| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jun 2022 23:04:03 +0530
From: Kumar Kartikeya Dwivedi <memxor@...il.com>
To: Toke Høiland-Jørgensen <toke@...hat.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Simon Sundberg <simon.sundberg@....se>, netdev@...r.kernel.org,
bpf@...r.kernel.org
Subject: Re: [PATCH bpf 1/2] bpf: Fix calling global functions from
BPF_PROG_TYPE_EXT programs
On Fri, Jun 03, 2022 at 09:10:26PM IST, Toke Høiland-Jørgensen wrote:
> The verifier allows programs to call global functions as long as their
> argument types match, using BTF to check the function arguments. One of the
> allowed argument types to such global functions is PTR_TO_CTX; however the
> check for this fails on BPF_PROG_TYPE_EXT functions because the verifier
> uses the wrong type to fetch the vmlinux BTF ID for the program context
> type. This failure is seen when an XDP program is loaded using
> libxdp (which loads it as BPF_PROG_TYPE_EXT and attaches it to a global XDP
> type program).
>
> Fix the issue by passing in the target program type instead of the
> BPF_PROG_TYPE_EXT type to bpf_prog_get_ctx() when checking function
> argument compatibility.
>
> The first Fixes tag refers to the latest commit that touched the code in
> question, while the second one points to the code that first introduced
> the global function call verification.
>
> Fixes: 3363bd0cfbb8 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support")
> Fixes: 51c39bb1d5d1 ("bpf: Introduce function-by-function verification")
> Reported-by: Simon Sundberg <simon.sundberg@....se>
> Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
> ---
> kernel/bpf/btf.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 7bccaa4646e5..361de7304c4d 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6054,6 +6054,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> struct bpf_reg_state *regs,
> bool ptr_to_mem_ok)
> {
> + enum bpf_prog_type prog_type = env->prog->type;
> struct bpf_verifier_log *log = &env->log;
> u32 i, nargs, ref_id, ref_obj_id = 0;
> bool is_kfunc = btf_is_kernel(btf);
> @@ -6095,6 +6096,9 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> BTF_KFUNC_TYPE_KPTR_ACQUIRE, func_id);
> }
>
> + if (prog_type == BPF_PROG_TYPE_EXT && env->prog->aux->dst_prog)
> + prog_type = env->prog->aux->dst_prog->type;
> +
nit: it might be better to reuse resolve_prog_type here.
> /* check that BTF function arguments match actual types that the
> * verifier sees.
> */
> @@ -6171,7 +6175,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> return -EINVAL;
> }
> /* rest of the arguments can be anything, like normal kfunc */
> - } else if (btf_get_prog_ctx_type(log, btf, t, env->prog->type, i)) {
> + } else if (btf_get_prog_ctx_type(log, btf, t, prog_type, i)) {
> /* If function expects ctx type in BTF check that caller
> * is passing PTR_TO_CTX.
> */
> --
> 2.36.1
>
--
Kartikeya
Powered by blists - more mailing lists