From patchwork Tue May  2 00:52:16 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Rosenberg <drosen@google.com>
X-Patchwork-Id: 13228400
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2CF0AC7EE29
	for <bpf@archiver.kernel.org>; Tue,  2 May 2023 00:52:34 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232267AbjEBAwc (ORCPT <rfc822;bpf@archiver.kernel.org>);
        Mon, 1 May 2023 20:52:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47490 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231610AbjEBAw3 (ORCPT <rfc822;bpf@vger.kernel.org>);
        Mon, 1 May 2023 20:52:29 -0400
Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com
 [IPv6:2607:f8b0:4864:20::1149])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76B3D30FD
        for <bpf@vger.kernel.org>; Mon,  1 May 2023 17:52:26 -0700 (PDT)
Received: by mail-yw1-x1149.google.com with SMTP id
 00721157ae682-55a1aec6693so35026887b3.1
        for <bpf@vger.kernel.org>; Mon, 01 May 2023 17:52:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1682988745; x=1685580745;
        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=PMr9CSFbKkempgdzzQdL7Zwkt6UumLJeT//GgveDKNc=;
        b=wF/S5NQERpRui8VV7CmlInDtl7fNY4zZ4NWELSVB64eZ+BL3IUzATu4W9rpD+KMOKo
         Q7LXbK24Ismjhasn2z+IVHaR+2KoENDn8Gva3vlq1ubILJi1yZu+7L+tWrXySiBEPRli
         TgelUmL8vI0SXx1AFaQ1UDzvcgHvUTFLcJlopgg0trpoWlcNuzQ7z4GVHNrwPLPUBov7
         xM6vQn+1CItfnsv3iuz9ufdtnR9jlk1xNzhxRa/S2JnPkoieoNlMGjRk1FTBpqc7aEQ+
         Tjzi/+T3HqlnplQk2XG7rZ7shFmhhhjJAwdUt/5+53H0DlE66LuPAW6Ysp8KZhaxfPE3
         sDcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1682988745; x=1685580745;
        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=PMr9CSFbKkempgdzzQdL7Zwkt6UumLJeT//GgveDKNc=;
        b=LAbog3sNTng5ISK0kU1faSael3LXAmPFo1xHPGsn1MpE2v5dgvcq1MpT6KT7Ok929e
         o74WuUw2iypRIG5tnnpB01XJWV9W3Q1lLfdxgyghvGyLMDUI0F7cPO9JAMItwJLqkMrz
         ks7llnZdlBGLALppwSSmJSJc+mXTB7T859AYhELEYYaLdjmd5bGlqt/rOfWw5eciI1HJ
         Bz4qlsmQS3XCJFtLTx1zEifl1hgToqcz2zNhjTjnU+aOz8bCiLh3grnW10Hr3Pq/6DPb
         S/XVjZHcqNd0gqppmMYuZHXwdPfMBFkXrYmTrytLEvbehBxJ+zNnL9YiF6k5mCsl/jpz
         9L/g==
X-Gm-Message-State: AC+VfDx55phxiYSBQ2cECuubNPcOS2/7R/KAFftBJjXJ2JMBjagVLjdV
        PEV4Qwe+qndVnCvFDNbAKrMBhmpQhwsYHBPIru9npvxAOnY+bhXOYO4oF4u7Pqj7bLYJmSbgqK+
        JmG983NFXZRqbPIEOex0eJUKiiSQ+DG12mCHkkQPUuy4jpbNSEXUZP7+EhQ==
X-Google-Smtp-Source: 
 ACHHUZ7oCobC8owwsaLv8x2B0ByE/cvT1vna7koor91mo0f1BZQzjn+N03CUVl3Zl+vk+UaaiXTYo3b6QIE=
X-Received: from drosen.mtv.corp.google.com
 ([2620:15c:211:201:908a:598a:7b5a:d40b])
 (user=drosen job=sendgmr) by 2002:a81:4007:0:b0:545:1d7f:acbf with SMTP id
 l7-20020a814007000000b005451d7facbfmr9025404ywn.10.1682988745369; Mon, 01 May
 2023 17:52:25 -0700 (PDT)
Date: Mon,  1 May 2023 17:52:16 -0700
Mime-Version: 1.0
X-Mailer: git-send-email 2.40.1.495.gc816e09b53d-goog
Message-ID: <20230502005218.3627530-1-drosen@google.com>
Subject: [PATCH v2 1/3] bpf: Allow NULL buffers in bpf_dynptr_slice(_rw)
From: Daniel Rosenberg <drosen@google.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        John Fastabend <john.fastabend@gmail.com>,
        Andrii Nakryiko <andrii@kernel.org>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
        KP Singh <kpsingh@kernel.org>,
        Stanislav Fomichev <sdf@google.com>,
        Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
        Shuah Khan <shuah@kernel.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Joanne Koong <joannelkoong@gmail.com>,
        Mykola Lysenko <mykolal@fb.com>, linux-kernel@vger.kernel.org,
        linux-kselftest@vger.kernel.org, kernel-team@android.com,
        Daniel Rosenberg <drosen@google.com>
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

bpf_dynptr_slice(_rw) uses a user provided buffer if it can not provide
a pointer to a block of contiguous memory. This buffer is unused in the
case of local dynptrs, and may be unused in other cases as well. There
is no need to require the buffer, as the kfunc can just return NULL if
it was needed and not provided.

This adds another kfunc annotation, __opt, which combines with __sz and
__szk to allow the buffer associated with the size to be NULL. If the
buffer is NULL, the verifier does not check that the buffer is of
sufficient size.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
---
 Documentation/bpf/kfuncs.rst | 23 ++++++++++++++++++++++-
 include/linux/skbuff.h       |  2 +-
 kernel/bpf/helpers.c         | 30 ++++++++++++++++++------------
 kernel/bpf/verifier.c        | 17 +++++++++++++----
 4 files changed, 54 insertions(+), 18 deletions(-)


base-commit: 6e98b09da931a00bf4e0477d0fa52748bf28fcce

diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
index ea2516374d92..7a3d9de5f315 100644
--- a/Documentation/bpf/kfuncs.rst
+++ b/Documentation/bpf/kfuncs.rst
@@ -100,7 +100,7 @@ Hence, whenever a constant scalar argument is accepted by a kfunc which is not a
 size parameter, and the value of the constant matters for program safety, __k
 suffix should be used.
 
-2.2.2 __uninit Annotation
+2.2.3 __uninit Annotation
 -------------------------
 
 This annotation is used to indicate that the argument will be treated as
@@ -117,6 +117,27 @@ Here, the dynptr will be treated as an uninitialized dynptr. Without this
 annotation, the verifier will reject the program if the dynptr passed in is
 not initialized.
 
+2.2.4 __opt Annotation
+-------------------------
+
+This annotation is used to indicate that the buffer associated with an __sz or __szk
+argument may be null. If the function is passed a nullptr in place of the buffer,
+the verifier will not check that length is appropriate for the buffer. The kfunc is
+responsible for checking if this buffer is null before using it.
+
+An example is given below::
+
+        __bpf_kfunc void *bpf_dynptr_slice(..., void *buffer__opt, u32 buffer__szk)
+        {
+        ...
+        }
+
+Here, the buffer may be null. If buffer is not null, it at least of size buffer_szk.
+Either way, the returned buffer is either NULL, or of size buffer_szk. Without this
+annotation, the verifier will reject the program if a null pointer is passed in with
+a nonzero size.
+
+
 .. _BPF_kfunc_nodef:
 
 2.3 Using an existing kernel function
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 738776ab8838..8ddb4af1a501 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4033,7 +4033,7 @@ __skb_header_pointer(const struct sk_buff *skb, int offset, int len,
 	if (likely(hlen - offset >= len))
 		return (void *)data + offset;
 
-	if (!skb || unlikely(skb_copy_bits(skb, offset, buffer, len) < 0))
+	if (!skb || !buffer || unlikely(skb_copy_bits(skb, offset, buffer, len) < 0))
 		return NULL;
 
 	return buffer;
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 8d368fa353f9..26efb6fbeab2 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2167,13 +2167,15 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
  * bpf_dynptr_slice() - Obtain a read-only pointer to the dynptr data.
  * @ptr: The dynptr whose data slice to retrieve
  * @offset: Offset into the dynptr
- * @buffer: User-provided buffer to copy contents into
- * @buffer__szk: Size (in bytes) of the buffer. This is the length of the
- *		 requested slice. This must be a constant.
+ * @buffer__opt: User-provided buffer to copy contents into.  May be NULL
+ * @buffer__szk: Size (in bytes) of the buffer if present. This is the
+ *               length of the requested slice. This must be a constant.
  *
  * For non-skb and non-xdp type dynptrs, there is no difference between
  * bpf_dynptr_slice and bpf_dynptr_data.
  *
+ *  If buffer__opt is NULL, the call will fail if buffer_opt was needed.
+ *
  * If the intention is to write to the data slice, please use
  * bpf_dynptr_slice_rdwr.
  *
@@ -2190,7 +2192,7 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
  * direct pointer)
  */
 __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset,
-				   void *buffer, u32 buffer__szk)
+				   void *buffer__opt, u32 buffer__szk)
 {
 	enum bpf_dynptr_type type;
 	u32 len = buffer__szk;
@@ -2210,15 +2212,17 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset
 	case BPF_DYNPTR_TYPE_RINGBUF:
 		return ptr->data + ptr->offset + offset;
 	case BPF_DYNPTR_TYPE_SKB:
-		return skb_header_pointer(ptr->data, ptr->offset + offset, len, buffer);
+		return skb_header_pointer(ptr->data, ptr->offset + offset, len, buffer__opt);
 	case BPF_DYNPTR_TYPE_XDP:
 	{
 		void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + offset, len);
 		if (xdp_ptr)
 			return xdp_ptr;
 
-		bpf_xdp_copy_buf(ptr->data, ptr->offset + offset, buffer, len, false);
-		return buffer;
+		if (!buffer__opt)
+			return NULL;
+		bpf_xdp_copy_buf(ptr->data, ptr->offset + offset, buffer__opt, len, false);
+		return buffer__opt;
 	}
 	default:
 		WARN_ONCE(true, "unknown dynptr type %d\n", type);
@@ -2230,13 +2234,15 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset
  * bpf_dynptr_slice_rdwr() - Obtain a writable pointer to the dynptr data.
  * @ptr: The dynptr whose data slice to retrieve
  * @offset: Offset into the dynptr
- * @buffer: User-provided buffer to copy contents into
- * @buffer__szk: Size (in bytes) of the buffer. This is the length of the
- *		 requested slice. This must be a constant.
+ * @buffer__opt: User-provided buffer to copy contents into. May be NULL
+ * @buffer__szk: Size (in bytes) of the buffer if present. This is the
+ *               length of the requested slice. This must be a constant.
  *
  * For non-skb and non-xdp type dynptrs, there is no difference between
  * bpf_dynptr_slice and bpf_dynptr_data.
  *
+ * If buffer__opt is NULL, the call will fail if buffer_opt was needed.
+ *
  * The returned pointer is writable and may point to either directly the dynptr
  * data at the requested offset or to the buffer if unable to obtain a direct
  * data pointer to (example: the requested slice is to the paged area of an skb
@@ -2267,7 +2273,7 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset
  * direct pointer)
  */
 __bpf_kfunc void *bpf_dynptr_slice_rdwr(const struct bpf_dynptr_kern *ptr, u32 offset,
-					void *buffer, u32 buffer__szk)
+					void *buffer__opt, u32 buffer__szk)
 {
 	if (!ptr->data || bpf_dynptr_is_rdonly(ptr))
 		return NULL;
@@ -2294,7 +2300,7 @@ __bpf_kfunc void *bpf_dynptr_slice_rdwr(const struct bpf_dynptr_kern *ptr, u32 o
 	 * will be copied out into the buffer and the user will need to call
 	 * bpf_dynptr_write() to commit changes.
 	 */
-	return bpf_dynptr_slice(ptr, offset, buffer, buffer__szk);
+	return bpf_dynptr_slice(ptr, offset, buffer__opt, buffer__szk);
 }
 
 __bpf_kfunc void *bpf_cast_to_kern_ctx(void *obj)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index fbcf5a4e2fcd..708ae7bca1fe 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9398,6 +9398,11 @@ static bool is_kfunc_arg_const_mem_size(const struct btf *btf,
 	return __kfunc_param_match_suffix(btf, arg, "__szk");
 }
 
+static bool is_kfunc_arg_optional(const struct btf *btf, const struct btf_param *arg)
+{
+	return __kfunc_param_match_suffix(btf, arg, "__opt");
+}
+
 static bool is_kfunc_arg_constant(const struct btf *btf, const struct btf_param *arg)
 {
 	return __kfunc_param_match_suffix(btf, arg, "__k");
@@ -10464,13 +10469,17 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			break;
 		case KF_ARG_PTR_TO_MEM_SIZE:
 		{
+			struct bpf_reg_state *buff_reg = &regs[regno];
+			const struct btf_param *buff_arg = &args[i];
 			struct bpf_reg_state *size_reg = &regs[regno + 1];
 			const struct btf_param *size_arg = &args[i + 1];
 
-			ret = check_kfunc_mem_size_reg(env, size_reg, regno + 1);
-			if (ret < 0) {
-				verbose(env, "arg#%d arg#%d memory, len pair leads to invalid memory access\n", i, i + 1);
-				return ret;
+			if (!register_is_null(buff_reg) || !is_kfunc_arg_optional(meta->btf, buff_arg)) {
+				ret = check_kfunc_mem_size_reg(env, size_reg, regno + 1);
+				if (ret < 0) {
+					verbose(env, "arg#%d arg#%d memory, len pair leads to invalid memory access\n", i, i + 1);
+					return ret;
+				}
 			}
 
 			if (is_kfunc_arg_const_mem_size(meta->btf, size_arg, size_reg)) {

From patchwork Tue May  2 00:52:17 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Rosenberg <drosen@google.com>
X-Patchwork-Id: 13228398
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F31E8C7EE24
	for <bpf@archiver.kernel.org>; Tue,  2 May 2023 00:52:33 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232490AbjEBAwb (ORCPT <rfc822;bpf@archiver.kernel.org>);
        Mon, 1 May 2023 20:52:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47494 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232267AbjEBAwa (ORCPT <rfc822;bpf@vger.kernel.org>);
        Mon, 1 May 2023 20:52:30 -0400
Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com
 [IPv6:2607:f8b0:4864:20::114a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C8003588
        for <bpf@vger.kernel.org>; Mon,  1 May 2023 17:52:28 -0700 (PDT)
Received: by mail-yw1-x114a.google.com with SMTP id
 00721157ae682-559d30ec7fcso66114667b3.2
        for <bpf@vger.kernel.org>; Mon, 01 May 2023 17:52:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1682988747; x=1685580747;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=jcg+ObY0uKE7Plv6+Kj2nIBfbZ7utIjukDPBrr4BYWc=;
        b=rYQSqPKozvop6FQA27tCKPMMocl2dT4bgtQrMsrykc/YWbzOREznkvJfsptxQWgLxw
         oO82Zx1edFTqiTXXK/v5aDAXURCmJ09vOhY+vO5I8xtNxt5WFfCp4m5EUphT4ZHKU3Ft
         VupyzUAvpbAYLoLeLRDy5Y2ZGrbi2CofICiADgLD0ZZ2tipa6AdBZVKxCySj9R6/+Uf+
         8M3XGSk9xQkov8XEL0PlXN3zdY6R2i+mz4kElqdnEh26AjfBdSb4khtwrKSf2QgJWFSa
         fs7UWy1gT0U988Ct3W6zTiWBgoi0XDTR/tJcLEWFxiVuuK8bqE/F4nznvKj0C9Zotm+B
         P5vQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1682988747; x=1685580747;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=jcg+ObY0uKE7Plv6+Kj2nIBfbZ7utIjukDPBrr4BYWc=;
        b=h+/J3FRhRPdw84cQi1WNfTfj/yFY37Ml8b3HMv6GXg5VPMudG4x2CFczLZLyAT/WHl
         WaLGhuw+0nch476c/mV24boDEePyQ2nvxvyRfsHiH+2NMCJiUQd606G1Uyhs9kW/Y3Py
         xGTAZUy8O6nnXnzIzy59TsqCEjjkERsKLKeTX6ye+PHMcm5husJ0j+8h3odGnT7mHiV7
         DBPdRzUEitDWpQ+yuQWAvdkI4U3lbzO9NO3q92rcrx/LC4oOddMvNu0dortF6omEPQtx
         A/9HMHmhj9XgcK+wekw9peKu666a43aLiVJ2bQMUmfgADoM+uBggk8yfI/tYSLd6E0e4
         SOfQ==
X-Gm-Message-State: AC+VfDxDXiG9uW/Pqr5ztMljQYdU0VFbOmjt3h4Uko6CSUOIYa7UyfEz
        wb6dCdUH3z6sq5Ep05lNoXkg4qSumeeRImLbCbM/jAff9gtUFbB5e3DWkm7XVI1F/WW++OYqctC
        20ZB0KrFcm71NYZVuM2j1yASbgiRKZ6g3Bcaz1jSuJmhJYsqbTSAlIAaAZQ==
X-Google-Smtp-Source: 
 ACHHUZ60Cpj1S0W+yNjZ+/1Bv5rIXv4w+qbwVSj8aJJ1+U1DafFfffYkJPJ9kC3zAgNVLJaeYWBqlX/tWOk=
X-Received: from drosen.mtv.corp.google.com
 ([2620:15c:211:201:908a:598a:7b5a:d40b])
 (user=drosen job=sendgmr) by 2002:a05:690c:725:b0:54f:bb71:c7b3 with SMTP id
 bt5-20020a05690c072500b0054fbb71c7b3mr9297919ywb.9.1682988747604; Mon, 01 May
 2023 17:52:27 -0700 (PDT)
Date: Mon,  1 May 2023 17:52:17 -0700
In-Reply-To: <20230502005218.3627530-1-drosen@google.com>
Mime-Version: 1.0
References: <20230502005218.3627530-1-drosen@google.com>
X-Mailer: git-send-email 2.40.1.495.gc816e09b53d-goog
Message-ID: <20230502005218.3627530-2-drosen@google.com>
Subject: [PATCH v2 2/3] selftests/bpf: Test allowing NULL buffer in dynptr
 slice
From: Daniel Rosenberg <drosen@google.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        John Fastabend <john.fastabend@gmail.com>,
        Andrii Nakryiko <andrii@kernel.org>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
        KP Singh <kpsingh@kernel.org>,
        Stanislav Fomichev <sdf@google.com>,
        Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
        Shuah Khan <shuah@kernel.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Joanne Koong <joannelkoong@gmail.com>,
        Mykola Lysenko <mykolal@fb.com>, linux-kernel@vger.kernel.org,
        linux-kselftest@vger.kernel.org, kernel-team@android.com,
        Daniel Rosenberg <drosen@google.com>
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

bpf_dynptr_slice(_rw) no longer requires a buffer for verification. If the
buffer is needed, but not present, the function will return NULL.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
---
 tools/testing/selftests/bpf/prog_tests/dynptr.c |  1 +
 .../selftests/bpf/progs/dynptr_success.c        | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/dynptr.c b/tools/testing/selftests/bpf/prog_tests/dynptr.c
index d176c34a7d2e..ac1fcaddcddf 100644
--- a/tools/testing/selftests/bpf/prog_tests/dynptr.c
+++ b/tools/testing/selftests/bpf/prog_tests/dynptr.c
@@ -20,6 +20,7 @@ static struct {
 	{"test_ringbuf", SETUP_SYSCALL_SLEEP},
 	{"test_skb_readonly", SETUP_SKB_PROG},
 	{"test_dynptr_skb_data", SETUP_SKB_PROG},
+	{"test_dynptr_skb_no_buff", SETUP_SKB_PROG},
 };
 
 static void verify_success(const char *prog_name, enum test_setup_type setup_type)
diff --git a/tools/testing/selftests/bpf/progs/dynptr_success.c b/tools/testing/selftests/bpf/progs/dynptr_success.c
index b2fa6c47ecc0..16636a29242a 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_success.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_success.c
@@ -207,3 +207,20 @@ int test_dynptr_skb_data(struct __sk_buff *skb)
 
 	return 1;
 }
+
+SEC("?cgroup_skb/egress")
+int test_dynptr_skb_no_buff(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	__u64 *data;
+
+	if (bpf_dynptr_from_skb(skb, 0, &ptr)) {
+		err = 1;
+		return 1;
+	}
+
+	/* This may return NULL. SKB may require a buffer */
+	data = bpf_dynptr_slice(&ptr, 0, NULL, 1);
+
+	return !!data;
+}

From patchwork Tue May  2 00:52:18 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Rosenberg <drosen@google.com>
X-Patchwork-Id: 13228399
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8DA5EC77B7C
	for <bpf@archiver.kernel.org>; Tue,  2 May 2023 00:52:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232790AbjEBAwe (ORCPT <rfc822;bpf@archiver.kernel.org>);
        Mon, 1 May 2023 20:52:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47524 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229653AbjEBAwc (ORCPT <rfc822;bpf@vger.kernel.org>);
        Mon, 1 May 2023 20:52:32 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com
 [IPv6:2607:f8b0:4864:20::b4a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76E9A30F6
        for <bpf@vger.kernel.org>; Mon,  1 May 2023 17:52:30 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id
 3f1490d57ef6-b8f324b3ef8so3787993276.0
        for <bpf@vger.kernel.org>; Mon, 01 May 2023 17:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1682988749; x=1685580749;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=rijO/xqtP62+kTHQFbkJP5lful9qOa3cZ4WzW7LFpEs=;
        b=EjKbiPmKz/D0CLJlw2T3t6DZlK1KGIuvF6NX00rIT6VVlKtCc0ynODJCR4qFM8CBpd
         Hykblxm7QyCqcgFJEFXv54jnEu+okCN5uYxLn6blk16FIBidZkK+Qtju7YgJ8by+lV2h
         3YqiggxPw/S23UQl624JELMifTQDK9dxEqoiNj1yQsc35vOW8NOkn9NL2BpCiSYX+9+B
         F2mmq2nmNIVKj1/oLAPz8KARJGM47bqMUqXg2VuNfYiIV6nH8U2ECkD9/Axv3+bpikud
         SIWtGpJRg9mWZbQm9gzDsTz25yhmgaWOInyyn/vtqhHQtqH6Hwel1at4Wy+aLHhY+o7d
         HAxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1682988749; x=1685580749;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=rijO/xqtP62+kTHQFbkJP5lful9qOa3cZ4WzW7LFpEs=;
        b=XGNA3/DZ7GHRvEor51ToHNf1Q/f/aVTsyt2rsgxDm27Cjpn7Q/IUXbc4B9boE9I94Q
         1auMEhJsC0NziI1j4rDQOaeorUp2sG2cisS0IiJxad2V0yZgT00GOEmC1lZRX+lkKs7M
         40D5gbzw2eDj1+0HI2WqTonBikXZfD1vhmMBaXghSe178cvCB2duqceg+ZqxZqWf7yb6
         JSag9O6/JklonvtlSvRfxTiYGC54HGxqtraPI52D6KfmdrwuiulGTI+N3FXfkUM3k2Bk
         /1y/pdUI/BV3YbkYz7NDDpA/NcbbMBcNAEjQzFUSTzYmHd1K0SCcFWjcYQ1KbV/fqZDh
         Wwgw==
X-Gm-Message-State: AC+VfDxfZaKSNP9MORaFR18hMZ8dhNoOrQcikuba4pbLqCxXQC6mhvMZ
        6LanT6mC1Y4/ZHY4xPhKz49zyQkB5CcVB3VNtHX8c6goF2ZI6Yj1NG7mZgOsnO3O3h+jONREr7z
        6lyR09sO0rvxMx39wc4VRG7v/+lmd1icQG0x1iacGW5vM9JuTTb1WwjZgdA==
X-Google-Smtp-Source: 
 ACHHUZ7n5zq4WwCc7p8yjzM6u7iRD3ekgnKIsVQM/t4WotSBIWJT2O2TfGLlAeMOYhobkxdnWZJ45ShEFvQ=
X-Received: from drosen.mtv.corp.google.com
 ([2620:15c:211:201:908a:598a:7b5a:d40b])
 (user=drosen job=sendgmr) by 2002:a25:4683:0:b0:b92:1f3c:a212 with SMTP id
 t125-20020a254683000000b00b921f3ca212mr9414301yba.8.1682988749577; Mon, 01
 May 2023 17:52:29 -0700 (PDT)
Date: Mon,  1 May 2023 17:52:18 -0700
In-Reply-To: <20230502005218.3627530-1-drosen@google.com>
Mime-Version: 1.0
References: <20230502005218.3627530-1-drosen@google.com>
X-Mailer: git-send-email 2.40.1.495.gc816e09b53d-goog
Message-ID: <20230502005218.3627530-3-drosen@google.com>
Subject: [PATCH v2 3/3] selftests/bpf: Check overflow in optional buffer
From: Daniel Rosenberg <drosen@google.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        John Fastabend <john.fastabend@gmail.com>,
        Andrii Nakryiko <andrii@kernel.org>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
        KP Singh <kpsingh@kernel.org>,
        Stanislav Fomichev <sdf@google.com>,
        Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
        Shuah Khan <shuah@kernel.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Joanne Koong <joannelkoong@gmail.com>,
        Mykola Lysenko <mykolal@fb.com>, linux-kernel@vger.kernel.org,
        linux-kselftest@vger.kernel.org, kernel-team@android.com,
        Daniel Rosenberg <drosen@google.com>
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

This ensures we still reject invalid memory accesses in buffers that are
marked optional.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
---
 .../testing/selftests/bpf/progs/dynptr_fail.c | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c b/tools/testing/selftests/bpf/progs/dynptr_fail.c
index 759eb5c245cd..ee98f7ce0b0d 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
@@ -1378,3 +1378,23 @@ int invalid_slice_rdwr_rdonly(struct __sk_buff *skb)
 
 	return 0;
 }
+
+/* Buffers that are provided must be sufficiently long */
+SEC("?cgroup_skb/egress")
+__failure __msg("memory, len pair leads to invalid memory access")
+int test_dynptr_skb_small_buff(struct __sk_buff *skb)
+{
+	struct bpf_dynptr ptr;
+	char buffer[8] = {};
+	__u64 *data;
+
+	if (bpf_dynptr_from_skb(skb, 0, &ptr)) {
+		err = 1;
+		return 1;
+	}
+
+	/* This may return NULL. SKB may require a buffer */
+	data = bpf_dynptr_slice(&ptr, 0, buffer, 9);
+
+	return !!data;
+}