lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 8 Jan 2020 12:20:44 -0800
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Song Liu <songliubraving@...com>
Cc:     Alexei Starovoitov <ast@...nel.org>,
        David Miller <davem@...emloft.net>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        Kernel Team <Kernel-team@...com>
Subject: Re: [PATCH bpf-next 3/6] bpf: Introduce function-by-function
 verification

On Wed, Jan 08, 2020 at 07:10:59PM +0000, Song Liu wrote:
> 
> 
> > On Jan 7, 2020, at 11:25 PM, Alexei Starovoitov <ast@...nel.org> wrote:
> > 
> > New llvm and old llvm with libbpf help produce BTF that distinguish global and
> > static functions. Unlike arguments of static function the arguments of global
> > functions cannot be removed or optimized away by llvm. The compiler has to use
> > exactly the arguments specified in a function prototype. The argument type
> > information allows the verifier validate each global function independently.
> > For now only supported argument types are pointer to context and scalars. In
> > the future pointers to structures, sizes, pointer to packet data can be
> > supported as well. Consider the following example:
> 
> [...]
> 
> > The type information and static/global kind is preserved after the verification
> > hence in the above example global function f2() and f3() can be replaced later
> > by equivalent functions with the same types that are loaded and verified later
> > without affecting safety of this main() program. Such replacement (re-linking)
> > of global functions is a subject of future patches.
> > 
> > Signed-off-by: Alexei Starovoitov <ast@...nel.org>
> > ---
> > include/linux/bpf.h          |   7 +-
> > include/linux/bpf_verifier.h |   7 +-
> > include/uapi/linux/btf.h     |   6 +
> > kernel/bpf/btf.c             | 147 +++++++++++++++++-----
> > kernel/bpf/verifier.c        | 228 +++++++++++++++++++++++++++--------
> > 5 files changed, 317 insertions(+), 78 deletions(-)
> > 
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index b14e51d56a82..ceb5b6c13abc 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -558,6 +558,7 @@ static inline void bpf_dispatcher_change_prog(struct bpf_dispatcher *d,
> > #endif
> > 
> > struct bpf_func_info_aux {
> > +	u32 linkage;
> 
> How about we use u16 or even u8 for linkage? We are using BTF_INFO_VLEN() which 
> is 16-bit long. Maybe we should save some bits for future extensions?

sure. u16 is fine.
Will also introduce btf_func_kind() helper to avoid misleading BTF_INFO_VLEN macro.

> > -int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog)
> > +/* Compare BTF of a function with given bpf_reg_state */
> > +int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog,
> > +			     struct bpf_reg_state *reg)
> 
> I think we need more comments for the retval of btf_check_func_arg_match().

sure.

> > {
> > -	struct bpf_verifier_state *st = env->cur_state;
> > -	struct bpf_func_state *func = st->frame[st->curframe];
> > -	struct bpf_reg_state *reg = func->regs;
> > 	struct bpf_verifier_log *log = &env->log;
> > 	struct bpf_prog *prog = env->prog;
> > 	struct btf *btf = prog->aux->btf;
> [...]
> > +
> > +/* Convert BTF of a function into bpf_reg_state if possible */
> > +int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog,
> > +			  struct bpf_reg_state *reg)
> > +{
> > +	struct bpf_verifier_log *log = &env->log;
> > +	struct bpf_prog *prog = env->prog;
> > +	struct btf *btf = prog->aux->btf;
> > +	const struct btf_param *args;
> > +	const struct btf_type *t;
> > +	u32 i, nargs, btf_id;
> > +	const char *tname;
> > +
> > +	if (!prog->aux->func_info ||
> > +	    prog->aux->func_info_aux[subprog].linkage != BTF_FUNC_GLOBAL) {
> > +		bpf_log(log, "Verifier bug\n");
> 
> IIUC, this should never happen? Maybe we need more details in the log, and 
> maybe also WARN_ONCE()?

Should never happen and I think it's pretty clear from the diff, since
this function is called after == FUNC_GLOBAL check in the caller.
I didn't add WARN to avoid wasting .text even more here.
Single 'if' above already feels a bit overly defensive.
It's not like other cases in the verifier where we have WARN_ONCE.
Those are for complex things. Here it's one callsite and trivial control flow.

> > +	if (prog->aux->func_info_aux[subprog].unreliable) {
> > +		bpf_log(log, "Verifier bug in function %s()\n", tname);
> > +		return -EFAULT;
> 
> Why -EFAULT instead of -EINVAL? I think we treat them the same? 

EFAULT is a verifier bug like in all other places in the verifier
where EFAULT is returned. EINVAL is normal error.

Powered by blists - more mailing lists