[RFC,bpf-next,0/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)

Message ID	20220831031907.16133-1-shung-hsi.yu@suse.com (mailing list archive)
Headers	show Return-Path: <bpf-owner@kernel.org> From: Shung-Hsi Yu <shung-hsi.yu@suse.com> To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org Cc: "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "John Fastabend" <john.fastabend@gmail.com>, Shung-Hsi Yu <shung-hsi.yu@suse.com> Subject: [RFC bpf-next 0/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...) Date: Wed, 31 Aug 2022 11:19:05 +0800 Message-Id: <20220831031907.16133-1-shung-hsi.yu@suse.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...) \| expand [RFC,bpf-next,0/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...) [RFC,bpf-next,1/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...) [RFC,bpf-next,2/2] proof for the safe usage of tnum_in()

Message ID

20220831031907.16133-1-shung-hsi.yu@suse.com (mailing list archive)

Headers

From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: "Alexei Starovoitov" <ast@kernel.org>,
        "Daniel Borkmann" <daniel@iogearbox.net>,
        "John Fastabend" <john.fastabend@gmail.com>,
        Shung-Hsi Yu <shung-hsi.yu@suse.com>
Subject: [RFC bpf-next 0/2] bpf: tnums: warn against the usage of
 tnum_in(tnum_range(), ...)
Date: Wed, 31 Aug 2022 11:19:05 +0800
Message-Id: <20220831031907.16133-1-shung-hsi.yu@suse.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 5gR/daOm0u+srdkbx6rmQcFDJo5xaYMpYbIZG/m1cD3vYKjUEdegnxXN00SKs8M9m1WlxQzRQwShSvJzLSJ6wiELLrmkj+LP5QMxty7CScJo8YSSyrAn0jQk7eqvYcZDalWHAAoJHMSsqqmRuYUVEOSipjxGLs74OFhyqKTuGtuGvqm3mV3iTPrTRbdUVKJxu4Cs0Bcpr+fDrNYGhpSRk4eBDGIalJOyuEAI1JYK/maHLQJdIQeVY+ez+S3/cCG3ijai85MXNfx2i9TpOGjI0PfM3xQHR5mlG8X1eRyUYQUTEBHpgimcNRFmM0itNBDBvzizhZnyWx65pdVHvOq3J1+r53P59zrTu29hU+Bvvj6LWnxUixo03vwKVcFz2QCUe8doNrh63HNfc8X3cU+iD+T3uWMoGuCGtyTzcRMHR+y9sR963g9E++ebgJkdwvASnoeAzwZQgJRsBe+ML5Fk6MscVKiTQoc9evlRN9gW4wri3pvK6T3hLz9IvKtuRDe3iTtJQTad5HIamuP9UEBDoCesbiBjbeSlPNJXvGXaNTvXbZX9BzlF5eLDDDk7v6Axd0fdjyeHOt/LOTjd5IYX4LNPHY7tkUj25atWbPdliMwuViRjegYNEVQ7gUo5wxXKCsS6hpkW6eoW/kevzScSOkaR08apv6dW31gPIfcxUXUAs37bVNARWgaeoasZzLtOtihMOoQcbMK7EawOmeGF6a+uxX7HXx6lk1he5ZVAE1bHVH2ED7TKDc/za3o9MSui1ZFH5FvG0T4Znn9DThlyw5XgerG9PJ/0sBetnOj/Cc/gyp1AV4Zdv90PudzSjjIsNjYd2W8w6oMbThWf08Zlfl4qK/VTNdyG118EH+5MTj47Mhhjq82NYP79Vt0+nQ9dVP6EqR7QzUfsyobc56y4Pt+V8MgXj1gKR89qUCJYV1WlTY8WLpqwCLvBxDB/atV9wHLQKc1hv/LfIrmGRSJCivL4hMa927hLTaTmbAmj7gKm8xLjqdwYGXwu4f0JLXYCFjIjbo7Z57lA+eLJHCBzA96ZCFrwgBfvemMn3rM8IQp8IGo65jGaHkC67ktmtGRIp+ffj5y129R49rY85xDEwyNJoY7N7rlrixhopCvaSYWFWxhdHHLd7vQucgMp8BW82+5pJmg41NUSpiRbpUVPfaGen6FQkwaaxQAS4zdJaqu+hA+B1u5NZ3E/VZTc1ekLYNvK4Uls++KtCOwO7Rpzkp52daZLlIyDrmR86PGsleKsMrsdf9FU8td3HfuTyZGlw8i2MB+jHVAMR1+zMkNOZ3v8HFX1VBdkieLYQw1QWYSoCNG+bGNWnzyDVisYbq/pLL5c5KVs8EpFLggZ5lSqoLx1kIXzfkGQURy7JEHcHq6jDoiGReBj5RtzVTdwlgeBaFZyoFjd+OlL74wL9OSC/L7STwFB6YuRJ5vtTBxqm0MU6Zv/9TiF/EwfwcOTXRM5MldymI3pYJuFGewXeEyZIgR7cIqA2ru7edCvN4ohlPoOT7sZ4gWy2IObMJt42pbvrknPz2nCJT9OBPaB5arY/Rr3Vf6c9CcTtgQabTwWD5na1PO4JmqVBbjhj3MXvFXB
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 f9680f7f-07d7-4280-998a-08da8aff996f
X-MS-Exchange-CrossTenant-AuthSource: DB9PR04MB8107.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Aug 2022 03:19:23.9689
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 OA0DpkmEujr7uYfiYUryn7hs5OZ0GZDzpsGzrjO6B5UR8Sn+ZMd2NpXwWOr9uPllr4NgSBUFEEyH6A7uAFqLSg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR04MB3009
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

Series

bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...) | expand

Message

Shung-Hsi Yu Aug. 31, 2022, 3:19 a.m. UTC

Commit a657182a5c51 ("bpf: Don't use tnum_range on array range checking
for poke descriptors") has shown that using tnum_range() as argument to
tnum_in() can lead to misleading code that looks like tight bound check
when in fact the actual allowed range is much wider.

This patchset is a follow up of the above commit. I've audited other
usage of tnum_in() in verifier and have concluded that all of either
provides a tight bound check, or is using reg->var_off as the first
argument, and thus safe.

To prevent the problematic tnum_in(tnum_range(), ...) usage, add
documentation in the tnum.h header file to warn against it.

This is sent as an RFC for two reasons:
1. Gather feedback on whether it's possible to prevent the problematic
   usage besides relying just on documentation. 

   One invasive option is to switch bound-checks done with
   tnum_in(tnum_range(), ...) to use reg->u{min,max}_value instead,
   which should always provide a tight bound check.

   Alternatively maybe problematic usage can be detected through
   development tool (sparse or Coccinelle?), but I know rather little
   about them.
   
2. Attach a proof for the claimed safe usage of tnum_in(tnum_range(), ...)
   found in patch 1, where the proof itself is not meant to be
   merged.

Shung-Hsi Yu (2):
  bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)
  proof for the safe usage of tnum_in()

 include/linux/tnum.h |  20 +++++-
 tnum_in.py           | 158 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 176 insertions(+), 2 deletions(-)
 create mode 100755 tnum_in.py