lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed,  6 May 2020 15:29:42 +0200
From:   Jiri Olsa <jolsa@...nel.org>
To:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org,
        Yonghong Song <yhs@...com>, Martin KaFai Lau <kafai@...com>,
        David Miller <davem@...hat.com>,
        John Fastabend <john.fastabend@...il.com>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        Wenbo Zhang <ethercflow@...il.com>,
        KP Singh <kpsingh@...omium.org>,
        Andrii Nakryiko <andriin@...com>, bgregg@...flix.com,
        Florent Revest <revest@...omium.org>,
        Al Viro <viro@...iv.linux.org.uk>
Subject: [PATCH 5/9] bpf: Add support to check on BTF id whitelist for d_path helper

The BPF helper whitelist checking works as follows:

  - helper's whitelist is defined as list of functions in file:
    kernel/bpf/helpers-whitelist/helper

  - at vmlinux linking time, the bpfwl tool reads the whitelist
    and translates functions into BTF IDs, which are compiled as
    following data section into vmlinux object:

      .BTF_whitelist
          BTF_whitelist_<helper1>
          BTF_whitelist_<helper2>
          BTF_whitelist_<helper3>

    Each BTF_whitelist_<helperX> data is a sorted array of BTF ids.

  - new 'allowed' function is added to 'struct bpf_func_proto',
    which is used by verifier code to check (if defined) on whether
    the helper is called from allowed function (from whitelist).

Currently it's needed and implemented only for d_path helper,
but it's easy to add for another helper.

Signed-off-by: Jiri Olsa <jolsa@...nel.org>
---
 include/asm-generic/vmlinux.lds.h |  5 +++++
 include/linux/bpf.h               |  1 +
 kernel/bpf/verifier.c             |  5 +++++
 kernel/trace/bpf_trace.c          | 23 +++++++++++++++++++++++
 4 files changed, 34 insertions(+)

diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 71e387a5fe90..6f7ca4f36ed7 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -631,6 +631,11 @@
 		__start_BTF = .;					\
 		*(.BTF)							\
 		__stop_BTF = .;						\
+	}								\
+	.BTF_whitelist : AT(ADDR(.BTF_whitelist) - LOAD_OFFSET) {	\
+		__start_BTF_whitelist_d_path = .;			\
+		*(.BTF_whitelist_d_path)				\
+		__stop_BTF_whitelist_d_path = .;			\
 	}
 #else
 #define BTF
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index bc589cdd8c34..ccacf488429f 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -275,6 +275,7 @@ struct bpf_func_proto {
 		enum bpf_arg_type arg_type[5];
 	};
 	int *btf_id; /* BTF ids of arguments */
+	bool (*allowed)(const struct bpf_prog *prog);
 };
 
 /* bpf_context is intentionally undefined structure. Pointer to bpf_context is
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b988df5ada20..55995de954a0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4525,6 +4525,11 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
 		return -EINVAL;
 	}
 
+	if (fn->allowed && !fn->allowed(env->prog)) {
+		verbose(env, "helper call is not allowed in probe\n");
+		return -EINVAL;
+	}
+
 	/* With LD_ABS/IND some JITs save/restore skb from r1. */
 	changes_data = bpf_helper_changes_pkt_data(fn->func);
 	if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 3097ab04bdc4..55682d610534 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -13,6 +13,7 @@
 #include <linux/kprobes.h>
 #include <linux/syscalls.h>
 #include <linux/error-injection.h>
+#include <linux/bsearch.h>
 
 #include <asm/tlb.h>
 
@@ -797,6 +798,27 @@ BPF_CALL_3(bpf_d_path, struct path *, path, char *, buf, u32, sz)
 	return len;
 }
 
+extern char __weak __start_BTF_whitelist_d_path[];
+extern char __weak __stop_BTF_whitelist_d_path[];
+
+static int btf_id_cmp_func(const void *a, const void *b)
+{
+	const unsigned long *pa = a;
+	const unsigned long *pb = b;
+
+	return *pa - *pb;
+}
+
+static bool bpf_d_path_allowed(const struct bpf_prog *prog)
+{
+	unsigned long *start = (unsigned long *) __start_BTF_whitelist_d_path;
+	unsigned long *stop  = (unsigned long *) __stop_BTF_whitelist_d_path;
+	unsigned long id = prog->aux->attach_btf_id;
+
+	return bsearch(&id, start, stop - start, sizeof(unsigned long),
+		       btf_id_cmp_func) != NULL;
+}
+
 static u32 bpf_d_path_btf_ids[3];
 static const struct bpf_func_proto bpf_d_path_proto = {
 	.func		= bpf_d_path,
@@ -806,6 +828,7 @@ static const struct bpf_func_proto bpf_d_path_proto = {
 	.arg2_type	= ARG_PTR_TO_MEM,
 	.arg3_type	= ARG_CONST_SIZE,
 	.btf_id		= bpf_d_path_btf_ids,
+	.allowed	= bpf_d_path_allowed,
 };
 
 const struct bpf_func_proto *
-- 
2.25.4

Powered by blists - more mailing lists