lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKwvOdmtv2EdNQz+c_DZm_47EEibkaXfDW8dGPwNPA3OrcoC9g@mail.gmail.com>
Date:   Wed, 8 Jul 2020 10:10:14 -0700
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Alex Elder <elder@...aro.org>, Jakub Kicinski <kuba@...nel.org>
Cc:     "David S . Miller" <davem@...emloft.net>,
        "# 3.4.x" <stable@...r.kernel.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        Andrii Nakryiko <andriin@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...omium.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        bpf <bpf@...r.kernel.org>
Subject: Re: [PATCH] bitfield.h: don't compile-time validate _val in FIELD_FIT

On Tue, Jul 7, 2020 at 3:43 PM Alex Elder <elder@...aro.org> wrote:
>
> On 7/7/20 4:16 PM, Nick Desaulniers wrote:
> > From: Jakub Kicinski <kuba@...nel.org>
> >
> > When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the
> > compiler to deduce a case where _val can only have the value of -1 at
> > compile time. Specifically,
> >
> > /* struct bpf_insn: _s32 imm */
> > u64 imm = insn->imm; /* sign extend */
> > if (imm >> 32) { /* non-zero only if insn->imm is negative */
> >   /* inlined from ur_load_imm_any */
> >   u32 __imm = imm >> 32; /* therefore, always 0xffffffff */
> >   if (__builtin_constant_p(__imm) && __imm > 255)
> >     compiletime_assert_XXX()
> >
> > This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that
> > checks that a given value is representable in one byte (interpreted as
> > unsigned).

Hi Alex,
Thanks for taking a look. They're good and fair questions.

>
> Why does FIELD_FIT() pass an unsigned long long value as the second
> argument to __BF_FIELD_CHECK()?

Was Jakub's suggestion; I don't feel strongly against it either way, though...

> Could it pass (typeof(_mask))0 instead?

...might be nice to avoid implicit promotions and conversions if _mask
is not the same sizeof _val.

> It wouldn't fix this particular case, because UR_REG_IMM_MAX is also
> defined with that type.  But (without working through this in more
> detail) it seems like there might be a solution that preserves the
> compile-time checking.

I'd argue the point of the patch is to not check at compile time for
FIELD_FIT, since we have a case in
drivers/net/ethernet/netronome/nfp/bpf/jit.c (jeq_imm()) that will
always pass -1 (unintentionally due to compiler optimization).

> A second comment about this is that it might be nice to break
> __BF_FIELD_CHECK() into the parts that verify the mask (which
> could be used by FIELD_FIT() here) and the parts that verify
> other things.

Like so? Jakub, WDYT? Or do you prefer v1+Alex's suggestion about
using `(typeof(_mask))0` in place of 0ULL?

diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp_eth.c
b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp_eth.c
index 311a5be25acb..938fc733fccb 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp_eth.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp_eth.c
@@ -492,11 +492,12 @@ nfp_eth_set_bit_config(struct nfp_nsp *nsp,
unsigned int raw_idx,
        return 0;
 }

-#define NFP_ETH_SET_BIT_CONFIG(nsp, raw_idx, mask, val, ctrl_bit)      \
-       ({                                                              \
-               __BF_FIELD_CHECK(mask, 0ULL, val, "NFP_ETH_SET_BIT_CONFIG: "); \
-               nfp_eth_set_bit_config(nsp, raw_idx, mask, __bf_shf(mask), \
-                                      val, ctrl_bit);                  \
+#define NFP_ETH_SET_BIT_CONFIG(nsp, raw_idx, mask, val, ctrl_bit)
         \
+       ({
         \
+               __BF_FIELD_CHECK_MASK(mask, "NFP_ETH_SET_BIT_CONFIG:
");        \
+               __BF_FIELD_CHECK_VAL(mask, val,
"NFP_ETH_SET_BIT_CONFIG: ");    \
+               nfp_eth_set_bit_config(nsp, raw_idx, mask,
__bf_shf(mask),      \
+                                      val, ctrl_bit);
         \
        })

 /**
diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
index 48ea093ff04c..79651867beb3 100644
--- a/include/linux/bitfield.h
+++ b/include/linux/bitfield.h
@@ -41,18 +41,26 @@

 #define __bf_shf(x) (__builtin_ffsll(x) - 1)

-#define __BF_FIELD_CHECK(_mask, _reg, _val, _pfx)                      \
+#define __BF_FIELD_CHECK_MASK(_mask, _pfx)                             \
        ({                                                              \
                BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask),          \
                                 _pfx "mask is not constant");          \
                BUILD_BUG_ON_MSG((_mask) == 0, _pfx "mask is zero");    \
+               __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) +                 \
+                                             (1ULL << __bf_shf(_mask))); \
+       })
+
+#define __BF_FIELD_CHECK_VAL(_mask, _val, _pfx)
         \
+       ({                                                              \
                BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ?           \
                                 ~((_mask) >> __bf_shf(_mask)) & (_val) : 0, \
                                 _pfx "value too large for the field"); \
-               BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull,         \
+       })
+
+#define __BF_FIELD_CHECK_REG(_mask, _reg, _pfx)
         \
+       ({                                                              \
+               BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ULL,         \
                                 _pfx "type of reg too small for mask"); \
-               __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) +                 \
-                                             (1ULL << __bf_shf(_mask))); \
        })

 /**
@@ -64,7 +72,7 @@
  */
 #define FIELD_MAX(_mask)                                               \
        ({                                                              \
-               __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_MAX: ");     \
+               __BF_FIELD_CHECK_MASK(_mask, "FIELD_MAX: ");            \
                (typeof(_mask))((_mask) >> __bf_shf(_mask));            \
        })

@@ -77,7 +85,7 @@
  */
 #define FIELD_FIT(_mask, _val)                                         \
        ({                                                              \
-               __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: ");     \
+               __BF_FIELD_CHECK_MASK(_mask, "FIELD_FIT: ");            \
                !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \
        })
 @@ -91,7 +99,8 @@
  */
 #define FIELD_PREP(_mask, _val)
         \
        ({                                                              \
-               __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_PREP: ");    \
+               __BF_FIELD_CHECK_MASK(_mask, "FIELD_PREP: ");           \
+               __BF_FIELD_CHECK_VAL(_mask, _val, "FIELD_PREP: ");      \
                ((typeof(_mask))(_val) << __bf_shf(_mask)) & (_mask);   \
        })

@@ -105,7 +114,8 @@
  */
 #define FIELD_GET(_mask, _reg)                                         \
        ({                                                              \
-               __BF_FIELD_CHECK(_mask, _reg, 0U, "FIELD_GET: ");       \
+               __BF_FIELD_CHECK_MASK(_mask, "FIELD_GET: ");            \
+               __BF_FIELD_CHECK_REG(_mask, _reg,  "FIELD_GET: ");      \
                (typeof(_mask))(((_reg) & (_mask)) >> __bf_shf(_mask)); \
        })



>
> That's all--just questions, I have no problem with the patch...
>
>                                         -Alex
>
>
>
>
> > FIELD_FIT() should return true or false at runtime for whether a value
> > can fit for not. Don't break the build over a value that's too large for
> > the mask. We'd prefer to keep the inlining and compiler optimizations
> > though we know this case will always return false.
> >
> > Cc: stable@...r.kernel.org
> > Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/
> > Reported-by: Masahiro Yamada <masahiroy@...nel.org>
> > Debugged-by: Sami Tolvanen <samitolvanen@...gle.com>
> > Signed-off-by: Jakub Kicinski <kuba@...nel.org>
> > Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
> > ---
> >  include/linux/bitfield.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
> > index 48ea093ff04c..4e035aca6f7e 100644
> > --- a/include/linux/bitfield.h
> > +++ b/include/linux/bitfield.h
> > @@ -77,7 +77,7 @@
> >   */
> >  #define FIELD_FIT(_mask, _val)                                               \
> >       ({                                                              \
> > -             __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: ");     \
> > +             __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_FIT: ");     \
> >               !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \
> >       })
> >
> >
>


--
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ