| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AM6PR03MB5848FD2C06A4AEF4D142EE91998C2@AM6PR03MB5848.eurprd03.prod.outlook.com> Date: Mon, 19 Aug 2024 11:13:52 +0100 From: Juntong Deng <juntong.deng@...look.com> To: ast@...nel.org, daniel@...earbox.net, john.fastabend@...il.com, andrii@...nel.org, martin.lau@...ux.dev, eddyz87@...il.com, song@...nel.org, yonghong.song@...ux.dev, kpsingh@...nel.org, sdf@...ichev.me, haoluo@...gle.com, jolsa@...nel.org, memxor@...il.com Cc: bpf@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH bpf-next v2 1/2] bpf: Make the pointer returned by iter next method valid Currently we cannot pass the pointer returned by iter next method as argument to KF_TRUSTED_ARGS or KF_RCU kfuncs, because the pointer returned by iter next method is not "valid". This patch sets the pointer returned by iter next method to be valid. This is based on the fact that if the iterator is implemented correctly, then the pointer returned from the iter next method should be valid. This does not make NULL pointer valid. If the iter next method has KF_RET_NULL flag, then the verifier will ask the ebpf program to check NULL pointer. KF_RCU_PROTECTED iterator is a special case, the pointer returned by iter next method should only be valid within RCU critical section, so it should be with MEM_RCU, not PTR_TRUSTED. The pointer returned by iter next method of other types of iterators is with PTR_TRUSTED. Signed-off-by: Juntong Deng <juntong.deng@...look.com> --- v1 -> v2: Handle KF_RCU_PROTECTED case and add corresponding test cases kernel/bpf/verifier.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ebec74c28ae3..d083925c2ba8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -8233,6 +8233,12 @@ static int process_iter_next_call(struct bpf_verifier_env *env, int insn_idx, verbose(env, "bug: bad parent state for iter next call"); return -EFAULT; } + + if (cur_iter->type & MEM_RCU) /* KF_RCU_PROTECTED */ + cur_fr->regs[BPF_REG_0].type |= MEM_RCU; + else + cur_fr->regs[BPF_REG_0].type |= PTR_TRUSTED; + /* Note cur_st->parent in the call below, it is necessary to skip * checkpoint created for cur_st by is_state_visited() * right at this instruction. -- 2.39.2
Powered by blists - more mailing lists