| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Apr 2021 14:35:12 +0200
From: Florent Revest <revest@...omium.org>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Yonghong Song <yhs@...com>, KP Singh <kpsingh@...nel.org>,
Brendan Jackman <jackmanb@...omium.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next v5 2/6] bpf: Add a ARG_PTR_TO_CONST_STR argument type
On Tue, Apr 20, 2021 at 12:54 AM Alexei Starovoitov
<alexei.starovoitov@...il.com> wrote:
>
> On Mon, Apr 19, 2021 at 05:52:39PM +0200, Florent Revest wrote:
> > This type provides the guarantee that an argument is going to be a const
> > pointer to somewhere in a read-only map value. It also checks that this
> > pointer is followed by a zero character before the end of the map value.
> >
> > Signed-off-by: Florent Revest <revest@...omium.org>
> > Acked-by: Andrii Nakryiko <andrii@...nel.org>
> > ---
> > include/linux/bpf.h | 1 +
> > kernel/bpf/verifier.c | 41 +++++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 42 insertions(+)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 77d1d8c65b81..c160526fc8bf 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -309,6 +309,7 @@ enum bpf_arg_type {
> > ARG_PTR_TO_PERCPU_BTF_ID, /* pointer to in-kernel percpu type */
> > ARG_PTR_TO_FUNC, /* pointer to a bpf program function */
> > ARG_PTR_TO_STACK_OR_NULL, /* pointer to stack or NULL */
> > + ARG_PTR_TO_CONST_STR, /* pointer to a null terminated read-only string */
> > __BPF_ARG_TYPE_MAX,
> > };
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 852541a435ef..5f46dd6f3383 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -4787,6 +4787,7 @@ static const struct bpf_reg_types spin_lock_types = { .types = { PTR_TO_MAP_VALU
> > static const struct bpf_reg_types percpu_btf_ptr_types = { .types = { PTR_TO_PERCPU_BTF_ID } };
> > static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
> > static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
> > +static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
> >
> > static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
> > [ARG_PTR_TO_MAP_KEY] = &map_key_value_types,
> > @@ -4817,6 +4818,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
> > [ARG_PTR_TO_PERCPU_BTF_ID] = &percpu_btf_ptr_types,
> > [ARG_PTR_TO_FUNC] = &func_ptr_types,
> > [ARG_PTR_TO_STACK_OR_NULL] = &stack_ptr_types,
> > + [ARG_PTR_TO_CONST_STR] = &const_str_ptr_types,
> > };
> >
> > static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
> > @@ -5067,6 +5069,45 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> > if (err)
> > return err;
> > err = check_ptr_alignment(env, reg, 0, size, true);
> > + } else if (arg_type == ARG_PTR_TO_CONST_STR) {
> > + struct bpf_map *map = reg->map_ptr;
> > + int map_off;
> > + u64 map_addr;
> > + char *str_ptr;
> > +
> > + if (reg->type != PTR_TO_MAP_VALUE || !map ||
>
> I think the 'type' check is redundant,
> since check_reg_type() did it via compatible_reg_types.
> If so it's probably better to remove it here ?
>
> '!map' looks unnecessary. Can it ever happen? If yes, it's a verifier bug.
> For example in check_mem_access() we just deref reg->map_ptr without checking
> which, I think, is correct.
I agree with all of the above. I only thought it's better to be safe
than sorry but if you'd like I could follow up with a patch that
removes some checks?
> > + !bpf_map_is_rdonly(map)) {
>
> This check is needed, of course.
>
> > + verbose(env, "R%d does not point to a readonly map'\n", regno);
> > + return -EACCES;
> > + }
> > +
> > + if (!tnum_is_const(reg->var_off)) {
> > + verbose(env, "R%d is not a constant address'\n", regno);
> > + return -EACCES;
> > + }
> > +
> > + if (!map->ops->map_direct_value_addr) {
> > + verbose(env, "no direct value access support for this map type\n");
> > + return -EACCES;
> > + }
> > +
> > + err = check_map_access(env, regno, reg->off,
> > + map->value_size - reg->off, false);
> > + if (err)
> > + return err;
> > +
> > + map_off = reg->off + reg->var_off.value;
> > + err = map->ops->map_direct_value_addr(map, &map_addr, map_off);
> > + if (err) {
>
> since the code checks it here the same check in check_bpf_snprintf_call() should
> probably do:
> if (err) {
> verbose("verifier bug\n");
> return -EFAULT;
> }
>
> instead of just "return err;"
> ?
Sure, does not hurt. I can also follow up with a patch unless if you
prefer doing it yourself.
> > + verbose(env, "direct value access on string failed\n");
>
> I think the message doesn't tell users much, but they probably should never
> see it unless they try to do lookup from readonly array with
> more than one element.
> So I guess it's fine to keep this one as-is. Just flagging.
Ack
> Anyway the whole set looks great, so I've applied to bpf-next.
> Thanks!
Thank you :D
Powered by blists - more mailing lists