| Message ID | 20240911033719.91468-2-lulie@linux.alibaba.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Commit | 8aeaed21befc90f27f4fca6dd190850d97d2e9e3 |
| Headers | show |
| Series | bpf: Allow skb dynptr for tp_btf | expand |
On 9/10/24 8:37 PM, Philo Lu wrote: > Pointers passed to tp_btf were trusted to be valid, but some tracepoints > do take NULL pointer as input, such as trace_tcp_send_reset(). Then the > invalid memory access cannot be detected by verifier. > > This patch fix it by add a suffix "__nullable" to the unreliable > argument. The suffix is shown in btf, and PTR_MAYBE_NULL will be added > to nullable arguments. Then users must check the pointer before use it. > > A problem here is that we use "btf_trace_##call" to search func_proto. > As it is a typedef, argument names as well as the suffix are not > recorded. To solve this, I use bpf_raw_event_map to find > "__bpf_trace##template" from "btf_trace_##call", and then we can see the > suffix. > > Suggested-by: Alexei Starovoitov <ast@kernel.org> > Signed-off-by: Philo Lu <lulie@linux.alibaba.com> > --- > kernel/bpf/btf.c | 9 +++++++++ > kernel/bpf/verifier.c | 36 ++++++++++++++++++++++++++++++++---- > 2 files changed, 41 insertions(+), 4 deletions(-) > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > index 1e29281653c62..d1ea38d08f301 100644 > --- a/kernel/bpf/btf.c > +++ b/kernel/bpf/btf.c > @@ -6385,6 +6385,12 @@ static bool prog_args_trusted(const struct bpf_prog *prog) > } > } > > +static bool prog_arg_maybe_null(const struct bpf_prog *prog, const struct btf *btf, The "prog" arg is not used, so the following nit... > + const struct btf_param *arg) > +{ > + return btf_param_match_suffix(btf, arg, "__nullable"); > +} > + > int btf_ctx_arg_offset(const struct btf *btf, const struct btf_type *func_proto, > u32 arg_no) > { > @@ -6554,6 +6560,9 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, > if (prog_args_trusted(prog)) > info->reg_type |= PTR_TRUSTED; > > + if (prog_arg_maybe_null(prog, btf, &args[arg])) ... I changed it to directly use btf_param_match_suffix(btf, &args[arg], "__nullable"), and removed the new prog_arg_maybe_null(). There are already a few is_kfunc_arg_{nullable, ...} helpers in verifier.c. Maybe we can consider refactoring them (if) there are more use cases like this in the future.
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 1e29281653c62..d1ea38d08f301 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -6385,6 +6385,12 @@ static bool prog_args_trusted(const struct bpf_prog *prog) } } +static bool prog_arg_maybe_null(const struct bpf_prog *prog, const struct btf *btf, + const struct btf_param *arg) +{ + return btf_param_match_suffix(btf, arg, "__nullable"); +} + int btf_ctx_arg_offset(const struct btf *btf, const struct btf_type *func_proto, u32 arg_no) { @@ -6554,6 +6560,9 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, if (prog_args_trusted(prog)) info->reg_type |= PTR_TRUSTED; + if (prog_arg_maybe_null(prog, btf, &args[arg])) + info->reg_type |= PTR_MAYBE_NULL; + if (tgt_prog) { enum bpf_prog_type tgt_type; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 217eb0eafa2a6..72c232fc451be 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -28,6 +28,8 @@ #include <linux/cpumask.h> #include <linux/bpf_mem_alloc.h> #include <net/xdp.h> +#include <linux/trace_events.h> +#include <linux/kallsyms.h> #include "disasm.h" @@ -21788,11 +21790,13 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, { bool prog_extension = prog->type == BPF_PROG_TYPE_EXT; bool prog_tracing = prog->type == BPF_PROG_TYPE_TRACING; + char trace_symbol[KSYM_SYMBOL_LEN]; const char prefix[] = "btf_trace_"; + struct bpf_raw_event_map *btp; int ret = 0, subprog = -1, i; const struct btf_type *t; bool conservative = true; - const char *tname; + const char *tname, *fname; struct btf *btf; long addr = 0; struct module *mod = NULL; @@ -21923,10 +21927,34 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, return -EINVAL; } tname += sizeof(prefix) - 1; - t = btf_type_by_id(btf, t->type); - if (!btf_type_is_ptr(t)) - /* should never happen in valid vmlinux build */ + + /* The func_proto of "btf_trace_##tname" is generated from typedef without argument + * names. Thus using bpf_raw_event_map to get argument names. + */ + btp = bpf_get_raw_tracepoint(tname); + if (!btp) return -EINVAL; + fname = kallsyms_lookup((unsigned long)btp->bpf_func, NULL, NULL, NULL, + trace_symbol); + bpf_put_raw_tracepoint(btp); + + if (fname) + ret = btf_find_by_name_kind(btf, fname, BTF_KIND_FUNC); + + if (!fname || ret < 0) { + bpf_log(log, "Cannot find btf of tracepoint template, fall back to %s%s.\n", + prefix, tname); + t = btf_type_by_id(btf, t->type); + if (!btf_type_is_ptr(t)) + /* should never happen in valid vmlinux build */ + return -EINVAL; + } else { + t = btf_type_by_id(btf, ret); + if (!btf_type_is_func(t)) + /* should never happen in valid vmlinux build */ + return -EINVAL; + } + t = btf_type_by_id(btf, t->type); if (!btf_type_is_func_proto(t)) /* should never happen in valid vmlinux build */
Pointers passed to tp_btf were trusted to be valid, but some tracepoints do take NULL pointer as input, such as trace_tcp_send_reset(). Then the invalid memory access cannot be detected by verifier. This patch fix it by add a suffix "__nullable" to the unreliable argument. The suffix is shown in btf, and PTR_MAYBE_NULL will be added to nullable arguments. Then users must check the pointer before use it. A problem here is that we use "btf_trace_##call" to search func_proto. As it is a typedef, argument names as well as the suffix are not recorded. To solve this, I use bpf_raw_event_map to find "__bpf_trace##template" from "btf_trace_##call", and then we can see the suffix. Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Philo Lu <lulie@linux.alibaba.com> --- kernel/bpf/btf.c | 9 +++++++++ kernel/bpf/verifier.c | 36 ++++++++++++++++++++++++++++++++---- 2 files changed, 41 insertions(+), 4 deletions(-)