diff mbox series

[bpf,2/4] bpf: Zero ARG_PTR_TO_{LONG,INT} | MEM_UNINIT args in case of error

Message ID 20240823222033.31006-2-daniel@iogearbox.net (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series [bpf,1/4] bpf: Fix helper writes to read-only maps | expand

Checks

Context Check Description
bpf/vmtest-bpf-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-VM_Test-4 fail Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-6 success Logs for aarch64-gcc / test
bpf/vmtest-bpf-VM_Test-7 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-VM_Test-8 fail Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-VM_Test-9 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-VM_Test-10 success Logs for s390x-gcc / test
bpf/vmtest-bpf-VM_Test-11 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-VM_Test-12 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-24 success Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-VM_Test-14 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-VM_Test-16 success Logs for x86_64-gcc / veristat
bpf/vmtest-bpf-VM_Test-19 success Logs for x86_64-llvm-17 / test
bpf/vmtest-bpf-VM_Test-20 success Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-VM_Test-13 fail Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-17 fail Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-22 fail Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-VM_Test-23 success Logs for x86_64-llvm-18 / test
bpf/vmtest-bpf-VM_Test-15 success Logs for x86_64-gcc / test
bpf/vmtest-bpf-VM_Test-21 fail Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-18 fail Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2
netdev/series_format warning Series does not have a cover letter
netdev/tree_selection success Clearly marked for bpf, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 16 this patch: 16
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 4 blamed authors not CCed: ast@kernel.org rdna@fb.com sdf@fomichev.me martin.lau@linux.dev; 16 maintainers not CCed: andrii@kernel.org edumazet@google.com sdf@fomichev.me eddyz87@gmail.com haoluo@google.com kpsingh@kernel.org song@kernel.org ast@kernel.org martin.lau@linux.dev john.fastabend@gmail.com pabeni@redhat.com kuba@kernel.org netdev@vger.kernel.org jolsa@kernel.org yonghong.song@linux.dev rdna@fb.com
netdev/build_clang success Errors and warnings before: 16 this patch: 16
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 95 this patch: 95
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 37 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 15 this patch: 15
netdev/source_inline success Was 0 now: 0

Commit Message

Daniel Borkmann Aug. 23, 2024, 10:20 p.m. UTC 
For all non-tracing helpers which have ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
input arguments, zero the value for the case of an error as otherwise it
could leak memory. For tracing, it is not needed given CAP_PERFMON can
already read all kernel memory anyway.

Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types")
Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 kernel/bpf/helpers.c | 2 ++
 kernel/bpf/syscall.c | 1 +
 net/core/filter.c    | 4 ++++
 3 files changed, 7 insertions(+)

Comments

Shung-Hsi Yu Aug. 26, 2024, 6:38 a.m. UTC | #1 
On Sat, Aug 24, 2024 at 12:20:31AM GMT, Daniel Borkmann wrote:
> For all non-tracing helpers which have ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
> input arguments, zero the value for the case of an error as otherwise it
> could leak memory. For tracing, it is not needed given CAP_PERFMON can
> already read all kernel memory anyway.
> 
> Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types")
> Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[...]

Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Alexei Starovoitov Aug. 27, 2024, 11:42 p.m. UTC | #2 
On Fri, Aug 23, 2024 at 3:20 PM Daniel Borkmann <daniel@iogearbox.net> wrote:

> diff --git a/net/core/filter.c b/net/core/filter.c
> index 2ff210cb068c..a25c32da3d6c 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -6264,6 +6264,8 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
>         int skb_len, dev_len;
>         int mtu;
>
> +       *mtu_len = 0;
> +
>         if (unlikely(flags & ~(BPF_MTU_CHK_SEGS)))
>                 return -EINVAL;
>
> @@ -6313,6 +6315,8 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
>         int ret = BPF_MTU_CHK_RET_SUCCESS;
>         int mtu, dev_len;
>
> +       *mtu_len = 0;
> +
>         /* XDP variant doesn't support multi-buffer segment check (yet) */
>         if (unlikely(flags))
>                 return -EINVAL;

This looks wrong.
If selftests are not failing because of that they should.
diff mbox series

Patch

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 356a58aeb79b..20f6a2b7e708 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -522,6 +522,7 @@  BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
 	long long _res;
 	int err;
 
+	*res = 0;
 	err = __bpf_strtoll(buf, buf_len, flags, &_res);
 	if (err < 0)
 		return err;
@@ -548,6 +549,7 @@  BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
 	bool is_negative;
 	int err;
 
+	*res = 0;
 	err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
 	if (err < 0)
 		return err;
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 6d5942a6f41f..f799179fd6c7 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5932,6 +5932,7 @@  static const struct bpf_func_proto bpf_sys_close_proto = {
 
 BPF_CALL_4(bpf_kallsyms_lookup_name, const char *, name, int, name_sz, int, flags, u64 *, res)
 {
+	*res = 0;
 	if (flags)
 		return -EINVAL;
 
diff --git a/net/core/filter.c b/net/core/filter.c
index 2ff210cb068c..a25c32da3d6c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6264,6 +6264,8 @@  BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
 	int skb_len, dev_len;
 	int mtu;
 
+	*mtu_len = 0;
+
 	if (unlikely(flags & ~(BPF_MTU_CHK_SEGS)))
 		return -EINVAL;
 
@@ -6313,6 +6315,8 @@  BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
 	int ret = BPF_MTU_CHK_RET_SUCCESS;
 	int mtu, dev_len;
 
+	*mtu_len = 0;
+
 	/* XDP variant doesn't support multi-buffer segment check (yet) */
 	if (unlikely(flags))
 		return -EINVAL;