lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 6 May 2020 14:47:04 -0700
From:   Yonghong Song <yhs@...com>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
CC:     Andrii Nakryiko <andriin@...com>, bpf <bpf@...r.kernel.org>,
        Martin KaFai Lau <kafai@...com>,
        Networking <netdev@...r.kernel.org>,
        Alexei Starovoitov <ast@...com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Kernel Team <kernel-team@...com>
Subject: Re: [PATCH bpf-next v2 14/20] bpf: handle spilled PTR_TO_BTF_ID
 properly when checking stack_boundary



On 5/6/20 10:38 AM, Andrii Nakryiko wrote:
> On Sun, May 3, 2020 at 11:28 PM Yonghong Song <yhs@...com> wrote:
>>
>> This specifically to handle the case like below:
>>     // ptr below is a socket ptr identified by PTR_TO_BTF_ID
>>     u64 param[2] = { ptr, val };
>>     bpf_seq_printf(seq, fmt, sizeof(fmt), param, sizeof(param));
>>
>> In this case, the 16 bytes stack for "param" contains:
>>     8 bytes for ptr with spilled PTR_TO_BTF_ID
>>     8 bytes for val as STACK_MISC
>>
>> The current verifier will complain the ptr should not be visible
>> to the helper.
>>     ...
>>     16: (7b) *(u64 *)(r10 -64) = r2
>>     18: (7b) *(u64 *)(r10 -56) = r1
>>     19: (bf) r4 = r10
>>     ;
>>     20: (07) r4 += -64
>>     ; BPF_SEQ_PRINTF(seq, fmt1, (long)s, s->sk_protocol);
>>     21: (bf) r1 = r6
>>     22: (18) r2 = 0xffffa8d00018605a
>>     24: (b4) w3 = 10
>>     25: (b4) w5 = 16
>>     26: (85) call bpf_seq_printf#125
>>      R0=inv(id=0) R1_w=ptr_seq_file(id=0,off=0,imm=0)
>>      R2_w=map_value(id=0,off=90,ks=4,vs=144,imm=0) R3_w=inv10
>>      R4_w=fp-64 R5_w=inv16 R6=ptr_seq_file(id=0,off=0,imm=0)
>>      R7=ptr_netlink_sock(id=0,off=0,imm=0) R10=fp0 fp-56_w=mmmmmmmm
>>      fp-64_w=ptr_
>>     last_idx 26 first_idx 13
>>     regs=8 stack=0 before 25: (b4) w5 = 16
>>     regs=8 stack=0 before 24: (b4) w3 = 10
>>     invalid indirect read from stack off -64+0 size 16
>>
>> Let us permit this if the program is a tracing/iter program.
>>
>> Signed-off-by: Yonghong Song <yhs@...com>
>> ---
> 
> LGTM, but I wonder why enabling this only for iterator programs?
> 
> Acked-by: Andrii Nakryiko <andriin@...com>
> 
> 
>>   kernel/bpf/verifier.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 36b2a38a06fe..4884b6fd7bad 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3494,6 +3494,14 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
>>                          *stype = STACK_MISC;
>>                          goto mark;
>>                  }
>> +
>> +               /* pointer value can be visible to tracing/iter program */
>> +               if (env->prog->type == BPF_PROG_TYPE_TRACING &&
>> +                   env->prog->expected_attach_type == BPF_TRACE_ITER &&
> 
> What's the problem allowing this for all program types?

Just want to conservative here since we may leak kernel pointers.
But probably we are fine since the spill type is PTR_TO_BTF_ID
which means tracing/raw_tp related bpf programs which should
be okay. Will remove the above additional check, which I added
in v2 of the patch.

> 
>> +                   state->stack[spi].slot_type[0] == STACK_SPILL &&
>> +                   state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID)
>> +                       goto mark;
>> +
>>                  if (state->stack[spi].slot_type[0] == STACK_SPILL &&
>>                      state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
>>                          __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
>> --
>> 2.24.1
>>

Powered by blists - more mailing lists