| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 May 2019 10:45:53 +0100
From: Lorenz Bauer <lmb@...udflare.com>
To: Andrii Nakryiko <andriin@...com>
Cc: andrii.nakryiko@...il.com, netdev@...r.kernel.org,
bpf@...r.kernel.org, Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...com>, yhs@...com
Subject: Re: [PATCH bpf] libbpf: detect supported kernel BTF features and
sanitize BTF
On Fri, 10 May 2019 at 05:37, Andrii Nakryiko <andriin@...com> wrote:
>
> Depending on used versions of libbpf, Clang, and kernel, it's possible to
> have valid BPF object files with valid BTF information, that still won't
> load successfully due to Clang emitting newer BTF features (e.g.,
> BTF_KIND_FUNC, .BTF.ext's line_info/func_info, BTF_KIND_DATASEC, etc), that
> are not yet supported by older kernel.
For sys_bpf, we ignore a zero tail in struct bpf_attr, which gives us
backwards / forwards compatibility
as long as the user doesn't use the new fields.
Do we need a similar mechanism for BTF? Is it possible to discard
unknown types at load time?
>
> This patch adds detection of BTF features and sanitizes BPF object's BTF
> by substituting various supported BTF kinds, which have compatible layout:
> - BTF_KIND_FUNC -> BTF_KIND_TYPEDEF
> - BTF_KIND_FUNC_PROTO -> BTF_KIND_ENUM
> - BTF_KIND_VAR -> BTF_KIND_INT
> - BTF_KIND_DATASEC -> BTF_KIND_STRUCT
>
> Replacement is done in such a way as to preserve as much information as
> possible (names, sizes, etc) where possible without violating kernel's
> validation rules.
>
> Reported-by: Alexei Starovoitov <ast@...com>
> Signed-off-by: Andrii Nakryiko <andriin@...com>
> ---
> tools/lib/bpf/libbpf.c | 185 ++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 184 insertions(+), 1 deletion(-)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 11a65db4b93f..0813c4ad5d11 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -128,6 +128,10 @@ struct bpf_capabilities {
> __u32 name:1;
> /* v5.2: kernel support for global data sections. */
> __u32 global_data:1;
> + /* BTF_KIND_FUNC and BTF_KIND_FUNC_PROTO support */
> + __u32 btf_func:1;
> + /* BTF_KIND_VAR and BTF_KIND_DATASEC support */
> + __u32 btf_datasec:1;
> };
>
> /*
> @@ -1021,6 +1025,81 @@ static bool section_have_execinstr(struct bpf_object *obj, int idx)
> return false;
> }
>
> +static void bpf_object__sanitize_btf(struct bpf_object *obj)
> +{
> +#define BTF_INFO_ENC(kind, kind_flag, vlen) \
> + ((!!(kind_flag) << 31) | ((kind) << 24) | ((vlen) & BTF_MAX_VLEN))
> +#define BTF_INT_ENC(encoding, bits_offset, nr_bits) \
> + ((encoding) << 24 | (bits_offset) << 16 | (nr_bits))
> +
> + bool has_datasec = obj->caps.btf_datasec;
> + bool has_func = obj->caps.btf_func;
> + struct btf *btf = obj->btf;
> + struct btf_type *t;
> + int i, j, vlen;
> + __u16 kind;
> +
> + if (!obj->btf || (has_func && has_datasec))
> + return;
> +
> + for (i = 1; i <= btf__get_nr_types(btf); i++) {
> + t = (struct btf_type *)btf__type_by_id(btf, i);
> + kind = BTF_INFO_KIND(t->info);
> +
> + if (!has_datasec && kind == BTF_KIND_VAR) {
> + /* replace VAR with INT */
> + t->info = BTF_INFO_ENC(BTF_KIND_INT, 0, 0);
> + t->size = sizeof(int);
> + *(int *)(t+1) = BTF_INT_ENC(0, 0, 32);
> + } else if (!has_datasec && kind == BTF_KIND_DATASEC) {
> + /* replace DATASEC with STRUCT */
> + struct btf_var_secinfo *v = (void *)(t + 1);
> + struct btf_member *m = (void *)(t + 1);
> + struct btf_type *vt;
> + char *name;
> +
> + name = (char *)btf__name_by_offset(btf, t->name_off);
> + while (*name) {
> + if (*name == '.')
> + *name = '_';
> + name++;
> + }
> +
> + vlen = BTF_INFO_VLEN(t->info);
> + t->info = BTF_INFO_ENC(BTF_KIND_STRUCT, 0, vlen);
> + for (j = 0; j < vlen; j++, v++, m++) {
> + /* order of field assignments is important */
> + m->offset = v->offset * 8;
> + m->type = v->type;
> + /* preserve variable name as member name */
> + vt = (void *)btf__type_by_id(btf, v->type);
> + m->name_off = vt->name_off;
> + }
> + } else if (!has_func && kind == BTF_KIND_FUNC_PROTO) {
> + /* replace FUNC_PROTO with ENUM */
> + vlen = BTF_INFO_VLEN(t->info);
> + t->info = BTF_INFO_ENC(BTF_KIND_ENUM, 0, vlen);
> + t->size = sizeof(__u32); /* kernel enforced */
> + } else if (!has_func && kind == BTF_KIND_FUNC) {
> + /* replace FUNC with TYPEDEF */
> + t->info = BTF_INFO_ENC(BTF_KIND_TYPEDEF, 0, 0);
> + }
> + }
> +#undef BTF_INFO_ENC
> +#undef BTF_INT_ENC
> +}
> +
> +static void bpf_object__sanitize_btf_ext(struct bpf_object *obj)
> +{
> + if (!obj->btf_ext)
> + return;
> +
> + if (!obj->caps.btf_func) {
> + btf_ext__free(obj->btf_ext);
> + obj->btf_ext = NULL;
> + }
> +}
> +
> static int bpf_object__elf_collect(struct bpf_object *obj, int flags)
> {
> Elf *elf = obj->efile.elf;
> @@ -1164,8 +1243,10 @@ static int bpf_object__elf_collect(struct bpf_object *obj, int flags)
> obj->btf = NULL;
> } else {
> err = btf__finalize_data(obj, obj->btf);
> - if (!err)
> + if (!err) {
> + bpf_object__sanitize_btf(obj);
> err = btf__load(obj->btf);
> + }
> if (err) {
> pr_warning("Error finalizing and loading %s into kernel: %d. Ignored and continue.\n",
> BTF_ELF_SEC, err);
> @@ -1187,6 +1268,8 @@ static int bpf_object__elf_collect(struct bpf_object *obj, int flags)
> BTF_EXT_ELF_SEC,
> PTR_ERR(obj->btf_ext));
> obj->btf_ext = NULL;
> + } else {
> + bpf_object__sanitize_btf_ext(obj);
> }
> }
> }
> @@ -1556,12 +1639,112 @@ bpf_object__probe_global_data(struct bpf_object *obj)
> return 0;
> }
>
> +static int try_load_btf(const char *raw_types, size_t types_len,
> + const char *str_sec, size_t str_len)
> +{
> + char buf[1024];
> + struct btf_header hdr = {
> + .magic = BTF_MAGIC,
> + .version = BTF_VERSION,
> + .hdr_len = sizeof(struct btf_header),
> + .type_len = types_len,
> + .str_off = types_len,
> + .str_len = str_len,
> + };
> + int btf_fd, btf_len;
> + __u8 *raw_btf;
> +
> + btf_len = hdr.hdr_len + hdr.type_len + hdr.str_len;
> + raw_btf = malloc(btf_len);
> + if (!raw_btf)
> + return -ENOMEM;
> +
> + memcpy(raw_btf, &hdr, sizeof(hdr));
> + memcpy(raw_btf + hdr.hdr_len, raw_types, hdr.type_len);
> + memcpy(raw_btf + hdr.hdr_len + hdr.type_len, str_sec, hdr.str_len);
> +
> + btf_fd = bpf_load_btf(raw_btf, btf_len, buf, 1024, 0);
> + if (btf_fd < 0) {
> + free(raw_btf);
> + return 0;
> + }
> +
> + close(btf_fd);
> + free(raw_btf);
> + return 1;
> +}
> +
> +#define BTF_INFO_ENC(kind, kind_flag, vlen) \
> + ((!!(kind_flag) << 31) | ((kind) << 24) | ((vlen) & BTF_MAX_VLEN))
> +#define BTF_TYPE_ENC(name, info, size_or_type) (name), (info), (size_or_type)
> +#define BTF_INT_ENC(encoding, bits_offset, nr_bits) \
> + ((encoding) << 24 | (bits_offset) << 16 | (nr_bits))
> +#define BTF_TYPE_INT_ENC(name, encoding, bits_offset, bits, sz) \
> + BTF_TYPE_ENC(name, BTF_INFO_ENC(BTF_KIND_INT, 0, 0), sz), \
> + BTF_INT_ENC(encoding, bits_offset, bits)
> +#define BTF_PARAM_ENC(name, type) (name), (type)
> +#define BTF_VAR_SECINFO_ENC(type, offset, size) (type), (offset), (size)
> +static int bpf_object__probe_btf_func(struct bpf_object *obj)
> +{
> + const char strs[] = "\0int\0x\0a";
> + /* void x(int a) {} */
> + __u32 types[] = {
> + /* int */
> + BTF_TYPE_INT_ENC(1, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
> + /* FUNC_PROTO */ /* [2] */
> + BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_FUNC_PROTO, 0, 1), 0),
> + BTF_PARAM_ENC(7, 1),
> + /* FUNC x */ /* [3] */
> + BTF_TYPE_ENC(5, BTF_INFO_ENC(BTF_KIND_FUNC, 0, 0), 2),
> + };
> + int res;
> +
> + res = try_load_btf((char *)types, sizeof(types), strs, sizeof(strs));
> + if (res < 0)
> + return res;
> + if (res > 0)
> + obj->caps.btf_func = 1;
> + return 0;
> +}
> +
> +static int bpf_object__probe_btf_datasec(struct bpf_object *obj)
> +{
> + const char strs[] = "\0x\0.data";
> + /* static int a; */
> + __u32 types[] = {
> + /* int */
> + BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
> + /* VAR x */ /* [2] */
> + BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_VAR, 0, 0), 1),
> + BTF_VAR_STATIC,
> + /* DATASEC val */ /* [3] */
> + BTF_TYPE_ENC(3, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 1), 4),
> + BTF_VAR_SECINFO_ENC(2, 0, 4),
> + };
> + int res;
> +
> + res = try_load_btf((char *)&types, sizeof(types), strs, sizeof(strs));
> + if (res < 0)
> + return res;
> + if (res > 0)
> + obj->caps.btf_datasec = 1;
> + return 0;
> +}
> +#undef BTF_INFO_ENC
> +#undef BTF_TYPE_ENC
> +#undef BTF_INT_ENC
> +#undef BTF_TYPE_INT_ENC
> +#undef BTF_PARAM_ENC
> +#undef BTF_VAR_SECINFO_ENC
> +
> static int
> bpf_object__probe_caps(struct bpf_object *obj)
> {
> int (*probe_fn[])(struct bpf_object *obj) = {
> bpf_object__probe_name,
> bpf_object__probe_global_data,
> + bpf_object__probe_btf_func,
> + bpf_object__probe_btf_datasec,
> };
> int i, ret;
>
> --
> 2.17.1
>
--
Lorenz Bauer | Systems Engineer
25 Lavington St., London SE1 0NZ
www.cloudflare.com
Powered by blists - more mailing lists