(data, __bpf_dynptr_size(data_ptr), + sig, __bpf_dynptr_size(sig_ptr), trusted_keyring->key, VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
Different types of bpf dynptr have different internal data storage. Specifically, SKB and XDP type of dynptr may have non-continuous data. Therefore, it is not always safe to directly access dynptr->data. Add __bpf_dynptr_data and __bpf_dynptr_data_rw to replace direct access to dynptr->data. Update bpf_verify_pkcs7_signature to use __bpf_dynptr_data instead of dynptr->data. Signed-off-by: Song Liu <song@kernel.org> --- include/linux/bpf.h | 2 ++ kernel/bpf/helpers.c | 47 ++++++++++++++++++++++++++++++++++++++++ kernel/trace/bpf_trace.c | 13 +++++++---- 3 files changed, 58 insertions(+), 4 deletions(-)