| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzYn0xRf6SwKHLbbqsDTueC-r_UxYOAX3+o-jswq7=a8sA@mail.gmail.com>
Date: Wed, 23 Apr 2025 11:27:52 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: KaFai Wan <mannkafai@...il.com>
Cc: alexei.starovoitov@...il.com, martin.lau@...ux.dev, ast@...nel.org,
daniel@...earbox.net, andrii@...nel.org, eddyz87@...il.com, song@...nel.org,
yonghong.song@...ux.dev, john.fastabend@...il.com, kpsingh@...nel.org,
sdf@...ichev.me, haoluo@...gle.com, jolsa@...nel.org, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
mykolal@...com, shuah@...nel.org, memxor@...il.com, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-kselftest@...r.kernel.org, leon.hwang@...ux.dev
Subject: Re: [PATCH bpf-next v4 1/2] bpf: Allow access to const void pointer
arguments in tracing programs
On Wed, Apr 23, 2025 at 5:14 AM KaFai Wan <mannkafai@...il.com> wrote:
>
> Adding support to access arguments with const void pointer arguments
> in tracing programs.
>
> Currently we allow tracing programs to access void pointers. If we try to
> access argument which is pointer to const void like 2nd argument in kfree,
> verifier will fail to load the program with;
>
> 0: R1=ctx() R10=fp0
> ; asm volatile ("r2 = *(u64 *)(r1 + 8); ");
> 0: (79) r2 = *(u64 *)(r1 +8)
> func 'kfree' arg1 type UNKNOWN is not a struct
>
> Changing the is_int_ptr to void and generic integer check and renaming
> it to is_void_or_int_ptr.
>
> Cc: Leon Hwang <leon.hwang@...ux.dev>
> Signed-off-by: KaFai Wan <mannkafai@...il.com>
> Acked-by: Jiri Olsa <jolsa@...nel.org>
> ---
> kernel/bpf/btf.c | 13 +++----------
> 1 file changed, 3 insertions(+), 10 deletions(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 16ba36f34dfa..14cdefc15f0e 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6383,12 +6383,12 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog)
> return prog->aux->attach_btf;
> }
>
> -static bool is_int_ptr(struct btf *btf, const struct btf_type *t)
> +static bool is_void_or_int_ptr(struct btf *btf, const struct btf_type *t)
> {
> /* skip modifiers */
> t = btf_type_skip_modifiers(btf, t->type, NULL);
>
> - return btf_type_is_int(t);
> + return btf_type_is_void(t) || btf_type_is_int(t);
> }
>
> static u32 get_ctx_arg_idx(struct btf *btf, const struct btf_type *func_proto,
> @@ -6776,14 +6776,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
> }
> }
>
> - if (t->type == 0)
> - /* This is a pointer to void.
> - * It is the same as scalar from the verifier safety pov.
> - * No further pointer walking is allowed.
I preserved this comment (with slight rewording to make sense in a
combined check context). Applied to bpf-next, thanks.
> - */
> - return true;
> -
> - if (is_int_ptr(btf, t))
> + if (is_void_or_int_ptr(btf, t))
> return true;
>
> /* this is a pointer to another type */
> --
> 2.43.0
>
Powered by blists - more mailing lists