[RFC,bpf-next,v4,4/6] bpf: Prevent BPF programs from access the buffer pointed by user_optval.

Commit Message

Kui-Feng Lee Aug. 19, 2023, 3:01 a.m. UTC

From: Kui-Feng Lee <thinker.li@gmail.com>

Since the buffer pointed by ctx->optval can be in user space, BPF programs
in kernel space should not access it directly. They should use kfuncs
provided later to access data.

Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
---
 kernel/bpf/cgroup.c   | 16 ++++++-
 kernel/bpf/verifier.c | 98 +++++++++++++++++++++----------------------
 2 files changed, 63 insertions(+), 51 deletions(-)

Patch

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b4f37960274d..1b2006dac4d5 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -2495,12 +2495,24 @@  static bool cg_sockopt_is_valid_access(int off, int size,
 	case offsetof(struct bpf_sockopt, optval):
 		if (size != sizeof(__u64))
 			return false;
-		info->reg_type = PTR_TO_PACKET;
+		if (prog->aux->sleepable)
+			/* Prohibit access to the memory pointed by optval
+			 * in sleepable programs.
+			 */
+			info->reg_type = PTR_TO_AUX | MEM_USER;
+		else
+			info->reg_type = PTR_TO_AUX;
 		break;
 	case offsetof(struct bpf_sockopt, optval_end):
 		if (size != sizeof(__u64))
 			return false;
-		info->reg_type = PTR_TO_PACKET_END;
+		if (prog->aux->sleepable)
+			/* Prohibit access to the memory pointed by
+			 * optval_end in sleepable programs.
+			 */
+			info->reg_type = PTR_TO_AUX_END | MEM_USER;
+		else
+			info->reg_type = PTR_TO_AUX_END;
 		break;
 	case offsetof(struct bpf_sockopt, retval):
 		if (size != size_default)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 05ab2c7f8798..83731e998b09 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -13403,7 +13403,7 @@  static void find_good_pkt_aux_pointers(struct bpf_verifier_state *vstate,
 	 * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16.
 	 */
 	bpf_for_each_reg_in_vstate(vstate, state, reg, ({
-		if (reg->type == type && reg->id == dst_reg->id)
+		if (base_type(reg->type) == type && reg->id == dst_reg->id)
 			/* keep the maximum range already checked */
 			reg->range = max(reg->range, new_range);
 	}));
@@ -13958,100 +13958,100 @@  static bool try_match_pkt_pointers(const struct bpf_insn *insn,
 
 	switch (BPF_OP(insn->code)) {
 	case BPF_JGT:
-		if ((dst_reg->type == PTR_TO_PACKET &&
-		     src_reg->type == PTR_TO_PACKET_END) ||
-		    (dst_reg->type == PTR_TO_AUX &&
-		     src_reg->type == PTR_TO_AUX_END) ||
-		    (dst_reg->type == PTR_TO_PACKET_META &&
+		if ((base_type(dst_reg->type) == PTR_TO_PACKET &&
+		     base_type(src_reg->type) == PTR_TO_PACKET_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_AUX &&
+		     base_type(src_reg->type) == PTR_TO_AUX_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_PACKET_META &&
 		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
 			/* pkt_data' > pkt_end, pkt_meta' > pkt_data */
 			find_good_pkt_aux_pointers(this_branch, dst_reg,
-						   dst_reg->type, false);
+						   base_type(dst_reg->type), false);
 			mark_pkt_aux_end(other_branch, insn->dst_reg, true);
-		} else if ((dst_reg->type == PTR_TO_PACKET_END &&
-			    src_reg->type == PTR_TO_PACKET) ||
-			   (dst_reg->type == PTR_TO_AUX_END &&
-			    src_reg->type == PTR_TO_AUX) ||
+		} else if ((base_type(dst_reg->type) == PTR_TO_PACKET_END &&
+			    base_type(src_reg->type) == PTR_TO_PACKET) ||
+			   (base_type(dst_reg->type) == PTR_TO_AUX_END &&
+			    base_type(src_reg->type) == PTR_TO_AUX) ||
 			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
-			    src_reg->type == PTR_TO_PACKET_META)) {
+			    base_type(src_reg->type) == PTR_TO_PACKET_META)) {
 			/* pkt_end > pkt_data', pkt_data > pkt_meta' */
 			find_good_pkt_aux_pointers(other_branch, src_reg,
-						   src_reg->type, true);
+						   base_type(src_reg->type), true);
 			mark_pkt_aux_end(this_branch, insn->src_reg, false);
 		} else {
 			return false;
 		}
 		break;
 	case BPF_JLT:
-		if ((dst_reg->type == PTR_TO_PACKET &&
-		     src_reg->type == PTR_TO_PACKET_END) ||
-		    (dst_reg->type == PTR_TO_AUX &&
-		     src_reg->type == PTR_TO_AUX_END) ||
-		    (dst_reg->type == PTR_TO_PACKET_META &&
+		if ((base_type(dst_reg->type) == PTR_TO_PACKET &&
+		     base_type(src_reg->type) == PTR_TO_PACKET_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_AUX &&
+		     base_type(src_reg->type) == PTR_TO_AUX_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_PACKET_META &&
 		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
 			/* pkt_data' < pkt_end, pkt_meta' < pkt_data */
 			find_good_pkt_aux_pointers(other_branch, dst_reg,
-						   dst_reg->type, true);
+						   base_type(dst_reg->type), true);
 			mark_pkt_aux_end(this_branch, insn->dst_reg, false);
-		} else if ((dst_reg->type == PTR_TO_PACKET_END &&
-			    src_reg->type == PTR_TO_PACKET) ||
-			   (dst_reg->type == PTR_TO_AUX_END &&
-			    src_reg->type == PTR_TO_AUX) ||
+		} else if ((base_type(dst_reg->type) == PTR_TO_PACKET_END &&
+			    base_type(src_reg->type) == PTR_TO_PACKET) ||
+			   (base_type(dst_reg->type) == PTR_TO_AUX_END &&
+			    base_type(src_reg->type) == PTR_TO_AUX) ||
 			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
-			    src_reg->type == PTR_TO_PACKET_META)) {
+			    base_type(src_reg->type) == PTR_TO_PACKET_META)) {
 			/* pkt_end < pkt_data', pkt_data > pkt_meta' */
 			find_good_pkt_aux_pointers(this_branch, src_reg,
-						   src_reg->type, false);
+						   base_type(src_reg->type), false);
 			mark_pkt_aux_end(other_branch, insn->src_reg, true);
 		} else {
 			return false;
 		}
 		break;
 	case BPF_JGE:
-		if ((dst_reg->type == PTR_TO_PACKET &&
-		     src_reg->type == PTR_TO_PACKET_END) ||
-		    (dst_reg->type == PTR_TO_AUX &&
-		     src_reg->type == PTR_TO_AUX_END) ||
-		    (dst_reg->type == PTR_TO_PACKET_META &&
+		if ((base_type(dst_reg->type) == PTR_TO_PACKET &&
+		     base_type(src_reg->type) == PTR_TO_PACKET_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_AUX &&
+		     base_type(src_reg->type) == PTR_TO_AUX_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_PACKET_META &&
 		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
 			/* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */
 			find_good_pkt_aux_pointers(this_branch, dst_reg,
-						   dst_reg->type, true);
+						   base_type(dst_reg->type), true);
 			mark_pkt_aux_end(other_branch, insn->dst_reg, false);
-		} else if ((dst_reg->type == PTR_TO_PACKET_END &&
-			    src_reg->type == PTR_TO_PACKET) ||
-			   (dst_reg->type == PTR_TO_AUX_END &&
-			    src_reg->type == PTR_TO_AUX) ||
+		} else if ((base_type(dst_reg->type) == PTR_TO_PACKET_END &&
+			    base_type(src_reg->type) == PTR_TO_PACKET) ||
+			   (base_type(dst_reg->type) == PTR_TO_AUX_END &&
+			    base_type(src_reg->type) == PTR_TO_AUX) ||
 			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
-			    src_reg->type == PTR_TO_PACKET_META)) {
+			    base_type(src_reg->type) == PTR_TO_PACKET_META)) {
 			/* pkt_end >= pkt_data', pkt_data >= pkt_meta' */
 			find_good_pkt_aux_pointers(other_branch, src_reg,
-						   src_reg->type, false);
+						   base_type(src_reg->type), false);
 			mark_pkt_aux_end(this_branch, insn->src_reg, true);
 		} else {
 			return false;
 		}
 		break;
 	case BPF_JLE:
-		if ((dst_reg->type == PTR_TO_PACKET &&
-		     src_reg->type == PTR_TO_PACKET_END) ||
-		    (dst_reg->type == PTR_TO_AUX &&
-		     src_reg->type == PTR_TO_AUX_END) ||
-		    (dst_reg->type == PTR_TO_PACKET_META &&
+		if ((base_type(dst_reg->type) == PTR_TO_PACKET &&
+		     base_type(src_reg->type) == PTR_TO_PACKET_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_AUX &&
+		     base_type(src_reg->type) == PTR_TO_AUX_END) ||
+		    (base_type(dst_reg->type) == PTR_TO_PACKET_META &&
 		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
 			/* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */
 			find_good_pkt_aux_pointers(other_branch, dst_reg,
-						   dst_reg->type, false);
+						   base_type(dst_reg->type), false);
 			mark_pkt_aux_end(this_branch, insn->dst_reg, true);
-		} else if ((dst_reg->type == PTR_TO_PACKET_END &&
-			    src_reg->type == PTR_TO_PACKET) ||
-			   (dst_reg->type == PTR_TO_AUX_END &&
-			    src_reg->type == PTR_TO_AUX) ||
+		} else if ((base_type(dst_reg->type) == PTR_TO_PACKET_END &&
+			    base_type(src_reg->type) == PTR_TO_PACKET) ||
+			   (base_type(dst_reg->type) == PTR_TO_AUX_END &&
+			    base_type(src_reg->type) == PTR_TO_AUX) ||
 			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
-			    src_reg->type == PTR_TO_PACKET_META)) {
+			    base_type(src_reg->type) == PTR_TO_PACKET_META)) {
 			/* pkt_end <= pkt_data', pkt_data <= pkt_meta' */
 			find_good_pkt_aux_pointers(this_branch, src_reg,
-						   src_reg->type, true);
+						   base_type(src_reg->type), true);
 			mark_pkt_aux_end(other_branch, insn->src_reg, false);
 		} else {
 			return false;