Message ID | 20220330011456.2984509-1-kafai@fb.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 4a9c7bbe2ed4d2b240674b1fb606c41d3940c412 |
Delegated to: | BPF |
Series | [bpf,1/2] bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT |
On 3/29/22 6:14 PM, Martin KaFai Lau wrote:
> The commit 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
> fixes the verifier checking for BPF_PROG_TYPE_EXT (extension)
> prog such that the verifier looks for things based
> on the target prog type that it is extending instead of
> the BPF_PROG_TYPE_EXT itself.
>
> The current resolve_prog_type() returns the target prog type.
> It checks for nullness on prog->aux->dst_prog. However,
> when loading a BPF_PROG_TYPE_TRACING prog and it is tracing another
> bpf prog instead of a kernel function, prog->aux->dst_prog is not
> NULL also. In this case, the verifier should still verify as the
> BPF_PROG_TYPE_TRACING type instead of the traced prog type in
> prog->aux->dst_prog->type.
>
> An oops has been reported when tracing a struct_ops prog. A NULL
> dereference happened in check_return_code() when accessing the
> prog->aux->attach_func_proto->type and prog->aux->attach_func_proto
> is NULL here because the traced struct_ops prog has the "unreliable" set.
>
> This patch is to change the resolve_prog_type() to only
> return the target prog type if the prog being verified is
> BPF_PROG_TYPE_EXT.
>
> Fixes: 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>

Acked-by: Yonghong Song <yhs@fb.com>
Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Tue, 29 Mar 2022 18:14:56 -0700 you wrote:
> The commit 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
> fixes the verifier checking for BPF_PROG_TYPE_EXT (extension)
> prog such that the verifier looks for things based
> on the target prog type that it is extending instead of
> the BPF_PROG_TYPE_EXT itself.
>
> The current resolve_prog_type() returns the target prog type.
> It checks for nullness on prog->aux->dst_prog. However,
> when loading a BPF_PROG_TYPE_TRACING prog and it is tracing another
> bpf prog instead of a kernel function, prog->aux->dst_prog is not
> NULL also. In this case, the verifier should still verify as the
> BPF_PROG_TYPE_TRACING type instead of the traced prog type in
> prog->aux->dst_prog->type.
>
> [...]

Here is the summary with links:
  - [bpf,1/2] bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
    https://git.kernel.org/bpf/bpf/c/4a9c7bbe2ed4
  - [bpf,2/2] bpf: selftests: Test fentry tracing a struct_ops program
    https://git.kernel.org/bpf/bpf/c/0a210af6d0a0

You are awesome, thank you!
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index c1fc4af47f69..3a9d2d7cc6b7 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -570,9 +570,11 @@ static inline u32 type_flag(u32 type) return type & ~BPF_BASE_TYPE_MASK; } +/* only use after check_attach_btf_id() */ static inline enum bpf_prog_type resolve_prog_type(struct bpf_prog *prog) { - return prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; + return prog->type == BPF_PROG_TYPE_EXT ? + prog->aux->dst_prog->type : prog->type; } #endif /* _LINUX_BPF_VERIFIER_H */
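Review bot: in resolve_prog_type(), the new BPF_PROG_TYPE_EXT branch dereferences prog->aux->dst_prog with no NULL check, where the removed ternary tested the pointer first, so correctness now rests entirely on the one-line comment "only use after check_attach_btf_id()". Consider spelling out in that comment the invariant it relies on (that dst_prog is set for an EXT prog by that point), or keeping a defensive test of dst_prog inside the EXT case, so that a later caller placed earlier in the verifier does not replace the reported NULL dereference with a new one in this helper.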
The commit 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
fixes the verifier checking for BPF_PROG_TYPE_EXT (extension)
prog such that the verifier looks for things based
on the target prog type that it is extending instead of
the BPF_PROG_TYPE_EXT itself.

The current resolve_prog_type() returns the target prog type.
It checks for nullness on prog->aux->dst_prog. However,
when loading a BPF_PROG_TYPE_TRACING prog and it is tracing another
bpf prog instead of a kernel function, prog->aux->dst_prog is not
NULL also. In this case, the verifier should still verify as the
BPF_PROG_TYPE_TRACING type instead of the traced prog type in
prog->aux->dst_prog->type.

An oops has been reported when tracing a struct_ops prog. A NULL
dereference happened in check_return_code() when accessing the
prog->aux->attach_func_proto->type and prog->aux->attach_func_proto
is NULL here because the traced struct_ops prog has the "unreliable" set.

This patch is to change the resolve_prog_type() to only
return the target prog type if the prog being verified is
BPF_PROG_TYPE_EXT.

Fixes: 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
---
 include/linux/bpf_verifier.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)