lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEf4Bzam8yp9ciDDY0jye+zE1jM-sbe1+LSjby9ChRvWbeXmbw@mail.gmail.com>
Date:   Mon, 23 Dec 2019 12:05:40 -0800
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Martin KaFai Lau <kafai@...com>
Cc:     bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        David Miller <davem@...emloft.net>,
        Kernel Team <kernel-team@...com>,
        Networking <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next v2 04/11] bpf: Support bitfield read access in btf_struct_access

On Fri, Dec 20, 2019 at 10:26 PM Martin KaFai Lau <kafai@...com> wrote:
>
> This patch allows bitfield access as a scalar.
>
> Signed-off-by: Martin KaFai Lau <kafai@...com>
> ---
>  kernel/bpf/btf.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 6e652643849b..da73b63acfc5 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -3744,10 +3744,6 @@ int btf_struct_access(struct bpf_verifier_log *log,
>         }
>
>         for_each_member(i, t, member) {
> -               if (btf_member_bitfield_size(t, member))
> -                       /* bitfields are not supported yet */
> -                       continue;
> -
>                 /* offset of the field in bytes */
>                 moff = btf_member_bit_offset(t, member) / 8;
>                 if (off + size <= moff)
> @@ -3757,6 +3753,12 @@ int btf_struct_access(struct bpf_verifier_log *log,
>                 if (off < moff)
>                         continue;
>
> +               if (btf_member_bitfield_size(t, member)) {
> +                       if (off == moff && off + size <= t->size)
> +                               return SCALAR_VALUE;
> +                       continue;
> +               }

Shouldn't this check be done before (off < moff) above?

Imagine this situation:

struct {
  int :16;
  int x:8;
};

Compiler will generate 4-byte load with offset 0, and then bit shifts
to extract third byte. From kernel perspective, you'll see that off=0,
but moff=2, which will get skipped.

So there are two problems, I think:
1. if member is bitfield, special handle that before (off < moff) case.
2. off == moff is too precise, I think it should be `off <= moff`, but
also check that it covers entire bitfield, e.g.:

  (off + size) * 8 >= btf_member_bit_offset(t, member) +
btf_member_bitfield_size(t, member)

Make sense or am I missing anything?

> +
>                 /* type of the field */
>                 mtype = btf_type_by_id(btf_vmlinux, member->type);
>                 mname = __btf_name_by_offset(btf_vmlinux, member->name_off);
> --
> 2.17.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ