lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aADw97YoFMGPGnJJ@krava>
Date: Thu, 17 Apr 2025 14:15:51 +0200
From: Jiri Olsa <olsajiri@...il.com>
To: KaFai Wan <mannkafai@...il.com>
Cc: martin.lau@...ux.dev, ast@...nel.org, daniel@...earbox.net,
	andrii@...nel.org, eddyz87@...il.com, song@...nel.org,
	yonghong.song@...ux.dev, john.fastabend@...il.com,
	kpsingh@...nel.org, sdf@...ichev.me, haoluo@...gle.com,
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, horms@...nel.org, mykolal@...com,
	shuah@...nel.org, memxor@...il.com, bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
	kafai.wan@...mail.com, leon.hwang@...ux.dev
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Allow access to const void pointer
 arguments in tracing programs

On Thu, Apr 17, 2025 at 12:17:55AM +0800, KaFai Wan wrote:
> Adding support to access arguments with const void pointer arguments
> in tracing programs.
> 
> Currently we allow tracing programs to access void pointers. If we try to
> access argument which is pointer to const void like 2nd argument in kfree,
> verifier will fail to load the program with;
> 
> 0: R1=ctx() R10=fp0
> ; asm volatile ("r2 = *(u64 *)(r1 + 8); ");
> 0: (79) r2 = *(u64 *)(r1 +8)
> func 'kfree' arg1 type UNKNOWN is not a struct
> 
> Changing the is_int_ptr to void and generic integer check and renaming
> it to is_void_or_int_ptr.
> 
> Cc: Leon Hwang <leon.hwang@...ux.dev>
> Signed-off-by: KaFai Wan <kafai.wan@...mail.com>
> ---
>  kernel/bpf/btf.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 16ba36f34dfa..0b1724453b75 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6383,12 +6383,12 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog)
>  		return prog->aux->attach_btf;
>  }
>  
> -static bool is_int_ptr(struct btf *btf, const struct btf_type *t)
> +static bool is_void_or_int_ptr(struct btf *btf, const struct btf_type *t)
>  {
>  	/* skip modifiers */
>  	t = btf_type_skip_modifiers(btf, t->type, NULL);
>  
> -	return btf_type_is_int(t);
> +	return btf_type_is_void(t) || btf_type_is_int(t);
>  }
>  
>  static u32 get_ctx_arg_idx(struct btf *btf, const struct btf_type *func_proto,
> @@ -6783,7 +6783,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
>  		 */
>  		return true;

could we remove the above check then? 

        if (t->type == 0)
                /* This is a pointer to void.
                 * It is the same as scalar from the verifier safety pov.
                 * No further pointer walking is allowed.
                 */
                return true;

jirka

>  
> -	if (is_int_ptr(btf, t))
> +	if (is_void_or_int_ptr(btf, t))
>  		return true;
>  
>  	/* this is a pointer to another type */
> -- 
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ