[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <mb61pzfursxjh.fsf@gmail.com>
Date: Thu, 21 Mar 2024 10:13:06 +0000
From: Puranjay Mohan <puranjay12@...il.com>
To: Ilya Leoshkevich <iii@...ux.ibm.com>, Alexei Starovoitov
<alexei.starovoitov@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, David Ahern
<dsahern@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann
<daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai
Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu
<song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend
<john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav
Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa
<jolsa@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar
<mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
<dave.hansen@...ux.intel.com>, X86 ML <x86@...nel.org>, "H. Peter Anvin"
<hpa@...or.com>, Jean-Philippe Brucker <jean-philippe@...aro.org>, Network
Development <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>, LKML
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf] bpf: verifier: prevent userspace memory access
Ilya Leoshkevich <iii@...ux.ibm.com> writes:
> On Wed, Mar 20, 2024 at 11:08:00PM -0700, Alexei Starovoitov wrote:
>> On Wed, Mar 20, 2024 at 3:55 AM Puranjay Mohan <puranjay12@...ilcom> wrote:
>> >
>> > The JITs need to implement bpf_arch_uaddress_limit() to define where
>> > the userspace addresses end for that architecture or TASK_SIZE is taken
>> > as default.
>> >
>> > The implementation is as follows:
>> >
>> > REG_AX = SRC_REG
>> > if(offset)
>> > REG_AX += offset;
>> > REG_AX >>= 32;
>> > if (REG_AX <= (uaddress_limit >> 32))
>> > DST_REG = 0;
>> > else
>> > DST_REG = *(size *)(SRC_REG + offset);
>>
>> The patch looks good, but it seems to be causing s390 CI failures.
>>
>> Ilya,
>> could you help us understand is this check needed on s390
>> and if so, what should be the uaddress_limit ?
>
> s390x does not define ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
> Userspace and kernel run in completely different and isolated address
> spaces, so it's not possible to determine from a pointer value whether
> it's a user or a kernel pointer.
> But the good news is that whatever you deference without using
> special instruction sequences will refer to the kernel address space.
> So I wonder if we could somehow disable this check on s390x altogether?
> And if we are not sure whether it's a valid pointer, use BPF_PROBE_MEM
> as always.
Thanks for the details. I understand that s390x doesn't need this extra
check because all normal accesses are in the kernel address space and they
will be marked with BPF_PROBE_MEM by the verifier if the pointer is
untrusted.
I have sent v2 of this patch with this check disabled on s390x
https://lore.kernel.org/bpf/20240321101058.68530-1-puranjay12@gmail.com/
Thanks,
Puranjay
Powered by blists - more mailing lists