From patchwork Tue Aug 16 20:55:16 2022
X-Patchwork-Submitter: YiFei Zhu
X-Patchwork-Id: 12945279
X-Patchwork-Delegate: bpf@iogearbox.net
Date: Tue, 16 Aug 2022 20:55:16 +0000
Message-Id: <20220816205517.682470-1-zhuyifei@google.com>
Subject: [PATCH bpf 1/2] bpf: Restrict bpf_sys_bpf to CAP_PERFMON
From: YiFei Zhu
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Jinghao Jia, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Song Liu, Stanislav Fomichev, Jason Zhang, Jann Horn, mvle@us.ibm.com, zohar@linux.ibm.com, tyxu.uiuc@gmail.com, security@kernel.org
List-ID: bpf@vger.kernel.org

The verifier cannot perform sufficient validation of any pointers passed
into bpf_attr and treats them as integers rather than pointers. The helper
will then read from arbitrary pointers passed into it.

Restrict the helper to CAP_PERFMON since the security model in BPF of
arbitrary kernel read is CAP_BPF + CAP_PERFMON.

Fixes: af2ac3e13e45 ("bpf: Prepare bpf syscall to be used from kernel and user space.")
Signed-off-by: YiFei Zhu
---
 kernel/bpf/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index a4d40d98428a..27760627370d 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5197,7 +5197,7 @@ syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) { switch (func_id) { case BPF_FUNC_sys_bpf: - return &bpf_sys_bpf_proto; + return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto; case BPF_FUNC_btf_find_by_name_kind: return &bpf_btf_find_by_name_kind_proto; case BPF_FUNC_sys_close:
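Review bot: the capability test in `+ return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto;` is evaluated when syscall_prog_func_proto() runs, that is while the verifier checks the program at load time, so it gates on the capabilities of the loading task rather than on whoever later runs the program. That is the right place for a verifier-enforced restriction, but the commit message should say so and should spell out the user-visible consequence: a BPF_PROG_TYPE_SYSCALL program that calls bpf_sys_bpf() and is loaded by a task holding CAP_BPF but not CAP_PERFMON will now be rejected by the verifier as an unknown helper, which breaks existing light-skeleton loaders running under that capability set. As a style point, the double negative reads more naturally written positively: `return perfmon_capable() ? &bpf_sys_bpf_proto : NULL;`.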
From patchwork Tue Aug 16 20:55:17 2022
X-Patchwork-Submitter: YiFei Zhu
X-Patchwork-Id: 12945280
X-Patchwork-Delegate: bpf@iogearbox.net
Date: Tue, 16 Aug 2022 20:55:17 +0000
In-Reply-To: <20220816205517.682470-1-zhuyifei@google.com>
Message-Id: <20220816205517.682470-2-zhuyifei@google.com>
References: <20220816205517.682470-1-zhuyifei@google.com>
Subject: [PATCH bpf 2/2] bpf: Add WARN_ON for recursive prog_run invocation
From: YiFei Zhu
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Jinghao Jia, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Song Liu, Stanislav Fomichev, Jason Zhang, Jann Horn, mvle@us.ibm.com, zohar@linux.ibm.com, tyxu.uiuc@gmail.com, security@kernel.org
List-ID: bpf@vger.kernel.org

Recursive invocation should not happen after commit 86f44fcec22c ("bpf:
Disallow bpf programs call prog_run command."), unlike what is suggested
in the comment. The only way I can see this condition trigger is if
userspace fetches an fd of a kernel-loaded lskel and attempts to race the
kernel to execute that lskel... which also shouldn't happen under normal
circumstances.

To make this "should never happen" explicit, clarify this in the comment
and add a WARN_ON.

Fixes: 86f44fcec22c ("bpf: Disallow bpf programs call prog_run command.")
Signed-off-by: YiFei Zhu
---
 kernel/bpf/syscall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 27760627370d..9cac9402c0bf 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5119,8 +5119,8 @@ int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size) run_ctx.bpf_cookie = 0; run_ctx.saved_run_ctx = NULL; - if (!__bpf_prog_enter_sleepable(prog, &run_ctx)) { - /* recursion detected */ + if (WARN_ON(!__bpf_prog_enter_sleepable(prog, &run_ctx))) { + /* recursion detected, should never happen */ bpf_prog_put(prog); return -EBUSY; }
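Review bot: WARN_ON() in `+ if (WARN_ON(!__bpf_prog_enter_sleepable(prog, &run_ctx))) {` is the wrong tool for a condition the commit message itself says userspace can reach (fetching the fd of a kernel-loaded lskel and racing the kernel into running it): a user-triggerable WARN becomes a crash on systems booted with panic_on_warn, and a reachable condition can be used to flood the log. Either keep the plain -EBUSY path with the updated comment, or use WARN_ON_ONCE() and explain in the commit message why the race cannot occur in practice. Also, the Fixes: tag names 86f44fcec22c, the very commit the message credits with making recursion impossible; adding a diagnostic does not fix that commit, so the tag should be dropped or the message should state what that commit actually got wrong.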