From patchwork Mon Mar 13 23:58:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13173482 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF7A3C6FD19 for ; Mon, 13 Mar 2023 23:59:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230205AbjCMX67 (ORCPT ); Mon, 13 Mar 2023 19:58:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229827AbjCMX66 (ORCPT ); Mon, 13 Mar 2023 19:58:58 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4906187340; Mon, 13 Mar 2023 16:58:55 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id y2so13657220pjg.3; Mon, 13 Mar 2023 16:58:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678751935; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WSM+1NNi1Tfbc5IACqC5h/fXdbGu500kqDaYlPrdfOQ=; b=AtnhOoYq+zK89mkv9qjPLHbja1j6um2Gk6L3uAQBmNWoNQ+irAKn5p1EAvtCfyLB2g y1FWr0/0/CwQkO1c7q6GvM8y8JFYqx+xYDZKnEP80qnA2+EZOgLXYigq2shpEsatlEhT liF6AejJDbphN60aN7xEXmdSH/8UM0wmQ0lpjYIuGoRxdcrHBR2Y7TOjnhOdP75Ftj3Y C09it7o1gAZ46waGiQOX1f/jhbWdbHZDkDWvXl+zxEfmTFOsb0y6sX8PuycT+1pDQ7nb eguXztT/UYTYY8HybldI3QMOxaDfiTkZIx28/dFZ2++Nsq7hq4/6sprRNAwZnWZ6vVvH SteQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678751935; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WSM+1NNi1Tfbc5IACqC5h/fXdbGu500kqDaYlPrdfOQ=; b=A+0r3jr5ZOCc9W5zJERb2F+jaRgoEdM0wS2ScB7ZHeg5yvts7c6SOxxLAsapdfsaH/ zppZohnGMoyET6frKWBjEe7+tWvhwB1XukXwrmsOfM1FHULaWygj6KuskVKPFe0SP0Fe T1we8CedcyblsrX9xgDhoGSI/jnPtywpD7DL8ToJh0VSXp+45SyqEMuaDeGkxsfoGJdh OzOdnKsWAvVW/rJ1YRdwWqVBBF2De3FYRmmiuPCqmKBBER32dNphM0mSONiF+XWDQWLh BAgxNna3Hvadbtszf+go/WkUqVIQdXuahCKybXtQ4ZeeaG6vQtZpjmZOEoNdrZJeXW1V c+/g== X-Gm-Message-State: AO0yUKWmGR79b4N8XnIgywStkTE6i0XDFZqJvtaI7+wgEPmyUEci1Rel gsS5t8X14KWOGwAerr13VtXoEXoq2Sk= X-Google-Smtp-Source: AK7set8ZdaxBji0LMym0cdEIHkthsC0S4thdZEm40kUkwOArjGiAH41eoG5+6Uj5xCV4mvR2DcEPUQ== X-Received: by 2002:a17:90b:1c05:b0:23a:ccb4:64de with SMTP id oc5-20020a17090b1c0500b0023accb464demr11948078pjb.6.1678751934613; Mon, 13 Mar 2023 16:58:54 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:ad6b]) by smtp.gmail.com with ESMTPSA id my13-20020a17090b4c8d00b002339195a47bsm376400pjb.53.2023.03.13.16.58.52 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 13 Mar 2023 16:58:53 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 1/3] bpf: Fix bpf_strncmp proto. Date: Mon, 13 Mar 2023 16:58:43 -0700 Message-Id: <20230313235845.61029-2-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230313235845.61029-1-alexei.starovoitov@gmail.com> References: <20230313235845.61029-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov bpf_strncmp() doesn't write into its first argument. Make sure that the verifier knows about it. Signed-off-by: Alexei Starovoitov Acked-by: David Vernet --- kernel/bpf/helpers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 77d64b6951b9..f753676ef652 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -571,7 +571,7 @@ static const struct bpf_func_proto bpf_strncmp_proto = { .func = bpf_strncmp, .gpl_only = false, .ret_type = RET_INTEGER, - .arg1_type = ARG_PTR_TO_MEM, + .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY, .arg2_type = ARG_CONST_SIZE, .arg3_type = ARG_PTR_TO_CONST_STR, }; From patchwork Mon Mar 13 23:58:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13173483 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF5D3C6FD1D for ; Mon, 13 Mar 2023 23:59:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230190AbjCMX7B (ORCPT ); Mon, 13 Mar 2023 19:59:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52758 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229797AbjCMX7A (ORCPT ); Mon, 13 Mar 2023 19:59:00 -0400 Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 836F860AB6; Mon, 13 Mar 2023 16:58:59 -0700 (PDT) Received: by mail-pj1-x102c.google.com with SMTP id k18-20020a17090a591200b0023d36e30cb5so535158pji.1; Mon, 13 Mar 2023 16:58:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678751939; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=mwQ187piTg/LwOnQhafpEuDnmgMkumYLbSusILMjqAE=; b=E88p5WmcdiS4Xi58+SRapeAzO+vzrgb31ATDBG0hkCtNlJ9O8AxI/exsMgq4ber2yH +nEJB8B9vreIw+nRns1zqWv3gd3Rb6WwjsYtiGZ/oGsdO3LQYtGuhsKcxcYSkv7faLKA IfPgkY7YpO1bBodGtrLG25pWpyRi8CTHt6hLRKQQ61bKL/XBL4EPsnTqsDPwQfEY4Yr2 py09giZ737vfUs1HOPVwwPMFkEQwG/nv/uPN1gRYcaRSOXu/sFakJdzMAiDz80PHJJyL 5LLg9WFHKxekjlfqTT4LjGdlpZC7siCBTPgiDJmHvC770uac7b7waQGxjx3XCG76TNk+ p3cQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678751939; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mwQ187piTg/LwOnQhafpEuDnmgMkumYLbSusILMjqAE=; b=rzwHqZ3u5ZzD0uZHpqfXBBQOj3cvg2dgWP91II6PVaFMXmvdV49EBxkaUTNpcBX7Gh x1Smo5QGjuO21FuOKik4GOgCDfo4pWal0HvIUxNbLkZzPXTBo0Ln5rdTAM5SbZ3fKTjI Njj2TefkKkcMOqi0ZtiYUBo5oY+DuDhEciRElq2tBCzUE1cBNUi9Yy7AFuPyBZAoDvVm q9A2xiaauZjlIarKf5Hlwy6wIYASzZ/IgAzVXWj3u3ugPky1nYOHeUL75zoGPBWbs/tq wA1Ddg4VayB9uoh/Xa6ev2MGJSZo74woHpqnoDiOTWb2lhuNy4Y0AF9oYaNwwgPEypzz UorQ== X-Gm-Message-State: AO0yUKXCdNjw4uZCUwDbvYrBWBS8cZT5hTtrgS4Ori5gSY6IFK2YnCsP Q5nLThi3U7O2lCEHUlVALCA= X-Google-Smtp-Source: AK7set+EHgWNI4zzbIxvRrnZxV7UXPBLCTLCL8jhwoAbrUnOe9fsqJ3WqXLwCI1jrl+7broLqm9j1A== X-Received: by 2002:a17:90b:1c88:b0:234:1d1d:6ae6 with SMTP id oo8-20020a17090b1c8800b002341d1d6ae6mr37264595pjb.1.1678751938986; Mon, 13 Mar 2023 16:58:58 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:ad6b]) by smtp.gmail.com with ESMTPSA id p13-20020a17090a284d00b0023d0e743ff6sm409653pjf.3.2023.03.13.16.58.57 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 13 Mar 2023 16:58:58 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 2/3] bpf: Allow helpers access trusted PTR_TO_BTF_ID. Date: Mon, 13 Mar 2023 16:58:44 -0700 Message-Id: <20230313235845.61029-3-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230313235845.61029-1-alexei.starovoitov@gmail.com> References: <20230313235845.61029-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov The verifier rejects the code: bpf_strncmp(task->comm, 16, "my_task"); with the message: 16: (85) call bpf_strncmp#182 R1 type=trusted_ptr_ expected=fp, pkt, pkt_meta, map_key, map_value, mem, ringbuf_mem, buf Teach the verifier that such access pattern is safe. Do not allow untrusted and legacy ptr_to_btf_id to be passed into helpers. Reported-by: David Vernet Signed-off-by: Alexei Starovoitov Acked-by: David Vernet --- kernel/bpf/verifier.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 883d4ff2e288..2bbd89279070 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -6303,6 +6303,9 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, env, regno, reg->off, access_size, zero_size_allowed, ACCESS_HELPER, meta); + case PTR_TO_BTF_ID: + return check_ptr_to_btf_access(env, regs, regno, reg->off, + access_size, BPF_READ, -1); case PTR_TO_CTX: /* in case the function doesn't know how to access the context, * (because we are in a program of type SYSCALL for example), we @@ -7014,6 +7017,7 @@ static const struct bpf_reg_types mem_types = { PTR_TO_MEM, PTR_TO_MEM | MEM_RINGBUF, PTR_TO_BUF, + PTR_TO_BTF_ID | PTR_TRUSTED, }, }; @@ -7145,6 +7149,17 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, if (base_type(reg->type) != PTR_TO_BTF_ID) return 0; + if (compatible == &mem_types) { + if (!(arg_type & MEM_RDONLY)) { + verbose(env, + "%s() may write into memory pointed by R%d type=%s\n", + func_id_name(meta->func_id), + regno, reg_type_str(env, reg->type)); + return -EACCES; + } + return 0; + } + switch ((int)reg->type) { case PTR_TO_BTF_ID: case PTR_TO_BTF_ID | PTR_TRUSTED: From patchwork Mon Mar 13 23:58:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13173484 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8BAE8C6FD19 for ; Mon, 13 Mar 2023 23:59:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230212AbjCMX7M (ORCPT ); Mon, 13 Mar 2023 19:59:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53386 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230233AbjCMX7I (ORCPT ); Mon, 13 Mar 2023 19:59:08 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 026397D080; Mon, 13 Mar 2023 16:59:03 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id x11so14762112pln.12; Mon, 13 Mar 2023 16:59:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678751943; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=nlkU9N2SG/AbcwmYI206kiozQXDShvHpsyCvMGKViBI=; b=m6j/Seq56Oc/gUxZIDiLvvmUF/5kygdpl83xVs9abWQaec/G+NFakARqjM6RVU0/Ac Ln5A2XKOu90P0WVdkrO614dFB1j7t+Io0ligNOYQ8tXvisNI1/z9ZqNlT7oYI5gNOJXZ zeVyCnJtDo7LAdMNgROmRLiWLJBZt0wrNi8tCbptdGuPvBBv3u7taXSYHCwSGgpJE3zO mWXm/o93CbWvGcVlo3NDG3wjgcPaPHCkbnbnwdSnAjBX4TIKywGU1Nksf79VFQikSOGI 8KKtyJoegLNcyrTqo6gnuJl+Wvx7/DaLRHsJNPQyDNxcOygKw34OgVtbusYm7wqOtdGt TvRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678751943; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nlkU9N2SG/AbcwmYI206kiozQXDShvHpsyCvMGKViBI=; b=q1Nree+TJSGNb8F5ZZqeB0N+9TGGpWpZfB5NwbZiAXOs9CA1oG4uiWflBonq/HlEJv MOzPtm1KaRgIXyCm2FiLSQbLRgOSRH6FeKAPOnqp8At3sirK2uhX01RWOEkkXYSGD4V9 nqkDxHPrlM1F8sp72vNp8RWuLJkJyt+qNE+R++mrPZwu8oKiNlLPRV+p8zoBtqJCXB2M TwXp2VUf4ODZuRCJnyXVWbs1LNb0iyvjbrhiJW8s71A/gjId4ftG+BdSGlg6fkUGf5Zu +PqwK5AyHeu0YzbXMfm57JlWyhF4VR/R2G28LSUdLTwdOOtgu3a8nHhCoUDauwGZ4o7E MYpQ== X-Gm-Message-State: AO0yUKUUGd4CG/j2gMoIgMJUqe51JjmSUrPSiAIhs9/DLpPzI5Gki0VU AO9GkRLz0YvEbcbSSSrG8WU= X-Google-Smtp-Source: AK7set9TUuW1z2+5+1fYtrk1omDX2eJp1Wa2CLuxI81Q8aIGwTNp/xL3WgJiFXoheU/A1hzZXdFJHw== X-Received: by 2002:a05:6a20:1448:b0:c7:770a:557f with SMTP id a8-20020a056a20144800b000c7770a557fmr44481039pzi.50.1678751943311; Mon, 13 Mar 2023 16:59:03 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:ad6b]) by smtp.gmail.com with ESMTPSA id q25-20020a62e119000000b005d6999eec90sm258546pfh.120.2023.03.13.16.59.01 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 13 Mar 2023 16:59:02 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 3/3] selftests/bpf: Add various tests to check helper access into ptr_to_btf_id. Date: Mon, 13 Mar 2023 16:58:45 -0700 Message-Id: <20230313235845.61029-4-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230313235845.61029-1-alexei.starovoitov@gmail.com> References: <20230313235845.61029-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov Add various tests to check helper access into ptr_to_btf_id. Signed-off-by: Alexei Starovoitov Acked-by: David Vernet --- .../selftests/bpf/progs/task_kfunc_failure.c | 36 +++++++++++++++++++ .../selftests/bpf/progs/task_kfunc_success.c | 4 +++ 2 files changed, 40 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/task_kfunc_failure.c b/tools/testing/selftests/bpf/progs/task_kfunc_failure.c index 002c7f69e47f..27994d6b2914 100644 --- a/tools/testing/selftests/bpf/progs/task_kfunc_failure.c +++ b/tools/testing/selftests/bpf/progs/task_kfunc_failure.c @@ -301,3 +301,39 @@ int BPF_PROG(task_kfunc_from_lsm_task_free, struct task_struct *task) bpf_task_release(acquired); return 0; } + +SEC("tp_btf/task_newtask") +__failure __msg("access beyond the end of member comm") +int BPF_PROG(task_access_comm1, struct task_struct *task, u64 clone_flags) +{ + bpf_strncmp(task->comm, 17, "foo"); + return 0; +} + +SEC("tp_btf/task_newtask") +__failure __msg("access beyond the end of member comm") +int BPF_PROG(task_access_comm2, struct task_struct *task, u64 clone_flags) +{ + bpf_strncmp(task->comm + 1, 16, "foo"); + return 0; +} + +SEC("tp_btf/task_newtask") +__failure __msg("write into memory") +int BPF_PROG(task_access_comm3, struct task_struct *task, u64 clone_flags) +{ + bpf_probe_read_kernel(task->comm, 16, task->comm); + return 0; +} + +SEC("fentry/__set_task_comm") +__failure __msg("R1 type=ptr_ expected") +int BPF_PROG(task_access_comm4, struct task_struct *task, const char *buf, bool exec) +{ + /* + * task->comm is a legacy ptr_to_btf_id. The verifier cannot guarantee + * its safety. Hence it cannot be accessed with normal load insns. + */ + bpf_strncmp(task->comm, 16, "foo"); + return 0; +} diff --git a/tools/testing/selftests/bpf/progs/task_kfunc_success.c b/tools/testing/selftests/bpf/progs/task_kfunc_success.c index aebc4bb14e7d..4f61596b0242 100644 --- a/tools/testing/selftests/bpf/progs/task_kfunc_success.c +++ b/tools/testing/selftests/bpf/progs/task_kfunc_success.c @@ -207,6 +207,10 @@ int BPF_PROG(test_task_from_pid_invalid, struct task_struct *task, u64 clone_fla if (!is_test_kfunc_task()) return 0; + bpf_strncmp(task->comm, 12, "foo"); + bpf_strncmp(task->comm, 16, "foo"); + bpf_strncmp(&task->comm[8], 4, "foo"); + if (is_pid_lookup_valid(-1)) { err = 1; return 0;