From patchwork Mon Nov 14 19:15:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kumar Kartikeya Dwivedi X-Patchwork-Id: 13042734 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14D59C433FE for ; Mon, 14 Nov 2022 19:17:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235800AbiKNTRI (ORCPT ); Mon, 14 Nov 2022 14:17:08 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56990 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237340AbiKNTQx (ORCPT ); Mon, 14 Nov 2022 14:16:53 -0500 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECC1B29361 for ; Mon, 14 Nov 2022 11:16:49 -0800 (PST) Received: by mail-pf1-x442.google.com with SMTP id 140so10474749pfz.6 for ; Mon, 14 Nov 2022 11:16:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=qWiYAsRgE6BX8qJ0Iu8jZXDm2tAGkdrg9ETQquXoTlI=; b=QRVu4fG/sV68FEzalpq4wde8k2XK2PKZnTvpnREks7okA046FlAJvDFjyT5e4rpY2r 0sXeuF1vBubW0/lqHXUbOTZrXXSdvB1Iuq0JpQw3ubinAnOwY4V1ghH24VmO2H3kPLRG kk3uD2QFptyJc5vDUqs9CJ3CdyLpS4rsD+C5CqNwuPsNI6OS9uHaraJRDvhx7z/h2PVs vDn/fX9vZTjB8EaNCnZqgsLOi3SS9vKAtN2enZenJhiwdXbDR5bvNPh4UNBDoJnEDpEc SXWj6oPYnkpBtYGmOx5/IajhyrZKCjjzS0sLZzNeQkOT0NUom0e8zkofiBLrS8vTx24r 9npg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qWiYAsRgE6BX8qJ0Iu8jZXDm2tAGkdrg9ETQquXoTlI=; b=xATtYLGVGzH9+KwwWLhDH+j/JezMl3eChQyimIq7fLIsEMc/2uxd+sOAgkSZpB5rP6 7VhEJ7jYgkfTscvAmy1ili1VtTk8Sy/Mxs/E1gezU2OwAXE7P7XvfvNBXvt/6ybHdh1d 0j8JOIH4+Ynmk1kRsRUe4O9LrxkJUNMT+pEHc0ROcg1TXvOx5xitPN+nCWw+yYtHs0GN Hl0YYJsCJmc7O1g4+9Rx4Q9cDvfvlANZ7qn7ai703KeXHczKzrN42mS/UVa0NQUNxDW4 LmH6xB9x1l5ACZCc8xYF6G/fj29AuiivwfRcniWeX37aOSVDMDPbQE5+T3Zic3EL9LA1 yUSw== X-Gm-Message-State: ANoB5pks56WjyN0/+NdYmcWZ+5XOxK7FfDiQs0jR2DLqAdrvk7IVFX5Z zOURfY91gJl3/waWk1BlKvX/AraQQVCylw== X-Google-Smtp-Source: AA0mqf4P0INbQDx/ifVJwKXR1ahUnXCKfXUk44hJU4eRWwySdXay/iGhGY/PCXkVw6GPUfk4mUBd1Q== X-Received: by 2002:a63:1949:0:b0:46f:38ad:de99 with SMTP id 9-20020a631949000000b0046f38adde99mr13050820pgz.218.1668453409427; Mon, 14 Nov 2022 11:16:49 -0800 (PST) Received: from localhost ([59.152.80.69]) by smtp.gmail.com with ESMTPSA id v64-20020a626143000000b0056bcd7e1e04sm7081365pfb.124.2022.11.14.11.16.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Nov 2022 11:16:49 -0800 (PST) From: Kumar Kartikeya Dwivedi To: bpf@vger.kernel.org Cc: Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Martin KaFai Lau , Dave Marchevsky Subject: [PATCH bpf-next v7 19/26] bpf: Permit NULL checking pointer with non-zero fixed offset Date: Tue, 15 Nov 2022 00:45:40 +0530 Message-Id: <20221114191547.1694267-20-memxor@gmail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221114191547.1694267-1-memxor@gmail.com> References: <20221114191547.1694267-1-memxor@gmail.com> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2227; i=memxor@gmail.com; h=from:subject; bh=6Xyei5T2AP1FaAFXmRhfrqj1zOfW3ny611AeNkXJLek=; b=owEBbQKS/ZANAwAIAUzgyIZIvxHKAcsmYgBjcpPJKfgXhqUoqyJsCCsCEvXFyun4/h/CISksRirh Gy+8s76JAjMEAAEIAB0WIQRLvip+Buz51YI8YRFM4MiGSL8RygUCY3KTyQAKCRBM4MiGSL8Ryqi8EA C9lxKSSHIs/86mXCDuRVZ0SAQMM1+i3eRUC0/NkGWPl94SGQ5d0DW93J6JkGHJdQOl9xAmJJLowVoX XUBytFukbja1u91DDX7tNEQn4VDMvErnIrRu46HXIUktXBu7hjSTSAkkXQA0pDEYuQ6yeteax/hTt1 RiLeowgw+LFoF48NFiti+2lzuKxcfbgSsNfp4rmteWkklvd/3PfX1ocWxAIEGPSCs6J5n0uanvUp+d Gl8DsY8cE4iMS8f7DSFSjonEo7Uxfhq5WzF4IU57RbC99QhtbwMFCvBPWmIN2YxOU5dTLrNPDxXP2X TvKzpXoLhLkfjhKq9096knbmSPzjKxqFmBKeWL28JfNS2FiAD8ixI2cFci05zWKIeKXJc46iUZ0zMa cyHLyU5tpt6Cz9QuQZjXQOCbdwOh2N94d59643/0TLAT5kDtuvesIjVNz33v0EbefkP4qE/VnjZJ4J jow9WRCzKKNv8xrVrey4yPWO5SVTEnmoYkODoRRzv8BxOrLVH0mqEhTTwjx8ruK49vZAbYK32sY8Tu G9AO7wg1J8GG1/jZ6EmOvdUtuc5Wj1F+ZZFMY33f0mKm7EAj9eheawqNlDoav6Elfu67Nv0rZ2Vcap wuW1aHPkiilDb9UXuZ0kc0W+GAJ0YBe3FCnarikJtbXQkds0LebZZIX7WtSg== X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Pointer increment on seeing PTR_MAYBE_NULL is already protected against, hence make an exception for PTR_TO_BTF_ID | MEM_ALLOC while still keeping the warning for other unintended cases that might creep in. bpf_list_pop_{front,_back} helpers planned to be introduced in next commit will return a MEM_ALLOC register with incremented offset pointing to bpf_list_node field. The user is supposed to then obtain the pointer to the entry using container_of after NULL checking it. The current restrictions trigger a warning when doing the NULL checking. Revisiting the reason, it is meant as an assertion which seems to actually work and catch the bad case. Hence, under no other circumstances can reg->off be non-zero for a register that has the PTR_MAYBE_NULL type flag set. Signed-off-by: Kumar Kartikeya Dwivedi --- kernel/bpf/verifier.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 7372737cbde9..e194c3feb01f 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10800,15 +10800,20 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, { if (type_may_be_null(reg->type) && reg->id == id && !WARN_ON_ONCE(!reg->id)) { - if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || - !tnum_equals_const(reg->var_off, 0) || - reg->off)) { + if (reg->smin_value || reg->smax_value || !tnum_equals_const(reg->var_off, 0) || reg->off) { /* Old offset (both fixed and variable parts) should * have been known-zero, because we don't allow pointer * arithmetic on pointers that might be NULL. If we * see this happening, don't convert the register. + * + * But in some cases, some helpers that return local + * kptrs advance offset for the returned pointer. + * In those cases, it is fine to expect to see reg->off. */ - return; + if (WARN_ON_ONCE(reg->type != (PTR_TO_BTF_ID | MEM_ALLOC | PTR_MAYBE_NULL))) + return; + if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || !tnum_equals_const(reg->var_off, 0))) + return; } if (is_null) { reg->type = SCALAR_VALUE;