| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211219031822.k2bfjhgazvvy5r7l@apollo.legion>
Date: Sun, 19 Dec 2021 08:48:22 +0530
From: Kumar Kartikeya Dwivedi <memxor@...il.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
Maxim Mikityanskiy <maximmi@...dia.com>,
Pablo Neira Ayuso <pablo@...filter.org>,
Florian Westphal <fw@...len.de>,
Jesper Dangaard Brouer <brouer@...hat.com>,
Toke Høiland-Jørgensen <toke@...hat.com>
Subject: Re: [PATCH bpf-next v4 06/10] bpf: Track provenance for pointers
formed from referenced PTR_TO_BTF_ID
On Sun, Dec 19, 2021 at 07:58:39AM IST, Alexei Starovoitov wrote:
> On Fri, Dec 17, 2021 at 07:20:27AM +0530, Kumar Kartikeya Dwivedi wrote:
> > diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> > index b80fe5bf2a02..a6ef11db6823 100644
> > --- a/include/linux/bpf_verifier.h
> > +++ b/include/linux/bpf_verifier.h
> > @@ -128,6 +128,16 @@ struct bpf_reg_state {
> > * allowed and has the same effect as bpf_sk_release(sk).
> > */
> > u32 ref_obj_id;
> > + /* This is set for pointers which are derived from referenced
> > + * pointer (e.g. PTR_TO_BTF_ID pointer walking), so that the
> > + * pointers obtained by walking referenced PTR_TO_BTF_ID
> > + * are appropriately invalidated when the lifetime of their
> > + * parent object ends.
> > + *
> > + * Only one of ref_obj_id and parent_ref_obj_id can be set,
> > + * never both at once.
> > + */
> > + u32 parent_ref_obj_id;
>
> How would it handle parent of parent?
When you do:
r1 = acquire();
it gets ref_obj_id as N, then when you load r1->next, it does mark_btf_ld_reg
with reg->ref_obj_id ?: reg->parent_ref_obj_id, the latter is zero so it copies
ref, but into parent_ref_obj_id.
r2 = r1->next;
>From here on, parent_ref_obj_id is propagated into all further mark_btf_ld_reg,
so if we do since ref_obj_id will be zero from previous mark_btf_ld_reg:
r3 = r2->next; // it will copy parent_ref_obj_id
I think it even works fine when you reach it indirectly, like foo->bar->foo,
if first foo is referenced.
... but maybe I missed some detail, do you see a problem in this approach?
> Did you consider map_uid approach ?
> Similar uid can be added for PTR_TO_BTF_ID.
> Then every such pointer will be unique. Each deref will get its own uid.
I'll look into it, I didn't consider it before. My idea was to invalidate
pointers obtained from a referenced ptr_to_btf_id so I copied the same
ref_obj_id into parent_ref_obj_id, so that it can be matched during release. How
would that work in the btf_uid approach if they are unique? Do we copy the same
ref_obj_id into btf_uid? Then it's not very different except being btf_id ptr
specific state, right?
Or we can copy ref_obj_id and also set uid to disallow it from being released,
but still allow invalidation.
> I think the advantage of parent_ref_obj_id approach is that the program
> can acquire a pointer through one kernel type, do some deref, and then
> release it through a deref of other type. I'm not sure how practical is that
> and it feels a bit dangerous.
I think I don't allow releasing when ref_obj_id is 0 (which would be the case
when parent_ref_obj_id is set), only indirectly invalidating them.
--
Kartikeya
Powered by blists - more mailing lists