lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 6 May 2020 10:38:24 -0700
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Yonghong Song <yhs@...com>
Cc:     Andrii Nakryiko <andriin@...com>, bpf <bpf@...r.kernel.org>,
        Martin KaFai Lau <kafai@...com>,
        Networking <netdev@...r.kernel.org>,
        Alexei Starovoitov <ast@...com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Kernel Team <kernel-team@...com>
Subject: Re: [PATCH bpf-next v2 14/20] bpf: handle spilled PTR_TO_BTF_ID
 properly when checking stack_boundary

On Sun, May 3, 2020 at 11:28 PM Yonghong Song <yhs@...com> wrote:
>
> This specifically to handle the case like below:
>    // ptr below is a socket ptr identified by PTR_TO_BTF_ID
>    u64 param[2] = { ptr, val };
>    bpf_seq_printf(seq, fmt, sizeof(fmt), param, sizeof(param));
>
> In this case, the 16 bytes stack for "param" contains:
>    8 bytes for ptr with spilled PTR_TO_BTF_ID
>    8 bytes for val as STACK_MISC
>
> The current verifier will complain the ptr should not be visible
> to the helper.
>    ...
>    16: (7b) *(u64 *)(r10 -64) = r2
>    18: (7b) *(u64 *)(r10 -56) = r1
>    19: (bf) r4 = r10
>    ;
>    20: (07) r4 += -64
>    ; BPF_SEQ_PRINTF(seq, fmt1, (long)s, s->sk_protocol);
>    21: (bf) r1 = r6
>    22: (18) r2 = 0xffffa8d00018605a
>    24: (b4) w3 = 10
>    25: (b4) w5 = 16
>    26: (85) call bpf_seq_printf#125
>     R0=inv(id=0) R1_w=ptr_seq_file(id=0,off=0,imm=0)
>     R2_w=map_value(id=0,off=90,ks=4,vs=144,imm=0) R3_w=inv10
>     R4_w=fp-64 R5_w=inv16 R6=ptr_seq_file(id=0,off=0,imm=0)
>     R7=ptr_netlink_sock(id=0,off=0,imm=0) R10=fp0 fp-56_w=mmmmmmmm
>     fp-64_w=ptr_
>    last_idx 26 first_idx 13
>    regs=8 stack=0 before 25: (b4) w5 = 16
>    regs=8 stack=0 before 24: (b4) w3 = 10
>    invalid indirect read from stack off -64+0 size 16
>
> Let us permit this if the program is a tracing/iter program.
>
> Signed-off-by: Yonghong Song <yhs@...com>
> ---

LGTM, but I wonder why enabling this only for iterator programs?

Acked-by: Andrii Nakryiko <andriin@...com>


>  kernel/bpf/verifier.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 36b2a38a06fe..4884b6fd7bad 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3494,6 +3494,14 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
>                         *stype = STACK_MISC;
>                         goto mark;
>                 }
> +
> +               /* pointer value can be visible to tracing/iter program */
> +               if (env->prog->type == BPF_PROG_TYPE_TRACING &&
> +                   env->prog->expected_attach_type == BPF_TRACE_ITER &&

What's the problem allowing this for all program types?

> +                   state->stack[spi].slot_type[0] == STACK_SPILL &&
> +                   state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID)
> +                       goto mark;
> +
>                 if (state->stack[spi].slot_type[0] == STACK_SPILL &&
>                     state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
>                         __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
> --
> 2.24.1
>

Powered by blists - more mailing lists