diff mbox series

[bpf-next,1/2] bpf: Fix an error around PTR_UNTRUSTED

Message ID 20230628115205.248395-2-laoar.shao@gmail.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series bpf: Fix errors in verifying a union | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 14 this patch: 14
netdev/cc_maintainers fail 1 blamed authors not CCed: void@manifault.com; 3 maintainers not CCed: void@manifault.com martin.lau@linux.dev song@kernel.org
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 14 this patch: 14
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 44 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-19 success Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-22 success Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-25 success Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-29 success Logs for veristat
bpf/vmtest-bpf-next-VM_Test-11 fail Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-13 fail Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 fail Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-15 fail Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 fail Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-18 fail Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-23 success Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-26 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 fail Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-12 fail Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ${{ matrix.test }} on ${{ matrix.arch }} with ${{ matrix.toolchain_full }}
bpf/vmtest-bpf-next-VM_Test-2 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-4 fail Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-5 fail Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 fail Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-7 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-8 success Logs for veristat

Commit Message

Yafang Shao June 28, 2023, 11:52 a.m. UTC 
Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
cleared when we start to walk a new struct, because the struct in
question may be a struct nested in a union. We should also check and set
this flag before we walk its each member, in case itself is a union.

Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.")
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
---
 kernel/bpf/btf.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

Comments

Yafang Shao June 29, 2023, 3:11 a.m. UTC | #1 
On Wed, Jun 28, 2023 at 7:52 PM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
> cleared when we start to walk a new struct, because the struct in
> question may be a struct nested in a union. We should also check and set
> this flag before we walk its each member, in case itself is a union.
>
> Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.")
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> ---
>  kernel/bpf/btf.c | 20 +++++++++-----------
>  1 file changed, 9 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 29fe21099298..e0a493230727 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6133,7 +6133,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
>         const char *tname, *mname, *tag_value;
>         u32 vlen, elem_id, mid;
>
> -       *flag = 0;
>  again:
>         tname = __btf_name_by_offset(btf, t->name_off);
>         if (!btf_type_is_struct(t)) {
> @@ -6142,6 +6141,14 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
>         }
>
>         vlen = btf_type_vlen(t);
> +       if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1)
> +               /*
> +                * walking unions yields untrusted pointers
> +                * with exception of __bpf_md_ptr and other
> +                * unions with a single member
> +                */
> +               *flag |= PTR_UNTRUSTED;
> +
>         if (off + size > t->size) {
>                 /* If the last element is a variable size array, we may
>                  * need to relax the rule.
> @@ -6302,15 +6309,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
>                  * of this field or inside of this struct
>                  */
>                 if (btf_type_is_struct(mtype)) {
> -                       if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
> -                           btf_type_vlen(mtype) != 1)
> -                               /*
> -                                * walking unions yields untrusted pointers
> -                                * with exception of __bpf_md_ptr and other
> -                                * unions with a single member
> -                                */
> -                               *flag |= PTR_UNTRUSTED;
> -
>                         /* our field must be inside that union or struct */
>                         t = mtype;
>
> @@ -6476,7 +6474,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
>                           bool strict)
>  {
>         const struct btf_type *type;
> -       enum bpf_type_flag flag;
> +       enum bpf_type_flag flag = 0;
>         int err;
>
>         /* Are we already done? */
> --
> 2.39.3
>

Just noticed that it breaks test_sk_storage_tracing, because skb->sk
is in a union:
   struct sk_buff {
       ...
       union {
           struct sock             *sk;
           int                     ip_defrag_offset;
       };
       ...
   };

I will think about it.
Alexei Starovoitov June 29, 2023, 3:35 a.m. UTC | #2 
On Wed, Jun 28, 2023 at 8:12 PM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> On Wed, Jun 28, 2023 at 7:52 PM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
> > cleared when we start to walk a new struct, because the struct in
> > question may be a struct nested in a union. We should also check and set
> > this flag before we walk its each member, in case itself is a union.
> >
> > Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.")
> > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > ---
> >  kernel/bpf/btf.c | 20 +++++++++-----------
> >  1 file changed, 9 insertions(+), 11 deletions(-)
> >
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 29fe21099298..e0a493230727 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -6133,7 +6133,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> >         const char *tname, *mname, *tag_value;
> >         u32 vlen, elem_id, mid;
> >
> > -       *flag = 0;
> >  again:
> >         tname = __btf_name_by_offset(btf, t->name_off);
> >         if (!btf_type_is_struct(t)) {
> > @@ -6142,6 +6141,14 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> >         }
> >
> >         vlen = btf_type_vlen(t);
> > +       if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1)
> > +               /*
> > +                * walking unions yields untrusted pointers
> > +                * with exception of __bpf_md_ptr and other
> > +                * unions with a single member
> > +                */
> > +               *flag |= PTR_UNTRUSTED;
> > +
> >         if (off + size > t->size) {
> >                 /* If the last element is a variable size array, we may
> >                  * need to relax the rule.
> > @@ -6302,15 +6309,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> >                  * of this field or inside of this struct
> >                  */
> >                 if (btf_type_is_struct(mtype)) {
> > -                       if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
> > -                           btf_type_vlen(mtype) != 1)
> > -                               /*
> > -                                * walking unions yields untrusted pointers
> > -                                * with exception of __bpf_md_ptr and other
> > -                                * unions with a single member
> > -                                */
> > -                               *flag |= PTR_UNTRUSTED;
> > -
> >                         /* our field must be inside that union or struct */
> >                         t = mtype;
> >
> > @@ -6476,7 +6474,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
> >                           bool strict)
> >  {
> >         const struct btf_type *type;
> > -       enum bpf_type_flag flag;
> > +       enum bpf_type_flag flag = 0;
> >         int err;
> >
> >         /* Are we already done? */
> > --
> > 2.39.3
> >
>
> Just noticed that it breaks test_sk_storage_tracing, because skb->sk
> is in a union:
>    struct sk_buff {
>        ...
>        union {
>            struct sock             *sk;
>            int                     ip_defrag_offset;
>        };
>        ...
>    };
>
> I will think about it.

It can be whitelisted similar to BTF_TYPE_SAFE_*.
Please add a selftest for the new feature.
Yafang Shao June 29, 2023, 3:46 a.m. UTC | #3 
On Thu, Jun 29, 2023 at 11:35 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Wed, Jun 28, 2023 at 8:12 PM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > On Wed, Jun 28, 2023 at 7:52 PM Yafang Shao <laoar.shao@gmail.com> wrote:
> > >
> > > Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
> > > cleared when we start to walk a new struct, because the struct in
> > > question may be a struct nested in a union. We should also check and set
> > > this flag before we walk its each member, in case itself is a union.
> > >
> > > Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.")
> > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > > ---
> > >  kernel/bpf/btf.c | 20 +++++++++-----------
> > >  1 file changed, 9 insertions(+), 11 deletions(-)
> > >
> > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > > index 29fe21099298..e0a493230727 100644
> > > --- a/kernel/bpf/btf.c
> > > +++ b/kernel/bpf/btf.c
> > > @@ -6133,7 +6133,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> > >         const char *tname, *mname, *tag_value;
> > >         u32 vlen, elem_id, mid;
> > >
> > > -       *flag = 0;
> > >  again:
> > >         tname = __btf_name_by_offset(btf, t->name_off);
> > >         if (!btf_type_is_struct(t)) {
> > > @@ -6142,6 +6141,14 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> > >         }
> > >
> > >         vlen = btf_type_vlen(t);
> > > +       if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1)
> > > +               /*
> > > +                * walking unions yields untrusted pointers
> > > +                * with exception of __bpf_md_ptr and other
> > > +                * unions with a single member
> > > +                */
> > > +               *flag |= PTR_UNTRUSTED;
> > > +
> > >         if (off + size > t->size) {
> > >                 /* If the last element is a variable size array, we may
> > >                  * need to relax the rule.
> > > @@ -6302,15 +6309,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> > >                  * of this field or inside of this struct
> > >                  */
> > >                 if (btf_type_is_struct(mtype)) {
> > > -                       if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
> > > -                           btf_type_vlen(mtype) != 1)
> > > -                               /*
> > > -                                * walking unions yields untrusted pointers
> > > -                                * with exception of __bpf_md_ptr and other
> > > -                                * unions with a single member
> > > -                                */
> > > -                               *flag |= PTR_UNTRUSTED;
> > > -
> > >                         /* our field must be inside that union or struct */
> > >                         t = mtype;
> > >
> > > @@ -6476,7 +6474,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
> > >                           bool strict)
> > >  {
> > >         const struct btf_type *type;
> > > -       enum bpf_type_flag flag;
> > > +       enum bpf_type_flag flag = 0;
> > >         int err;
> > >
> > >         /* Are we already done? */
> > > --
> > > 2.39.3
> > >
> >
> > Just noticed that it breaks test_sk_storage_tracing, because skb->sk
> > is in a union:
> >    struct sk_buff {
> >        ...
> >        union {
> >            struct sock             *sk;
> >            int                     ip_defrag_offset;
> >        };
> >        ...
> >    };
> >
> > I will think about it.
>
> It can be whitelisted similar to BTF_TYPE_SAFE_*.

Got it.

> Please add a selftest for the new feature.

Sure, will add it.
diff mbox series

Patch

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 29fe21099298..e0a493230727 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6133,7 +6133,6 @@  static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
 	const char *tname, *mname, *tag_value;
 	u32 vlen, elem_id, mid;
 
-	*flag = 0;
 again:
 	tname = __btf_name_by_offset(btf, t->name_off);
 	if (!btf_type_is_struct(t)) {
@@ -6142,6 +6141,14 @@  static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
 	}
 
 	vlen = btf_type_vlen(t);
+	if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1)
+		/*
+		 * walking unions yields untrusted pointers
+		 * with exception of __bpf_md_ptr and other
+		 * unions with a single member
+		 */
+		*flag |= PTR_UNTRUSTED;
+
 	if (off + size > t->size) {
 		/* If the last element is a variable size array, we may
 		 * need to relax the rule.
@@ -6302,15 +6309,6 @@  static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
 		 * of this field or inside of this struct
 		 */
 		if (btf_type_is_struct(mtype)) {
-			if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
-			    btf_type_vlen(mtype) != 1)
-				/*
-				 * walking unions yields untrusted pointers
-				 * with exception of __bpf_md_ptr and other
-				 * unions with a single member
-				 */
-				*flag |= PTR_UNTRUSTED;
-
 			/* our field must be inside that union or struct */
 			t = mtype;
 
@@ -6476,7 +6474,7 @@  bool btf_struct_ids_match(struct bpf_verifier_log *log,
 			  bool strict)
 {
 	const struct btf_type *type;
-	enum bpf_type_flag flag;
+	enum bpf_type_flag flag = 0;
 	int err;
 
 	/* Are we already done? */