From patchwork Thu Sep 5 13:48:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Borkmann X-Patchwork-Id: 13792378 X-Patchwork-Delegate: bpf@iogearbox.net Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8655E19D8A0 for ; Thu, 5 Sep 2024 13:48:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.133.104.62 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725544103; cv=none; b=XRx8zLW1T4hgl0Hw94olx08FQvFvBYdgDq4x2Ah2LEgxzXOJSdWgaRc9X5qUVDmfFbMPLAVxORurvPB5Jscb//snL87vy1pkpaDNmD2xAPzcNhn6i7K9XihlxPqdcqnVFi7gq3NC+QjAZb9Aiq+g1XeWwBtmTqy/hZqI7tJ2Sws= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725544103; c=relaxed/simple; bh=R+uEBjwB1QfpW3TEXj0ElvO73QWFOcpPp4sXtSfamvA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=GL3rlfLtF5fKRJ8UKxQPPXSQYEjFiOGH10hjB2p7eOBMlacBJLaYk/C/ry8no7OuILxDnr7KmStMS+OpSXfm2msuBohXe4FIhFkFlJ62s6aLdzW7T4ZR7V8XMCd9Q9QvqeXsakg5J+fXrZO1z/oZbUMi12G+7pJYuzPJUGfYSt8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=iogearbox.net; spf=pass smtp.mailfrom=iogearbox.net; dkim=pass (2048-bit key) header.d=iogearbox.net header.i=@iogearbox.net header.b=mR2gepy9; arc=none smtp.client-ip=213.133.104.62 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=iogearbox.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iogearbox.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=iogearbox.net header.i=@iogearbox.net header.b="mR2gepy9" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=iogearbox.net; s=default2302; h=Content-Transfer-Encoding:MIME-Version: References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=WOXjDdj11i6DqGo8x8pctDnj/d0p5LO19KWjWKc6tGk=; b=mR2gepy9v025Fvy8QfT+kj5Mxy hEn0EMIBdRE2tJE85HBFTWtZHvJQejWcCQ+uBS30Pu3XHUZBpUXy4QGdTLUi+obHXrC+no93u3wMb vVKSe+PqbG7cmbqfD+yJZ3qJj7Wfd5PapIlXMNUKX/nZCsiUlLpYYe/lIxEjv6xxigs5JuhdCZSwb 5d4KJoDu1NDoPhDteQ/xIA5Qyuz2oeuVtieaQIqceNHPnYFv/lgQdZxvsQ3osrilDW3niPXTneQdR EaogQqvq1MxPMRF+8R3NWXDzbmKzPMUSff5GdGElfz2qkL7VbxYJMF3fuOkPKM8qBorh8CZXtVlqV WQNFu57Q==; Received: from 23.248.197.178.dynamic.cust.swisscom.net ([178.197.248.23] helo=localhost) by www62.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1smCqQ-000FDb-TI; Thu, 05 Sep 2024 15:48:18 +0200 From: Daniel Borkmann To: bpf@vger.kernel.org Cc: shung-hsi.yu@suse.com, andrii@kernel.org, ast@kernel.org, kongln9170@gmail.com, Daniel Borkmann Subject: [PATCH bpf-next v3 2/6] bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types Date: Thu, 5 Sep 2024 15:48:09 +0200 Message-Id: <20240905134813.874-2-daniel@iogearbox.net> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20240905134813.874-1-daniel@iogearbox.net> References: <20240905134813.874-1-daniel@iogearbox.net> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.10/27389/Thu Sep 5 10:33:25 2024) X-Patchwork-Delegate: bpf@iogearbox.net When checking malformed helper function signatures, also take other argument types into account aside from just ARG_PTR_TO_UNINIT_MEM. This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can be passed there, too. The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier: add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos which had more than just one MEM_UNINIT-tagged type as arguments. The reason more than one is currently not supported is as we mark stack slots with STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to allow uninitialized stack memory to be passed to helpers when they just write into the buffer. Probing for base type as well as MEM_UNINIT tagging ensures that other types do not get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}). Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") Reported-by: Shung-Hsi Yu Signed-off-by: Daniel Borkmann --- v1 -> v2: - new patch (Shung-Hsi) v2 -> v3: - base_type(type) was needed also kernel/bpf/verifier.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index efd9c453399e..26240637c863 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -8296,6 +8296,12 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type) type == ARG_CONST_SIZE_OR_ZERO; } +static bool arg_type_is_raw_mem(enum bpf_arg_type type) +{ + return base_type(type) == ARG_PTR_TO_MEM && + type & MEM_UNINIT; +} + static bool arg_type_is_release(enum bpf_arg_type type) { return type & OBJ_RELEASE; @@ -9348,15 +9354,15 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn) { int count = 0; - if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg1_type)) count++; - if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg2_type)) count++; - if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg3_type)) count++; - if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg4_type)) count++; - if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg5_type)) count++; /* We only support one arg being in raw mode at the moment,