| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z5r0Q-JXYPb3mCL-@google.com>
Date: Thu, 30 Jan 2025 03:38:43 +0000
From: Peilin Ye <yepeilin@...gle.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: bpf <bpf@...r.kernel.org>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
bpf@...f.org, Xu Kuohai <xukuohai@...weicloud.com>,
Eduard Zingerman <eddyz87@...il.com>,
David Vernet <void@...ifault.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>,
Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
Jonathan Corbet <corbet@....net>,
"Paul E. McKenney" <paulmck@...nel.org>,
Puranjay Mohan <puranjay@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, Quentin Monnet <qmo@...nel.org>,
Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>,
Josh Don <joshdon@...gle.com>, Barret Rhoden <brho@...gle.com>,
Neel Natu <neelnatu@...gle.com>,
Benjamin Segall <bsegall@...gle.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next v1 3/8] bpf: Introduce load-acquire and
store-release instructions
Hi Alexei,
On Wed, Jan 29, 2025 at 04:41:31PM -0800, Alexei Starovoitov wrote:
> > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> > index da729cbbaeb9..ab082ab9d535 100644
> > --- a/kernel/bpf/core.c
> > +++ b/kernel/bpf/core.c
> > @@ -1663,14 +1663,17 @@ EXPORT_SYMBOL_GPL(__bpf_call_base);
> > INSN_3(JMP, JSET, K), \
> > INSN_2(JMP, JA), \
> > INSN_2(JMP32, JA), \
> > + /* Atomic operations. */ \
> > + INSN_3(STX, ATOMIC, B), \
> > + INSN_3(STX, ATOMIC, H), \
> > + INSN_3(STX, ATOMIC, W), \
> > + INSN_3(STX, ATOMIC, DW), \
> > /* Store instructions. */ \
> > /* Register based. */ \
> > INSN_3(STX, MEM, B), \
> > INSN_3(STX, MEM, H), \
> > INSN_3(STX, MEM, W), \
> > INSN_3(STX, MEM, DW), \
> > - INSN_3(STX, ATOMIC, W), \
> > - INSN_3(STX, ATOMIC, DW), \
> > /* Immediate based. */ \
> > INSN_3(ST, MEM, B), \
> > INSN_3(ST, MEM, H), \
> > @@ -2169,6 +2172,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
> >
> > STX_ATOMIC_DW:
> > STX_ATOMIC_W:
> > + STX_ATOMIC_H:
> > + STX_ATOMIC_B:
> > switch (IMM) {
> > ATOMIC_ALU_OP(BPF_ADD, add)
> > ATOMIC_ALU_OP(BPF_AND, and)
>
> STX_ATOMI_[BH] looks wrong.
> It will do atomic64_*() ops in wrong size.
> BPF_INSN_MAP() applies to bpf_opcode_in_insntable()
> and the verifier will allow such new insns.
We still have this check in check_atomic():
if (BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) {
verbose(env, "invalid atomic operand size\n");
return -EINVAL;
}
(moved to check_atomic_rmw() in PATCH 2/8)
Looks like it cannot be triggered before this patch, since
STX_ATOMIC_[BH] would've already been rejected by that
bpf_opcode_in_insntable() check before reaching check_atomic().
I agree that the interpreter code handling RMW atomics might now look a
bit confusing though. In v2 I'll refactor that part and/or add comments
to make it clearer in the code that:
* only W and DW are allowed for atomic RMW
* all of B, H, W and DW are allowed for atomic load/store
Thanks,
Peilin Ye
Powered by blists - more mailing lists