| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190405200736.ba2mzz42y7pecpsm@kafai-mbp.dhcp.thefacebook.com>
Date: Fri, 5 Apr 2019 20:07:38 +0000
From: Martin Lau <kafai@...com>
To: Stanislav Fomichev <sdf@...gle.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"ast@...nel.org" <ast@...nel.org>,
"daniel@...earbox.net" <daniel@...earbox.net>
Subject: Re: [PATCH bpf-next 1/3] bpf: support input __sk_buff context in
BPF_PROG_TEST_RUN
On Thu, Apr 04, 2019 at 11:51:31AM -0700, Stanislav Fomichev wrote:
> Add new set of arguments to bpf_attr for BPF_PROG_TEST_RUN:
> * ctx_in/ctx_size_in - input context
> * ctx_out/ctx_size_out - output context
>
> The intended use case is to pass some meta data to the test runs that
> operate on skb (this has being brought up on recent LPC).
>
> For programs that use bpf_prog_test_run_skb, support __sk_buff input and
> output. Initially, from input __sk_buff, copy _only_ cb and priority into
> skb, all other non-zero fields are prohibited (with EINVAL).
> If the user has set ctx_out/ctx_size_out, copy the potentially modified
> __sk_buff back to the userspace.
>
> We require all fields of input __sk_buff except the ones we explicitly
> support to be set to zero. The expectation is that in the future we might
> add support for more fields and we want to fail explicitly if the user
> runs the program on the kernel where we don't yet support them.
>
> The API is intentionally vague (i.e. we don't explicitly add __sk_buff
> to bpf_attr, but ctx_in) to potentially let other test_run types use
> this interface in the future (this can be xdp_md for xdp types for
> example).
>
> Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
> ---
> include/uapi/linux/bpf.h | 7 +++
> kernel/bpf/syscall.c | 2 +-
> net/bpf/test_run.c | 133 +++++++++++++++++++++++++++++++++++++--
> 3 files changed, 136 insertions(+), 6 deletions(-)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index 837024512baf..8e96f99cebf8 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -396,6 +396,13 @@ union bpf_attr {
> __aligned_u64 data_out;
> __u32 repeat;
> __u32 duration;
> + __u32 ctx_size_in; /* input: len of ctx_in */
> + __u32 ctx_size_out; /* input/output: len of ctx_out
> + * returns ENOSPC if ctx_out
> + * is too small.
> + */
> + __aligned_u64 ctx_in;
> + __aligned_u64 ctx_out;
> } test;
>
> struct { /* anonymous struct used by BPF_*_GET_*_ID */
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 1d65e56594db..4ad754e2943a 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1949,7 +1949,7 @@ static int bpf_prog_query(const union bpf_attr *attr,
> return cgroup_bpf_prog_query(attr, uattr);
> }
>
> -#define BPF_PROG_TEST_RUN_LAST_FIELD test.duration
> +#define BPF_PROG_TEST_RUN_LAST_FIELD test.ctx_out
>
> static int bpf_prog_test_run(const union bpf_attr *attr,
> union bpf_attr __user *uattr)
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index fab142b796ef..593912a66d64 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -123,12 +123,121 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size,
> return data;
> }
>
> +static void *bpf_ctx_init(const union bpf_attr *kattr, u32 max_size)
> +{
> + void __user *data_in = u64_to_user_ptr(kattr->test.ctx_in);
> + u32 size = kattr->test.ctx_size_in;
> + void *data;
> +
> + if ((kattr->test.ctx_size_in && !kattr->test.ctx_in) ||
> + (!kattr->test.ctx_size_in && kattr->test.ctx_in))
> + return ERR_PTR(-EINVAL);
> +
> + if ((kattr->test.ctx_size_out && !kattr->test.ctx_out) ||
> + (!kattr->test.ctx_size_out && kattr->test.ctx_out))
> + return ERR_PTR(-EINVAL);
These attr checks belong to bpf_prog_test_run() in syscall.c.
> +
> + if (!size)
> + return NULL;
> +
> + if (size > max_size)
Not allowed even the tailing (size - max_size) bytes are zero?
> + return ERR_PTR(-EINVAL);
The convention should be -E2BIG if the userspace passed in something bigger
with tailing non-zero that the kernel cannot understand.
> +
> + data = kzalloc(max_size, GFP_USER);
> + if (!data)
> + return ERR_PTR(-ENOMEM);
> +
> + if (copy_from_user(data, data_in, size)) {
> + kfree(data);
> + return ERR_PTR(-EFAULT);
> + }
> + return data;
> +}
> +
> +static int bpf_ctx_finish(const union bpf_attr *kattr,
> + union bpf_attr __user *uattr, const void *data,
> + u32 size)
> +{
> + void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out);
> + u32 copy_size = size;
Is the "u32 copy_size = size;" needed?
I don't see "size" is changed.
> +
> + if (!kattr->test.ctx_size_out)
> + return 0;
> +
> + if (copy_size > kattr->test.ctx_size_out)
If I read both bpf_ctx_init() and btf_ctx_finish() correctly,
the kattr->test.ctx_size_in (input) can be smaller than
sizeof(struct __sk_buff) but the kattr->test.ctx_size_out (output)
cannot be smaller than sizeof(struct __sk_buff)?
> + return -ENOSPC;
> +
> + if (data_out && copy_to_user(data_out, data, copy_size))
"data_out" check is not needed.
> + return -EFAULT;
> + if (copy_to_user(&uattr->test.ctx_size_out, &size, sizeof(size)))
> + return -EFAULT;
> +
> + return 0;
> +}
> +
> +/**
> + * range_is_zero - test whether buffer is initialized
> + * @buf: buffer to check
> + * @from: check from this position
> + * @to: check up until (excluding) this position
> + *
> + * This function returns true if the there is a non-zero byte
> + * in the buf in the range [from,to).
> + */
> +static inline bool range_is_zero(void *buf, size_t from, size_t to)
> +{
> + return !memchr_inv((u8 *)buf + from, 0, to - from);
> +}
> +
> +static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
> +{
> + struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
> +
> + if (!__skb)
> + return 0;
> +
> + /* make sure the fields we don't use are zeroed */
> + if (!range_is_zero(__skb, 0, offsetof(struct __sk_buff, priority)))
> + return -EINVAL;
> +
> + /* priority is allowed */
> +
> + if (!range_is_zero(__skb, offsetof(struct __sk_buff, priority) +
> + FIELD_SIZEOF(struct __sk_buff, priority),
> + offsetof(struct __sk_buff, cb)))
> + return -EINVAL;
> +
> + /* cb is allowed */
> +
> + if (!range_is_zero(__skb, offsetof(struct __sk_buff, cb) +
> + FIELD_SIZEOF(struct __sk_buff, cb),
> + sizeof(struct __sk_buff)))
> + return -EINVAL;
> +
> + skb->priority = __skb->priority;
> + memcpy(&cb->data, __skb->cb, QDISC_CB_PRIV_LEN);
> +
> + return 0;
> +}
> +
> +static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb)
> +{
> + struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
> +
> + if (!__skb)
> + return;
> +
> + __skb->priority = skb->priority;
> + memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
> +}
> +
> int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> union bpf_attr __user *uattr)
> {
> bool is_l2 = false, is_direct_pkt_access = false;
> u32 size = kattr->test.data_size_in;
> u32 repeat = kattr->test.repeat;
> + struct __sk_buff *ctx = NULL;
> u32 retval, duration;
> int hh_len = ETH_HLEN;
> struct sk_buff *skb;
> @@ -141,6 +250,12 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> if (IS_ERR(data))
> return PTR_ERR(data);
>
> + ctx = bpf_ctx_init(kattr, sizeof(struct __sk_buff));
> + if (IS_ERR(ctx)) {
> + kfree(data);
> + return PTR_ERR(ctx);
> + }
> +
> switch (prog->type) {
> case BPF_PROG_TYPE_SCHED_CLS:
> case BPF_PROG_TYPE_SCHED_ACT:
> @@ -158,6 +273,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> sk = kzalloc(sizeof(struct sock), GFP_USER);
> if (!sk) {
> kfree(data);
> + kfree(ctx);
> return -ENOMEM;
> }
> sock_net_set(sk, current->nsproxy->net_ns);
> @@ -166,6 +282,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> skb = build_skb(data, 0);
> if (!skb) {
> kfree(data);
> + kfree(ctx);
> kfree(sk);
> return -ENOMEM;
> }
> @@ -180,12 +297,12 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> __skb_push(skb, hh_len);
> if (is_direct_pkt_access)
> bpf_compute_data_pointers(skb);
> + ret = convert___skb_to_skb(skb, ctx);
> + if (ret)
> + goto out;
> ret = bpf_test_run(prog, skb, repeat, &retval, &duration);
> - if (ret) {
> - kfree_skb(skb);
> - kfree(sk);
> - return ret;
> - }
> + if (ret)
> + goto out;
> if (!is_l2) {
> if (skb_headroom(skb) < hh_len) {
> int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb));
I think the following needs kfree(ctx) also (or goto out).
Copying the context here:
if (pskb_expand_head(skb, nhead, 0, GFP_USER)) {
kfree_skb(skb);
kfree(sk);
return -ENOMEM;
}
> @@ -198,14 +315,20 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> }
> memset(__skb_push(skb, hh_len), 0, hh_len);
> }
> + convert_skb_to___skb(skb, ctx);
>
> size = skb->len;
> /* bpf program can never convert linear skb to non-linear */
> if (WARN_ON_ONCE(skb_is_nonlinear(skb)))
> size = skb_headlen(skb);
> ret = bpf_test_finish(kattr, uattr, skb->data, size, retval, duration);
> + if (!ret)
> + ret = bpf_ctx_finish(kattr, uattr, ctx,
> + sizeof(struct __sk_buff));
> +out:
> kfree_skb(skb);
> kfree(sk);
> + kfree(ctx);
> return ret;
> }
>
> --
> 2.21.0.392.gf8f6787159e-goog
>
Powered by blists - more mailing lists