lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAP01T75rQZvnk8y+AJr9KDjra1JO8=Q_kuD5TnxJ+4dp455Gyg@mail.gmail.com>
Date:   Fri, 26 Aug 2022 22:36:46 +0200
From:   Kumar Kartikeya Dwivedi <memxor@...il.com>
To:     Roberto Sassu <roberto.sassu@...weicloud.com>
Cc:     ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
        martin.lau@...ux.dev, song@...nel.org, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
        haoluo@...gle.com, jolsa@...nel.org, mykolal@...com,
        corbet@....net, dhowells@...hat.com, jarkko@...nel.org,
        rostedt@...dmis.org, mingo@...hat.com, paul@...l-moore.com,
        jmorris@...ei.org, serge@...lyn.com, shuah@...nel.org,
        bpf@...r.kernel.org, linux-doc@...r.kernel.org,
        keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
        deso@...teo.net, Roberto Sassu <roberto.sassu@...wei.com>,
        Joanne Koong <joannelkoong@...il.com>
Subject: Re: [PATCH v13 02/10] btf: Handle dynamic pointer parameter in kfuncs

On Tue, 23 Aug 2022 at 19:27, Roberto Sassu
<roberto.sassu@...weicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu@...wei.com>
>
> Allow the bpf_dynptr_kern parameter to be specified in kfuncs. Also, ensure
> that the dynamic pointer is valid and initialized.
>
> To properly detect whether a parameter is of the desired type, introduce
> the stringify_struct() macro to compare the returned structure name with
> the desired name. In addition, protect against structure renames, by
> halting the build with BUILD_BUG_ON(), so that developers have to revisit
> the code.
>
> Cc: Joanne Koong <joannelkoong@...il.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
>  include/linux/bpf_verifier.h |  3 +++
>  include/linux/btf.h          |  9 +++++++++
>  kernel/bpf/btf.c             | 18 ++++++++++++++++++
>  kernel/bpf/verifier.c        |  4 ++--
>  4 files changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index 2e3bad8640dc..55876fbdbae2 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -560,6 +560,9 @@ int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state
>                              u32 regno);
>  int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
>                    u32 regno, u32 mem_size);
> +bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env,
> +                             struct bpf_reg_state *reg,
> +                             enum bpf_arg_type arg_type);
>
>  /* this lives here instead of in bpf.h because it needs to dereference tgt_prog */
>  static inline u64 bpf_trampoline_compute_key(const struct bpf_prog *tgt_prog,
> diff --git a/include/linux/btf.h b/include/linux/btf.h
> index ad93c2d9cc1c..f546d368ac5d 100644
> --- a/include/linux/btf.h
> +++ b/include/linux/btf.h
> @@ -52,6 +52,15 @@
>  #define KF_SLEEPABLE    (1 << 5) /* kfunc may sleep */
>  #define KF_DESTRUCTIVE  (1 << 6) /* kfunc performs destructive actions */
>
> +/*
> + * Return the name of the passed struct, if exists, or halt the build if for
> + * example the structure gets renamed. In this way, developers have to revisit
> + * the code using that structure name, and update it accordingly.
> + */
> +#define stringify_struct(x)                    \
> +       ({ BUILD_BUG_ON(sizeof(struct x) < 0);  \
> +          __stringify(x); })
> +
>  struct btf;
>  struct btf_member;
>  struct btf_type;
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index e49b3b6d48ad..26cb548420af 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6362,15 +6362,20 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>
>                         if (is_kfunc) {
>                                 bool arg_mem_size = i + 1 < nargs && is_kfunc_arg_mem_size(btf, &args[i + 1], &regs[regno + 1]);
> +                               bool arg_dynptr = btf_type_is_struct(ref_t) &&
> +                                                 !strcmp(ref_tname,
> +                                                         stringify_struct(bpf_dynptr_kern));
>
>                                 /* Permit pointer to mem, but only when argument
>                                  * type is pointer to scalar, or struct composed
>                                  * (recursively) of scalars.
>                                  * When arg_mem_size is true, the pointer can be
>                                  * void *.
> +                                * Also permit initialized dynamic pointers.
>                                  */
>                                 if (!btf_type_is_scalar(ref_t) &&
>                                     !__btf_type_is_scalar_struct(log, btf, ref_t, 0) &&
> +                                   !arg_dynptr &&
>                                     (arg_mem_size ? !btf_type_is_void(ref_t) : 1)) {
>                                         bpf_log(log,
>                                                 "arg#%d pointer type %s %s must point to %sscalar, or struct with scalar\n",
> @@ -6378,6 +6383,19 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>                                         return -EINVAL;
>                                 }
>
> +                               if (arg_dynptr) {
> +                                       if (!is_dynptr_reg_valid_init(env, reg,
> +                                                       ARG_PTR_TO_DYNPTR)) {

Do you intend to really accept all kinds of dynptr here? In the future
we will get more, and by default ARG_PTR_TO_DYNPTR accepts all, so it
seems better to start with a small strict subset.

Secondly, you need to also check whether reg is a PTR_TO_STACK inside
this arg_dynptr branch. It is incorrect to call
is_dynptr_reg_valid_init for any other type of register. It would also
be nice to include some tests for that.



> +                                               bpf_log(log,
> +                                                       "arg#%d pointer type %s %s must be initialized\n",
> +                                                       i, btf_type_str(ref_t),
> +                                                       ref_tname);
> +                                               return -EINVAL;
> +                                       }
> +
> +                                       continue;
> +                               }
> +
>                                 /* Check for mem, len pair */
>                                 if (arg_mem_size) {
>                                         if (check_kfunc_mem_size_reg(env, &regs[regno + 1], regno + 1)) {
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2c1f8069f7b7..aa834e7bb296 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -779,8 +779,8 @@ static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_
>         return true;
>  }
>
> -static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> -                                    enum bpf_arg_type arg_type)
> +bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> +                             enum bpf_arg_type arg_type)
>  {
>         struct bpf_func_state *state = func(env, reg);
>         int spi = get_spi(reg->off);
> --
> 2.25.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ