lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <fsclbw3cvixxy3p3toxqegi55wew6mpqmkjs3uyhfxxgfwg5ic@k7g6iu6qgzze>
Date: Fri, 13 Dec 2024 13:02:06 -0700
From: Daniel Xu <dxu@...uu.xyz>
To: Eduard Zingerman <eddyz87@...il.com>
Cc: andrii@...nel.org, ast@...nel.org, shuah@...nel.org, 
	daniel@...earbox.net, john.fastabend@...il.com, martin.lau@...ux.dev, song@...nel.org, 
	yonghong.song@...ux.dev, kpsingh@...nel.org, sdf@...ichev.me, haoluo@...gle.com, 
	jolsa@...nel.org, mykolal@...com, bpf@...r.kernel.org, 
	linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v5 3/5] bpf: verifier: Refactor helper access
 type tracking

On Thu, Dec 12, 2024 at 08:04:28PM GMT, Eduard Zingerman wrote:
> On Thu, 2024-12-12 at 16:22 -0700, Daniel Xu wrote:
> > Previously, the verifier was treating all PTR_TO_STACK registers passed
> > to a helper call as potentially written to by the helper. However, all
> > calls to check_stack_range_initialized() already have precise access type
> > information available.
> > 
> > Rather than treat ACCESS_HELPER as a proxy for BPF_WRITE, pass
> > enum bpf_access_type to check_stack_range_initialized() to more
> > precisely track helper arguments.
> > 
> > One benefit from this precision is that registers tracked as valid
> > spills and passed as a read-only helper argument remain tracked after
> > the call.  Rather than being marked STACK_MISC afterwards.
> > 
> > An additional benefit is the verifier logs are also more precise. For
> > this particular error, users will enjoy a slightly clearer message. See
> > included selftest updates for examples.
> > 
> > Signed-off-by: Daniel Xu <dxu@...uu.xyz>
> > ---
> 
> I think this change is ok.
> With it there is only one use of 'enum bpf_access_src' remains,
> but it doesn't look like it could be removed.
> 
> Acked-by: Eduard Zingerman <eddyz87@...il.com>
> 
> [...]
> 
> > --- a/tools/testing/selftests/bpf/progs/uninit_stack.c
> > +++ b/tools/testing/selftests/bpf/progs/uninit_stack.c
> > @@ -55,33 +55,4 @@ exit_%=:	r0 = 0;					\
> >  		      : __clobber_all);
> >  }
> >  
> > -static __noinline void dummy(void) {}
> > -
> > -/* Pass a pointer to uninitialized stack memory to a helper.
> > - * Passed memory block should be marked as STACK_MISC after helper call.
> > - */
> > -SEC("socket")
> > -__log_level(7) __msg("fp-104=mmmmmmmm")
> > -__naked int helper_uninit_to_misc(void *ctx)
> 
> Is it possible to peek a helper that writes into memory and not delete
> this test?

Yeah, good idea. Will do.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ