From patchwork Thu Nov 17 22:55:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kumar Kartikeya Dwivedi X-Patchwork-Id: 13047440 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2A93C4332F for ; Thu, 17 Nov 2022 22:56:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235044AbiKQW4T (ORCPT ); Thu, 17 Nov 2022 17:56:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235129AbiKQW4Q (ORCPT ); Thu, 17 Nov 2022 17:56:16 -0500 Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E3B3657D3 for ; Thu, 17 Nov 2022 14:56:13 -0800 (PST) Received: by mail-pf1-x441.google.com with SMTP id b29so3172751pfp.13 for ; Thu, 17 Nov 2022 14:56:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=DPomuiw38Tc36JRhHYvhQJpHAo45CMYZVjWlALJ2I00=; b=jCXmre/Cdccl+ibrThBtWFk4fv0CZ8yAN1rRMvOm9RSUvBTu0ofgAg3ahjkwA/jc4x 4zSL1CsG97gfWqzxHe0LbQ4iczgGk9BmdKlruQE4qaGczzG5b+t+B3WHhbiFOWAVuQjS LwaxBh1YIQ9/JCMZEOMsVGiaDn4Rt58ohbqC7Ux23yVNhGjn2pZLVVCcvWau9v40PX6K RuuxsFSGTxMP+A0by1ES2xJlvcZftKKju+9STEAFjQWZMk/21VvZHBWFBw8JlGANtNeN ho2Cu/zohC8HsGxzOlFZbAJwTkXkYTDEvX4H5sJ7CK5Qt4FrW1iUXP9/YG1papw8q+Z9 VYug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DPomuiw38Tc36JRhHYvhQJpHAo45CMYZVjWlALJ2I00=; b=Q0x2MNRBuFT5hrmBCFk9eCc8cOSp7g/ptSjQlJDm9En9yQQCTai7MfBVmpaiYWGu4g EA+VfaBEpfXiAc49ceXO6gXw6Xm6aS8X+Mo/wNaaBNH0btUxArewxwHL5ZX7ZMTlqiEP dABKkmy5FrkS9PIg84Vf0Jce+xxm53MhUrFwngTqHP+xyCqXg8XOFUoOmvcJN8YSP+Ms HFVD3kgniJdwI4UQKGFD38pR6IL+VZICmjOThwGQ0r7LktX8uM7Q1SNrWYtFhFK8rABQ /hJcEQr8AFQjfjUzMhvtXGtTcdMR0JnYu3qaxhOiWu/Sj6GsHYVOie5UhNsT4Nrg5VQU PbXg== X-Gm-Message-State: ANoB5pmX6YRRNjP+mk330ATdG31MfqbQeHdOd5a0Kj5CaPy345i1CWvi rTjoTrbKrzq6xIG893BHA8sthvQxP5Y= X-Google-Smtp-Source: AA0mqf4xkenl+pR46635D3VWiUO4FbSFo1C6RiNfmaJ0H3aBiKa73WvNFpfh7Euw+lNYrHuwqGH1rg== X-Received: by 2002:a63:d741:0:b0:457:f843:ffcd with SMTP id w1-20020a63d741000000b00457f843ffcdmr4106613pgi.101.1668725772366; Thu, 17 Nov 2022 14:56:12 -0800 (PST) Received: from localhost ([2409:40f4:8:955c:5484:8048:c08:7b3]) by smtp.gmail.com with ESMTPSA id i6-20020a626d06000000b00572275e68f8sm1659190pfc.166.2022.11.17.14.56.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 14:56:12 -0800 (PST) From: Kumar Kartikeya Dwivedi To: bpf@vger.kernel.org Cc: Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Martin KaFai Lau , Dave Marchevsky Subject: [PATCH bpf-next v9 15/23] bpf: Permit NULL checking pointer with non-zero fixed offset Date: Fri, 18 Nov 2022 04:25:02 +0530 Message-Id: <20221117225510.1676785-16-memxor@gmail.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221117225510.1676785-1-memxor@gmail.com> References: <20221117225510.1676785-1-memxor@gmail.com> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2422; i=memxor@gmail.com; h=from:subject; bh=24iLGg5VsnwmsvtaAeQ9jk4cZGNEIECN8xis7P+9mPQ=; b=owEBbQKS/ZANAwAIAUzgyIZIvxHKAcsmYgBjdrkc+mohHswfHDzYNGMTg+MLWeTNlIOxWTD6wKYO D3uPfdGJAjMEAAEIAB0WIQRLvip+Buz51YI8YRFM4MiGSL8RygUCY3a5HAAKCRBM4MiGSL8RygUbD/ 9wOVyivjJwrY1UMdpWeJEmPAr6JLmujgPSVTNUSAJIDAyd0l74jYYsSe4a2zTn5tQf1BaHktsP9KYz U7maV2CuoxHT2IxHzl11HhR4O4HuNfGB0TId685o8qOBDgidih6wioXHFmkvTmxBIRDhTOorimgNV5 QNN+jgMWTdwm8XtEswAZ3MDxCUIgPk5867HrFixS2zgfxdbqxTMxM7tBn09zk+dKSxMJt7ralVOmH7 4vNxdDG2w/65fzIwljH5oe0OVE8vOoejVJRPxLawlw76/QczJLu5Sjs+USB0a8NJYqTK/LfkwyIqKd yIeYKUVfCLJLkApf9Nzy42OkLkceOmd+2+gsvCleVifTId2Lem9v347HbfE8GgZA/c+NLa2+8pwiae poeWAhEDExOkfYi9bQnvXDvWI0PH5JEwb8rIRbhq/BLLGYO4duVqkN1myMBvlOtstq9aEB0WZd9Sql JQ7l9FrQyoa+MCmKhMyzdQDhhrPIvwEquCYhdJ02wX0eCMYV/ev7A8L2iHbXGtDxLVdDxY2J3YOyGg uOdQ1ufsTxEP4+YyvOxEHEH01cQhQbyVxQYv0Q20Y6eEYW6CR6ni/DkX6izNV7HvWLuVzFUe4WnGJw sitk5BKvAN0Uaa3ForvwScc9pkICnXzmUPUQFtWPT4Pa/uqkCsuzaGO2pktQ== X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Pointer increment on seeing PTR_MAYBE_NULL is already protected against, hence make an exception for PTR_TO_BTF_ID | MEM_ALLOC while still keeping the warning for other unintended cases that might creep in. bpf_list_pop_{front,_back} helpers planned to be introduced in next commit will return a MEM_ALLOC register with incremented offset pointing to bpf_list_node field. The user is supposed to then obtain the pointer to the entry using container_of after NULL checking it. The current restrictions trigger a warning when doing the NULL checking. Revisiting the reason, it is meant as an assertion which seems to actually work and catch the bad case. Hence, under no other circumstances can reg->off be non-zero for a register that has the PTR_MAYBE_NULL type flag set. Signed-off-by: Kumar Kartikeya Dwivedi --- kernel/bpf/verifier.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index b96c525fa413..8951f50ae918 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10790,16 +10790,19 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, { if (type_may_be_null(reg->type) && reg->id == id && !WARN_ON_ONCE(!reg->id)) { - if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || - !tnum_equals_const(reg->var_off, 0) || - reg->off)) { - /* Old offset (both fixed and variable parts) should - * have been known-zero, because we don't allow pointer - * arithmetic on pointers that might be NULL. If we - * see this happening, don't convert the register. - */ + /* Old offset (both fixed and variable parts) should have been + * known-zero, because we don't allow pointer arithmetic on + * pointers that might be NULL. If we see this happening, don't + * convert the register. + * + * But in some cases, some helpers that return local kptrs + * advance offset for the returned pointer. In those cases, it + * is fine to expect to see reg->off. + */ + if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || !tnum_equals_const(reg->var_off, 0))) + return; + if (reg->type != (PTR_TO_BTF_ID | MEM_ALLOC | PTR_MAYBE_NULL) && WARN_ON_ONCE(reg->off)) return; - } if (is_null) { reg->type = SCALAR_VALUE; /* We don't need id and ref_obj_id from this point