From patchwork Fri Sep 6 13:56:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Borkmann X-Patchwork-Id: 13794230 X-Patchwork-Delegate: bpf@iogearbox.net Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 69D201CF29B for ; Fri, 6 Sep 2024 13:56:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=213.133.104.62 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725630982; cv=none; b=eWxglWchN7BPYOity8apjVngXWm6/Mm9AFR9FjpYGQNlHF3edi1025NUD3itARvFX0P/ysLt/iRxK1u8p3+fINHqQzgoQQ9IXWo2wyaiBH0kqAE3PKwAl4cWEfync23lzGtOWuZ8r5RiYMlaKkdrM9Eys8phQFZxIq+I9/8NIPU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725630982; c=relaxed/simple; bh=5p8wEmvNKp8VN7fMxFNT1p3q8XWH37cEhxx/EYIf64Q=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=QIqgJMOFFsfekW3QF4dF4dYKOVu6BbxzokFqkjfWKVHhNDia/iaVPbNdkAWMBNEiql0lRzwpwn561yrKgTwaoQqSVrBq5jEJ+5NqZylUec0307pflx2WVMGUmgAOpaiSaSx0LXoKVFxVUM9VzPe+mB+p1v9D671ex19a4YvqZaQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=iogearbox.net; spf=pass smtp.mailfrom=iogearbox.net; dkim=pass (2048-bit key) header.d=iogearbox.net header.i=@iogearbox.net header.b=aH1nKpMO; arc=none smtp.client-ip=213.133.104.62 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=iogearbox.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iogearbox.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=iogearbox.net header.i=@iogearbox.net header.b="aH1nKpMO" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=iogearbox.net; s=default2302; h=Content-Transfer-Encoding:MIME-Version: References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=Od00HE5PArnBef8YSwojfsKnQqJijINDhFWQooh5dCQ=; b=aH1nKpMOTyUE2lwDe3/vPlOlFL eZ+Hi5rSsXQcLI97OFA4IG5BQi2dDU/72upFaKS83A7kRYZV4PteaKZwaHvFVKxkNnF9lpNv8vRFy 2E4LeM+9PFW2TcQPgjaLQfTcURJJL9cF3q8PBJfLggYp3u0hYJKknOh4aH1U2HEyqPg6Y4UX7Gsqj rK1VOlPlIkYDVcWNWz+FbEehHrlKijjA+bGaA66af/zxILjvWJOKsFzZRrbBQQochp5+ypjJ9J8ID +PVP04pbnJBRuS+GhpiH7ftBdzMbEEvC1ejaX7vYgx2zzO2fUB4DJG7FhdPL0679wEA/Q0QBwKDYn X+hCMdPw==; Received: from 15.248.197.178.dynamic.cust.swisscom.net ([178.197.248.15] helo=localhost) by www62.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1smZRc-0001z6-Bw; Fri, 06 Sep 2024 15:56:12 +0200 From: Daniel Borkmann To: bpf@vger.kernel.org Cc: shung-hsi.yu@suse.com, andrii@kernel.org, ast@kernel.org, kongln9170@gmail.com, Daniel Borkmann Subject: [PATCH bpf-next v4 4/8] bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types Date: Fri, 6 Sep 2024 15:56:04 +0200 Message-Id: <20240906135608.26477-4-daniel@iogearbox.net> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20240906135608.26477-1-daniel@iogearbox.net> References: <20240906135608.26477-1-daniel@iogearbox.net> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.10/27390/Fri Sep 6 10:38:06 2024) X-Patchwork-Delegate: bpf@iogearbox.net When checking malformed helper function signatures, also take other argument types into account aside from just ARG_PTR_TO_UNINIT_MEM. This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can be passed there, too. The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier: add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos which had more than just one MEM_UNINIT-tagged type as arguments. The reason more than one is currently not supported is as we mark stack slots with STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to allow uninitialized stack memory to be passed to helpers when they just write into the buffer. Probing for base type as well as MEM_UNINIT tagging ensures that other types do not get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}). Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") Reported-by: Shung-Hsi Yu Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Shung-Hsi Yu --- v1 -> v2: - new patch (Shung-Hsi) v2 -> v3: - base_type(type) was needed also kernel/bpf/verifier.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 3a0801933a79..a1bbe4b401af 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -8291,6 +8291,12 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type) type == ARG_CONST_SIZE_OR_ZERO; } +static bool arg_type_is_raw_mem(enum bpf_arg_type type) +{ + return base_type(type) == ARG_PTR_TO_MEM && + type & MEM_UNINIT; +} + static bool arg_type_is_release(enum bpf_arg_type type) { return type & OBJ_RELEASE; @@ -9343,15 +9349,15 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn) { int count = 0; - if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg1_type)) count++; - if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg2_type)) count++; - if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg3_type)) count++; - if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg4_type)) count++; - if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) + if (arg_type_is_raw_mem(fn->arg5_type)) count++; /* We only support one arg being in raw mode at the moment,