| Series |
Fixes for dynptr
|
expand
-
[bpf-next,v1,00/13] Fixes for dynptr
-
[bpf-next,v1,01/13] bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func
-
[bpf-next,v1,02/13] bpf: Rework process_dynptr_func
-
[bpf-next,v1,03/13] bpf: Rename confusingly named RET_PTR_TO_ALLOC_MEM
-
[bpf-next,v1,04/13] bpf: Rework check_func_arg_reg_off
-
[bpf-next,v1,05/13] bpf: Fix state pruning for STACK_DYNPTR stack slots
-
[bpf-next,v1,06/13] bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR
-
[bpf-next,v1,07/13] bpf: Fix partial dynptr stack slot reads/writes
-
[bpf-next,v1,08/13] bpf: Use memmove for bpf_dynptr_{read,write}
-
[bpf-next,v1,09/13] selftests/bpf: Add test for dynptr reinit in user_ringbuf callback
-
[bpf-next,v1,10/13] selftests/bpf: Add dynptr pruning tests
-
[bpf-next,v1,11/13] selftests/bpf: Add dynptr var_off tests
-
[bpf-next,v1,12/13] selftests/bpf: Add dynptr partial slot overwrite tests
-
[bpf-next,v1,13/13] selftests/bpf: Add dynptr helper tests
|
This set fixes multiple issues in the dynptr code discovered during code review. - Missing dynptr stack slot liveness propagation - Missing checks for PTR_TO_STACK variable offset - Incomplete destruction of dynptr stack slots on writes - Modification of dynptr struct through callback argument with reg->type == PTR_TO_DYNPTR These can be abused to perform arbitrary kernel memory reads/writes by replacing dynptr contents. The first three cases are now unreachable from unprivileged BPF since the commit 8addbfc7b308 ("bpf: Gate dynptr API behind CAP_BPF") which has been applied to released stable kernels v6.0.1 and v5.19.15. The changes are fairly intrusive and non-trivial, in-depth review is warranted, as they rework the code before making the fixes to it, but for the better (IMO). Please see the individual commit logs for the details. Kumar Kartikeya Dwivedi (13): bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func bpf: Rework process_dynptr_func bpf: Rename confusingly named RET_PTR_TO_ALLOC_MEM bpf: Rework check_func_arg_reg_off bpf: Fix state pruning for STACK_DYNPTR stack slots bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR bpf: Fix partial dynptr stack slot reads/writes bpf: Use memmove for bpf_dynptr_{read,write} selftests/bpf: Add test for dynptr reinit in user_ringbuf callback selftests/bpf: Add dynptr pruning tests selftests/bpf: Add dynptr var_off tests selftests/bpf: Add dynptr partial slot overwrite tests selftests/bpf: Add dynptr helper tests include/linux/bpf.h | 10 +- include/linux/bpf_verifier.h | 8 +- include/uapi/linux/bpf.h | 8 +- kernel/bpf/btf.c | 22 +- kernel/bpf/helpers.c | 22 +- kernel/bpf/verifier.c | 574 ++++++++++++++---- scripts/bpf_doc.py | 1 + tools/include/uapi/linux/bpf.h | 8 +- .../testing/selftests/bpf/prog_tests/dynptr.c | 9 +- .../bpf/prog_tests/kfunc_dynptr_param.c | 5 +- .../selftests/bpf/prog_tests/user_ringbuf.c | 12 +- .../testing/selftests/bpf/progs/dynptr_fail.c | 35 ++ .../selftests/bpf/progs/dynptr_success.c | 20 + .../bpf/progs/test_kfunc_dynptr_param.c | 12 - .../selftests/bpf/progs/user_ringbuf_fail.c | 35 ++ tools/testing/selftests/bpf/verifier/dynptr.c | 182 ++++++ .../testing/selftests/bpf/verifier/ringbuf.c | 2 +- 17 files changed, 780 insertions(+), 185 deletions(-) create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c