lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAADnVQ+xPtq=kw_MKPaQkeAhdPndhJs1S5DRBGtByBQ-BgdFmA@mail.gmail.com>
Date: Fri, 7 Jun 2024 09:57:20 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Benjamin Tissoires <bentiss@...nel.org>
Cc: Shuah Khan <shuah@...nel.org>, Jiri Kosina <jikos@...nel.org>, Jonathan Corbet <corbet@....net>, 
	Alexei Starovoitov <ast@...nel.org>, 
	"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	bpf <bpf@...r.kernel.org>, 
	"open list:HID CORE LAYER" <linux-input@...r.kernel.org>, 
	"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>
Subject: Re: [PATCH HID v2 15/16] HID: bpf: rework hid_bpf_ops_btf_struct_access

On Fri, Jun 7, 2024 at 8:29 AM Benjamin Tissoires <bentiss@...nel.org> wrote:
>
> The idea is to provide a list of stucts and their editable fields.
>
> Currently no functional changes are introduced here, we will add some
> more writeable fields in the next patch.
>
> Signed-off-by: Benjamin Tissoires <bentiss@...nel.org>
>
> ---
>
> new in v2
> ---
>  drivers/hid/bpf/hid_bpf_struct_ops.c | 91 +++++++++++++++++++++++++++---------
>  1 file changed, 69 insertions(+), 22 deletions(-)
>
> diff --git a/drivers/hid/bpf/hid_bpf_struct_ops.c b/drivers/hid/bpf/hid_bpf_struct_ops.c
> index 056d05d96962..944e6d91a36b 100644
> --- a/drivers/hid/bpf/hid_bpf_struct_ops.c
> +++ b/drivers/hid/bpf/hid_bpf_struct_ops.c
> @@ -16,6 +16,7 @@
>  #include <linux/hid_bpf.h>
>  #include <linux/init.h>
>  #include <linux/module.h>
> +#include <linux/stddef.h>
>  #include <linux/workqueue.h>
>  #include "hid_bpf_dispatch.h"
>
> @@ -52,40 +53,86 @@ static int hid_bpf_ops_check_member(const struct btf_type *t,
>         return 0;
>  }
>
> +struct hid_bpf_offset_write_range {
> +       const char *struct_name;
> +       u32 struct_length;
> +       u32 start;
> +       u32 end;
> +};
> +
>  static int hid_bpf_ops_btf_struct_access(struct bpf_verifier_log *log,
>                                            const struct bpf_reg_state *reg,
>                                            int off, int size)
>  {
> -       const struct btf_type *state;
> -       const struct btf_type *t;
> -       s32 type_id;
> +#define WRITE_RANGE(_name, _field, _start_offset, _end_offset)                 \
> +       {                                                                       \
> +               .struct_name = #_name,                                          \
> +               .struct_length = sizeof(struct _name),                          \
> +               .start = offsetof(struct _name, _field) + _start_offset,        \
> +               .end = offsetofend(struct _name, _field) + _end_offset,         \
> +       }

reading comment /* minus 1 to ensure \0 at the end */
in the next patch...
I don't see this logic below.
In general the manual byte offset adjustment
looks like a footgun. Maybe add a flag for \0 and avoid
messing with offsets?

>
> -       type_id = btf_find_by_name_kind(reg->btf, "hid_bpf_ctx",
> -                                       BTF_KIND_STRUCT);
> -       if (type_id < 0)
> -               return -EINVAL;
> +       const struct hid_bpf_offset_write_range write_ranges[] = {
> +               WRITE_RANGE(hid_bpf_ctx, retval, 0, 0),
> +       };
> +#undef WRITE_RANGE
> +       const struct btf_type *state = NULL;
> +       const struct btf_type *t;
> +       const char *cur = NULL;
> +       int i;
>
>         t = btf_type_by_id(reg->btf, reg->btf_id);
> -       state = btf_type_by_id(reg->btf, type_id);
> -       if (t != state) {
> -               bpf_log(log, "only access to hid_bpf_ctx is supported\n");
> -               return -EACCES;
> -       }
>
> -       /* out-of-bound access in hid_bpf_ctx */
> -       if (off + size > sizeof(struct hid_bpf_ctx)) {
> -               bpf_log(log, "write access at off %d with size %d\n", off, size);
> -               return -EACCES;
> +       for (i = 0; i < ARRAY_SIZE(write_ranges); i++) {
> +               const struct hid_bpf_offset_write_range *write_range = &write_ranges[i];
> +               s32 type_id;
> +
> +               /* we already found a writeable struct, but there is a
> +                * new one, let's break the loop.
> +                */
> +               if (t == state && write_range->struct_name != cur)
> +                       break;
> +
> +               /* new struct to look for */
> +               if (write_range->struct_name != cur) {
> +                       type_id = btf_find_by_name_kind(reg->btf, write_range->struct_name,
> +                                                       BTF_KIND_STRUCT);
> +                       if (type_id < 0)
> +                               return -EINVAL;
> +
> +                       state = btf_type_by_id(reg->btf, type_id);
> +               }
> +
> +               /* this is not the struct we are looking for */
> +               if (t != state) {
> +                       cur = write_range->struct_name;
> +                       continue;
> +               }
> +
> +               /* first time we see this struct, check for out of bounds */
> +               if (cur != write_range->struct_name &&
> +                   off + size > write_range->struct_length) {
> +                       bpf_log(log, "write access for struct %s at off %d with size %d\n",
> +                               write_range->struct_name, off, size);
> +                       return -EACCES;
> +               }
> +
> +               /* now check if we are in our boundaries */
> +               if (off >= write_range->start && off + size <= write_range->end)
> +                       return NOT_INIT;
> +
> +               cur = write_range->struct_name;
>         }
>
> -       if (off < offsetof(struct hid_bpf_ctx, retval)) {
> +
> +       if (t != state)
> +               bpf_log(log, "write access to this struct is not supported\n");
> +       else
>                 bpf_log(log,
> -                       "write access at off %d with size %d on read-only part of hid_bpf_ctx\n",
> -                       off, size);
> -               return -EACCES;
> -       }
> +                       "write access at off %d with size %d on read-only part of %s\n",
> +                       off, size, cur);
>
> -       return NOT_INIT;
> +       return -EACCES;
>  }
>
>  static const struct bpf_verifier_ops hid_bpf_verifier_ops = {
>
> --
> 2.44.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ