From patchwork Fri Jun 7 15:28:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Tissoires X-Patchwork-Id: 13690411 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E19119FA85; Fri, 7 Jun 2024 15:29:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717774148; cv=none; b=lSlS9GWsyCsbNiEYlrWYztkh1eh0rTpdeKC9MwxaFSnL+LOnyCPU/1JqVpOTk0ifFBMR4emjMpCTPGdE6egfnWz3lHlLFKZs+8wZ7TqLYWLnuT9tcXr3+3Ebtec8QkTmP7FR7n6R1ZilfxItcjtysH+diJCwE4IkcsXl3dttc50= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717774148; c=relaxed/simple; bh=TtjyZ/izg+s9HXVd8EhQE8xSZuzHQYiYlGm/WW0aymA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=u9Jch0O9SNU+gxPhORp4/g49EOzuKpQ4FUpd5kdCP224zb1pIc/FpptJz/ZHqoWwi5pYaui8iHv5MQ+imaPnaacD6xznD1T+HWrE4XWIaP0Y32n+d6tf0i3OtSDN0Xbx2rg5VLwYX+Lt83U/f+uh8mD0P8h3VHWSllwlsz02Zjc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=UPZ0ja05; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="UPZ0ja05" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA758C32786; Fri, 7 Jun 2024 15:29:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1717774147; bh=TtjyZ/izg+s9HXVd8EhQE8xSZuzHQYiYlGm/WW0aymA=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=UPZ0ja05QtmDgRLLETpxWuONT3qYlLc/0TVjFhi9psXo2qi5+pJcv2+U33z8gH/2Q +iq1UFI1OiFDw+KL/7uJv62a8VaTkw1V74dks46JMx5fF3r8Sey0Hrw8sQvgANiINP K+DvMtWO/YcbhIlzT00K2qKTdfvVnk1BlJp6IM8EadITbUWNzG6ZoSv/oGiPIVwQrY vj0PJ5VVonMlG7zuzSZhss60T2Pb7sJYiswWVPyUJ3GwOQsPDp3Xs8PrUn+cgVGGAi m512CL6y4BmT+gEpndtQ+dV6ddDWqQf7Lnf6iPzvuEo0CauLKfhgwbJL79ZlMjTP36 y/fojj0QeQ2RA== From: Benjamin Tissoires Date: Fri, 07 Jun 2024 17:28:35 +0200 Subject: [PATCH HID v2 15/16] HID: bpf: rework hid_bpf_ops_btf_struct_access Precedence: bulk X-Mailing-List: linux-kselftest@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-Id: <20240607-hid_bpf_struct_ops-v2-15-3f95f4d02292@kernel.org> References: <20240607-hid_bpf_struct_ops-v2-0-3f95f4d02292@kernel.org> In-Reply-To: <20240607-hid_bpf_struct_ops-v2-0-3f95f4d02292@kernel.org> To: Shuah Khan , Jiri Kosina , Jonathan Corbet , Alexei Starovoitov Cc: linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-input@vger.kernel.org, linux-doc@vger.kernel.org, Benjamin Tissoires X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1717774109; l=4063; i=bentiss@kernel.org; s=20230215; h=from:subject:message-id; bh=TtjyZ/izg+s9HXVd8EhQE8xSZuzHQYiYlGm/WW0aymA=; b=SyH9GsXkta7A7y+QVmvqG72PU58wXxiqMvqZ9USgw55CKUCYzUJn6mpzt7PEszglWcf6ZRQEx F3iRL5e3ps1BpLy/fEu2fVGSTVmyQh+A43CsXwxD2vaavxqnZzCHWHu X-Developer-Key: i=bentiss@kernel.org; a=ed25519; pk=7D1DyAVh6ajCkuUTudt/chMuXWIJHlv2qCsRkIizvFw= The idea is to provide a list of stucts and their editable fields. Currently no functional changes are introduced here, we will add some more writeable fields in the next patch. Signed-off-by: Benjamin Tissoires --- new in v2 --- drivers/hid/bpf/hid_bpf_struct_ops.c | 91 +++++++++++++++++++++++++++--------- 1 file changed, 69 insertions(+), 22 deletions(-) diff --git a/drivers/hid/bpf/hid_bpf_struct_ops.c b/drivers/hid/bpf/hid_bpf_struct_ops.c index 056d05d96962..944e6d91a36b 100644 --- a/drivers/hid/bpf/hid_bpf_struct_ops.c +++ b/drivers/hid/bpf/hid_bpf_struct_ops.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #include "hid_bpf_dispatch.h" @@ -52,40 +53,86 @@ static int hid_bpf_ops_check_member(const struct btf_type *t, return 0; } +struct hid_bpf_offset_write_range { + const char *struct_name; + u32 struct_length; + u32 start; + u32 end; +}; + static int hid_bpf_ops_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, int off, int size) { - const struct btf_type *state; - const struct btf_type *t; - s32 type_id; +#define WRITE_RANGE(_name, _field, _start_offset, _end_offset) \ + { \ + .struct_name = #_name, \ + .struct_length = sizeof(struct _name), \ + .start = offsetof(struct _name, _field) + _start_offset, \ + .end = offsetofend(struct _name, _field) + _end_offset, \ + } - type_id = btf_find_by_name_kind(reg->btf, "hid_bpf_ctx", - BTF_KIND_STRUCT); - if (type_id < 0) - return -EINVAL; + const struct hid_bpf_offset_write_range write_ranges[] = { + WRITE_RANGE(hid_bpf_ctx, retval, 0, 0), + }; +#undef WRITE_RANGE + const struct btf_type *state = NULL; + const struct btf_type *t; + const char *cur = NULL; + int i; t = btf_type_by_id(reg->btf, reg->btf_id); - state = btf_type_by_id(reg->btf, type_id); - if (t != state) { - bpf_log(log, "only access to hid_bpf_ctx is supported\n"); - return -EACCES; - } - /* out-of-bound access in hid_bpf_ctx */ - if (off + size > sizeof(struct hid_bpf_ctx)) { - bpf_log(log, "write access at off %d with size %d\n", off, size); - return -EACCES; + for (i = 0; i < ARRAY_SIZE(write_ranges); i++) { + const struct hid_bpf_offset_write_range *write_range = &write_ranges[i]; + s32 type_id; + + /* we already found a writeable struct, but there is a + * new one, let's break the loop. + */ + if (t == state && write_range->struct_name != cur) + break; + + /* new struct to look for */ + if (write_range->struct_name != cur) { + type_id = btf_find_by_name_kind(reg->btf, write_range->struct_name, + BTF_KIND_STRUCT); + if (type_id < 0) + return -EINVAL; + + state = btf_type_by_id(reg->btf, type_id); + } + + /* this is not the struct we are looking for */ + if (t != state) { + cur = write_range->struct_name; + continue; + } + + /* first time we see this struct, check for out of bounds */ + if (cur != write_range->struct_name && + off + size > write_range->struct_length) { + bpf_log(log, "write access for struct %s at off %d with size %d\n", + write_range->struct_name, off, size); + return -EACCES; + } + + /* now check if we are in our boundaries */ + if (off >= write_range->start && off + size <= write_range->end) + return NOT_INIT; + + cur = write_range->struct_name; } - if (off < offsetof(struct hid_bpf_ctx, retval)) { + + if (t != state) + bpf_log(log, "write access to this struct is not supported\n"); + else bpf_log(log, - "write access at off %d with size %d on read-only part of hid_bpf_ctx\n", - off, size); - return -EACCES; - } + "write access at off %d with size %d on read-only part of %s\n", + off, size, cur); - return NOT_INIT; + return -EACCES; } static const struct bpf_verifier_ops hid_bpf_verifier_ops = {