From nobody Sat Feb 7 15:40:06 2026 Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E4E77BAF3 for ; Thu, 18 Apr 2024 23:20:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482431; cv=none; b=u+YlUGVAX/FnZJaoByglrI891298oaQtrUB7YGqYKkAcyDLw5oRdOfmJ6cBuVEIC3qg/MT2odprJ+Q/DK54cj5iNdL/Hm46JaTLY/hss+1JnfmgvhXp++Pj3JFbdFfNFpGIUBJCKka+viZcHy+wsMUXlQY6dI1KxiNRyk0gXvHY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482431; c=relaxed/simple; bh=NcUgjEVg58kGwkb+Jw41HUS9kEgKKWzCNIba4ZWXv2A=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=evyaYOWlUsIGSGtENZCopxCVufgnY/xnWYTXxWmYUay0xKkXThPI4nfnxqMUco1JbPFSWP8MWKaYnxVmtO3qtcfvn+PIMhvkNTcnB0aljSABipJRTUwUo+MMtiJ55Z3MmQeDstk0t6FWGKPu8dmCRnCaOcwfyq5Ggkjv/cbcHNI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=P9z5IBeK; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="P9z5IBeK" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-de465062289so2911530276.2 for ; Thu, 18 Apr 2024 16:20:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713482428; x=1714087228; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=q/YC6vY8cZ2knPVqCxWC6lAFUPFp69AYOLfV73QO6KQ=; b=P9z5IBeK68QY2BLELLAGvRdFsi2RK+7AUtkt+mKbmNAc5qy5Gb77gBezKJiJAsPxV0 Pl2V0QYYH/rSQAJI3tAyPWhPpMUFPbVBUoId+kJGcs3TvWrr88hhMKi6Z/xxQZSKKv3R q60Tcb8g3sxJXsBJY9apGTzi3bcNjouMJW1bnHM9+evADYc08J1NHIiAMbHNJyBaiiI0 4UBT8E6DzbM7JKBlHirdGBJnazosbN78d7R3oFoNpkxg6ctoYnmS1p5B2nCitGxtRPFt j2g+3ioEYqIbPzb7jwvecSUztKfvpcPUmGzbC96KyHa1384IKLoTv/AYrflEev3XnPyo Y21Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713482428; x=1714087228; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=q/YC6vY8cZ2knPVqCxWC6lAFUPFp69AYOLfV73QO6KQ=; b=swJ0xRKFTEvNmm6k18V4Cv4VeXlfXHv3TVKE3Cf3LZnyXLXWyUlk7Gq/b08RjCWtek tDdN/dwZic6Ha+REhxZKrVxtcddkNBs+jOVSyjnOsMcw6GJ923SND4fAgXAuCVcGkS7g xrjCqJ/uZwFliEBFGXR5mvBOWC1MMGI9e+2f9FOvUoDRG9qbdPfJYc8t2sjP3ZSi6FEx 9siFAobEfEsGEFrhcxQTEsxJ5lzO/DjgenODpJQzjJ5moQAmuiBWNP5xzapiTZEvA/dj HIjNLeIS5ndebISEXWwvsIrwsadxxl+1DgnRSAFjTnZbovvVuB8PnxmyLsT0zKqAjfpH BIGg== X-Forwarded-Encrypted: i=1; AJvYcCWuh44k6mFOj1M9eYGbBPGJhvrT8T45NMeUkIAhmzsJH1E90Nm/9SYFf1t+efbLx7IBhHG+a8D6/+beAwUdnI3TK+4oR5KDoZePVqBr X-Gm-Message-State: AOJu0YzL+S5HAaUMjL8l6TipPVNmBuIBwUcCQkOAb93NYqWa5VtzOmzE R0Dsl/sMPGCgjI1WQ3X0txJ8jgqNgR6ekjlu/+bgQv0tTl5SASud6VhC8C/mFOKISOk+iDsXKnU 1XA== X-Google-Smtp-Source: AGHT+IHrxrrNUKm29ldT/oIgtUJU7kmFT8cDAHOqQdXSx4NR3b72oYNNm2fwp/UDMHZjPkZRE+Y5djysHRQ= X-Received: from edliaw.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:305d]) (user=edliaw job=sendgmr) by 2002:a25:fc04:0:b0:dc6:cafd:dce5 with SMTP id v4-20020a25fc04000000b00dc6cafddce5mr91879ybd.12.1713482428464; Thu, 18 Apr 2024 16:20:28 -0700 (PDT) Date: Thu, 18 Apr 2024 23:19:47 +0000 In-Reply-To: <20240418232005.34244-1-edliaw@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <16430256912363@kroah.com> <20240418232005.34244-1-edliaw@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240418232005.34244-2-edliaw@google.com> Subject: [PATCH 5.15.y v3 1/5] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support From: Edward Liaw To: stable@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw , Yonghong Song , linux-kernel@vger.kernel.org, Kumar Kartikeya Dwivedi Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Allow passing PTR_TO_CTX, if the kfunc expects a matching struct type, and punt to PTR_TO_MEM block if reg->type does not fall in one of PTR_TO_BTF_ID or PTR_TO_SOCK* types. This will be used by future commits to get access to XDP and TC PTR_TO_CTX, and pass various data (flags, l4proto, netns_id, etc.) encoded in opts struct passed as pointer to kfunc. For PTR_TO_MEM support, arguments are currently limited to pointer to scalar, or pointer to struct composed of scalars. This is done so that unsafe scenarios (like passing PTR_TO_MEM where PTR_TO_BTF_ID of in-kernel valid structure is expected, which may have pointers) are avoided. Since the argument checking happens basd on argument register type, it is not easy to ascertain what the expected type is. In the future, support for PTR_TO_MEM for kfunc can be extended to serve other usecases. The struct type whose pointer is passed in may have maximum nesting depth of 4, all recursively composed of scalars or struct with scalars. Future commits will add negative tests that check whether these restrictions imposed for kfunc arguments are duly rejected by BPF verifier or not. [edliaw: merged with changes from 45ce4b4f90091 ("bpf: Fix crash due to out of bounds access into reg2btf_ids.") and f858c2b2ca04 ("bpf: Fix calling global functions from BPF_PROG_TYPE_EXT programs")] Signed-off-by: Kumar Kartikeya Dwivedi Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20211217015031.1278167-4-memxor@gmail.com (cherry picked from commit 3363bd0cfbb80dfcd25003cd3815b0ad8b68d0ff) Signed-off-by: Edward Liaw --- kernel/bpf/btf.c | 93 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 73 insertions(+), 20 deletions(-) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 5d4bea53ac1f..77929fd7bcef 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -5447,6 +5447,46 @@ static u32 *reg2btf_ids[__BPF_REG_TYPE_MAX] =3D { #endif }; +/* Returns true if struct is composed of scalars, 4 levels of nesting allo= wed */ +static bool __btf_type_is_scalar_struct(struct bpf_verifier_log *log, + const struct btf *btf, + const struct btf_type *t, int rec) +{ + const struct btf_type *member_type; + const struct btf_member *member; + u32 i; + + if (!btf_type_is_struct(t)) + return false; + + for_each_member(i, t, member) { + const struct btf_array *array; + + member_type =3D btf_type_skip_modifiers(btf, member->type, NULL); + if (btf_type_is_struct(member_type)) { + if (rec >=3D 3) { + bpf_log(log, "max struct nesting depth exceeded\n"); + return false; + } + if (!__btf_type_is_scalar_struct(log, btf, member_type, rec + 1)) + return false; + continue; + } + if (btf_type_is_array(member_type)) { + array =3D btf_type_array(member_type); + if (!array->nelems) + return false; + member_type =3D btf_type_skip_modifiers(btf, array->type, NULL); + if (!btf_type_is_scalar(member_type)) + return false; + continue; + } + if (!btf_type_is_scalar(member_type)) + return false; + } + return true; +} + static int btf_check_func_arg_match(struct bpf_verifier_env *env, const struct btf *btf, u32 func_id, struct bpf_reg_state *regs, @@ -5455,6 +5495,7 @@ static int btf_check_func_arg_match(struct bpf_verifi= er_env *env, enum bpf_prog_type prog_type =3D env->prog->type =3D=3D BPF_PROG_TYPE_EXT= ? env->prog->aux->dst_prog->type : env->prog->type; struct bpf_verifier_log *log =3D &env->log; + bool is_kfunc =3D btf_is_kernel(btf); const char *func_name, *ref_tname; const struct btf_type *t, *ref_t; const struct btf_param *args; @@ -5507,7 +5548,20 @@ static int btf_check_func_arg_match(struct bpf_verif= ier_env *env, ref_t =3D btf_type_skip_modifiers(btf, t->type, &ref_id); ref_tname =3D btf_name_by_offset(btf, ref_t->name_off); - if (btf_is_kernel(btf)) { + if (btf_get_prog_ctx_type(log, btf, t, prog_type, i)) { + /* If function expects ctx type in BTF check that caller + * is passing PTR_TO_CTX. + */ + if (reg->type !=3D PTR_TO_CTX) { + bpf_log(log, + "arg#%d expected pointer to ctx, but got %s\n", + i, btf_type_str(t)); + return -EINVAL; + } + if (check_ctx_reg(env, reg, regno)) + return -EINVAL; + } else if (is_kfunc && (reg->type =3D=3D PTR_TO_BTF_ID || + (reg2btf_ids[base_type(reg->type)] && !type_flag(reg->type)))) { const struct btf_type *reg_ref_t; const struct btf *reg_btf; const char *reg_ref_tname; @@ -5523,14 +5577,9 @@ static int btf_check_func_arg_match(struct bpf_verif= ier_env *env, if (reg->type =3D=3D PTR_TO_BTF_ID) { reg_btf =3D reg->btf; reg_ref_id =3D reg->btf_id; - } else if (reg2btf_ids[base_type(reg->type)]) { + } else { reg_btf =3D btf_vmlinux; reg_ref_id =3D *reg2btf_ids[base_type(reg->type)]; - } else { - bpf_log(log, "kernel function %s args#%d expected pointer to %s %s but= R%d is not a pointer to btf_id\n", - func_name, i, - btf_type_str(ref_t), ref_tname, regno); - return -EINVAL; } reg_ref_t =3D btf_type_skip_modifiers(reg_btf, reg_ref_id, @@ -5546,22 +5595,24 @@ static int btf_check_func_arg_match(struct bpf_veri= fier_env *env, reg_ref_tname); return -EINVAL; } - } else if (btf_get_prog_ctx_type(log, btf, t, prog_type, i)) { - /* If function expects ctx type in BTF check that caller - * is passing PTR_TO_CTX. - */ - if (reg->type !=3D PTR_TO_CTX) { - bpf_log(log, - "arg#%d expected pointer to ctx, but got %s\n", - i, btf_type_str(t)); - return -EINVAL; - } - if (check_ctx_reg(env, reg, regno)) - return -EINVAL; } else if (ptr_to_mem_ok) { const struct btf_type *resolve_ret; u32 type_size; + if (is_kfunc) { + /* Permit pointer to mem, but only when argument + * type is pointer to scalar, or struct composed + * (recursively) of scalars. + */ + if (!btf_type_is_scalar(ref_t) && + !__btf_type_is_scalar_struct(log, btf, ref_t, 0)) { + bpf_log(log, + "arg#%d pointer type %s %s must point to scalar or struct with scala= r\n", + i, btf_type_str(ref_t), ref_tname); + return -EINVAL; + } + } + resolve_ret =3D btf_resolve_size(btf, ref_t, &type_size); if (IS_ERR(resolve_ret)) { bpf_log(log, @@ -5574,6 +5625,8 @@ static int btf_check_func_arg_match(struct bpf_verifi= er_env *env, if (check_mem_reg(env, reg, regno, type_size)) return -EINVAL; } else { + bpf_log(log, "reg type unsupported for arg#%d %sfunction %s#%d\n", i, + is_kfunc ? "kernel " : "", func_name, func_id); return -EINVAL; } } @@ -5623,7 +5676,7 @@ int btf_check_kfunc_arg_match(struct bpf_verifier_env= *env, const struct btf *btf, u32 func_id, struct bpf_reg_state *regs) { - return btf_check_func_arg_match(env, btf, func_id, regs, false); + return btf_check_func_arg_match(env, btf, func_id, regs, true); } /* Convert BTF of a function into bpf_reg_state if possible -- 2.44.0.769.g3c40516874-goog From nobody Sat Feb 7 15:40:06 2026 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 08BA97C0A9 for ; Thu, 18 Apr 2024 23:20:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482434; cv=none; b=h+vSOsveBK4CuPJ8ga9bO/+xp/mKfXh07bDlj9vsjyAiLXGJf30xeKcf9VtsziUzhyR+7jvbNVAzcLNA20mYk0TVZIpFHQ6zHf321488A/qKTiLM4fUdxf8BPS5OG0VRZ3iGY5ZyBWV5lvFZKl78egteaXmnibZ2rOwg+5aAQQo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482434; c=relaxed/simple; bh=7WAgsmWa8I2nRXxoayOV0F/ehsyZq3cQzYa0hL40wdw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Otg5/IevzsfTKqthaI/RW7pQhGLlBP8GIvc/PMWWTzfFerPwlBaNDP4gn3EfYN3KpUUhxvjqhcUbA6t9g4h24JTmgRnafKoo/HRmtPITlpBXnRXuYJAmDLb04CQSZ2Tod2+MBIeH5q19V8Wo4WnFZZ952Gqqi/oNkOJp3DwDRCQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=pn2WQmcr; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="pn2WQmcr" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-5f7c0bb1b95so407769a12.0 for ; Thu, 18 Apr 2024 16:20:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713482432; x=1714087232; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=PJWz1uvQTzKPjGuvX+wqPQBpUoIACARU5eow85W6RVU=; b=pn2WQmcr1AACnBg5t7LFSPJCbfvLviyF4Z/jvnKO/HCaMnH1ATHN6yAHg6D7ZHxJwY PSlVz3VxmPq1Q0MZHJFL4+Ors94G/RF1eCOVBSgSowkwFf0AsPMrhu+3dsMlQHqZcU9n QK93oCqiqWGkMRwvvuIn6AREpdkTtn755Wa0K+f7a6AVhxKkXc+QH7t5H2dyTRrXnNZg 9g1aozYqfFpkW2jUBsni5riM7COFPRRTiJukt7UEWjVpXlT24DmudVdVTyW8IR+Ft1IR ofGN3MCSIneVRslKtO61lu7/px2RxXjgigal61k7wT/k8sTn/fkj2rJPzyn7o8IHzk3/ Y9Yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713482432; x=1714087232; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=PJWz1uvQTzKPjGuvX+wqPQBpUoIACARU5eow85W6RVU=; b=fH1+GsKjqZ/Q47lOzs2Q1DbacE3VYWQy8h8iyB2+/IH2EpdYHdcQ92Bgbc+D4vMqZ4 86XbXZxrH/Chu/HSbqGkntEEkoTsq5xmfcVIgREFYF+9P9RDIydn1PeoX5j/bwUCSH2T FLjhIAUzEC7VjSPqjLGpkI/SDfTx1kAHTFBHMGn/zg3pFr9bbGGHsz3snUKHnTYsA9Co iVS/wuqhhmpWpyFjxo4bKsmrF/ES391W7sey1EaoPYI4d7fl1sfX4E8IoLo1E3yICAdY jLXnM/02flLwhgjuq3k0QzLWOs8QIGxx4sQH9+NzorwgO8KFWfH3NqnefRqJt9IO8G3V lBLw== X-Forwarded-Encrypted: i=1; AJvYcCWJizEQNuLPP4m1hyOgLoAg7eNBs7l35EauM05r8Vq7/Mm5F/enyeFFORkdksTa/ZgJxNMcNEfmXGPXG83pYka3aJUlD+Yk3NvqgklP X-Gm-Message-State: AOJu0YyI1a68bKpj9oNvdrsyXKwmOPCOMtYFyz7NWqWMKaIX0ePw23ka 8T89X2vruIZ6+icTxE7BpjEf6XZeDr1zwF4DXsftdmrVdmwdJaCmvrcldwK0FFAVLOZzZ/8Ws+n Biw== X-Google-Smtp-Source: AGHT+IGZvpipb458KhuKNr2lT6l2L7v8w6uv6b7TY6/fKUTAKy1KSarqOpYJWvLTO6PRPcEY1aRIn/XdgRg= X-Received: from edliaw.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:305d]) (user=edliaw job=sendgmr) by 2002:a17:90a:3d4f:b0:2a2:bcae:83c1 with SMTP id o15-20020a17090a3d4f00b002a2bcae83c1mr28422pjf.3.1713482432421; Thu, 18 Apr 2024 16:20:32 -0700 (PDT) Date: Thu, 18 Apr 2024 23:19:48 +0000 In-Reply-To: <20240418232005.34244-1-edliaw@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <16430256912363@kroah.com> <20240418232005.34244-1-edliaw@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240418232005.34244-3-edliaw@google.com> Subject: [PATCH 5.15.y v3 2/5] bpf: Generalize check_ctx_reg for reuse with other types From: Edward Liaw To: stable@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw , Yonghong Song , linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Daniel Borkmann Generalize the check_ctx_reg() helper function into a more generic named one so that it can be reused for other register types as well to check whether their offset is non-zero. No functional change. Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Acked-by: Alexei Starovoitov (cherry picked from commit be80a1d3f9dbe5aee79a325964f7037fe2d92f30) Signed-off-by: Edward Liaw --- include/linux/bpf_verifier.h | 4 ++-- kernel/bpf/btf.c | 2 +- kernel/bpf/verifier.c | 21 +++++++++++---------- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 3d04b48e502d..c0993b079ab5 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -541,8 +541,8 @@ bpf_prog_offload_replace_insn(struct bpf_verifier_env *= env, u32 off, void bpf_prog_offload_remove_insns(struct bpf_verifier_env *env, u32 off, u32 c= nt); =20 -int check_ctx_reg(struct bpf_verifier_env *env, - const struct bpf_reg_state *reg, int regno); +int check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno); int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg, u32 regno, u32 mem_size); =20 diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 77929fd7bcef..a0c7e13e0ab4 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -5558,7 +5558,7 @@ static int btf_check_func_arg_match(struct bpf_verifi= er_env *env, i, btf_type_str(t)); return -EINVAL; } - if (check_ctx_reg(env, reg, regno)) + if (check_ptr_off_reg(env, reg, regno)) return -EINVAL; } else if (is_kfunc && (reg->type =3D=3D PTR_TO_BTF_ID || (reg2btf_ids[base_type(reg->type)] && !type_flag(reg->type)))) { diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 008ddb694c8a..6fe805b559c0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3980,16 +3980,16 @@ static int get_callee_stack_depth(struct bpf_verifi= er_env *env, } #endif =20 -int check_ctx_reg(struct bpf_verifier_env *env, - const struct bpf_reg_state *reg, int regno) +int check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno) { - /* Access to ctx or passing it to a helper is only allowed in - * its original, unmodified form. + /* Access to this pointer-typed register or passing it to a helper + * is only allowed in its original, unmodified form. */ =20 if (reg->off) { - verbose(env, "dereference of modified ctx ptr R%d off=3D%d disallowed\n", - regno, reg->off); + verbose(env, "dereference of modified %s ptr R%d off=3D%d disallowed\n", + reg_type_str(env, reg->type), regno, reg->off); return -EACCES; } =20 @@ -3997,7 +3997,8 @@ int check_ctx_reg(struct bpf_verifier_env *env, char tn_buf[48]; =20 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); - verbose(env, "variable ctx access var_off=3D%s disallowed\n", tn_buf); + verbose(env, "variable %s access var_off=3D%s disallowed\n", + reg_type_str(env, reg->type), tn_buf); return -EACCES; } =20 @@ -4447,7 +4448,7 @@ static int check_mem_access(struct bpf_verifier_env *= env, int insn_idx, u32 regn return -EACCES; } =20 - err =3D check_ctx_reg(env, reg, regno); + err =3D check_ptr_off_reg(env, reg, regno); if (err < 0) return err; =20 @@ -5327,7 +5328,7 @@ static int check_func_arg(struct bpf_verifier_env *en= v, u32 arg, return err; =20 if (type =3D=3D PTR_TO_CTX) { - err =3D check_ctx_reg(env, reg, regno); + err =3D check_ptr_off_reg(env, reg, regno); if (err < 0) return err; } @@ -9561,7 +9562,7 @@ static int check_ld_abs(struct bpf_verifier_env *env,= struct bpf_insn *insn) return err; } =20 - err =3D check_ctx_reg(env, ®s[ctx_reg], ctx_reg); + err =3D check_ptr_off_reg(env, ®s[ctx_reg], ctx_reg); if (err < 0) return err; =20 --=20 2.44.0.769.g3c40516874-goog From nobody Sat Feb 7 15:40:06 2026 Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com [209.85.216.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19F3D7E0EB for ; Thu, 18 Apr 2024 23:20:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482438; cv=none; b=ni6wov4t2Fk3rS29UEapSNYFTH1bRtkhS9RtNVwbK/+6gpXts9kLP8P4DLfuhpIPXr4bSTyZSwV7ANY+Kv3f/fDkss/PEO60gfHeK8xVVrowNYTDVLwKZwpr+kJr2ntf32qMj8xBjcjyCNaPn8AxoLlbXlFTkaumZOZbHd1yplE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482438; c=relaxed/simple; bh=YScO9mwjaHbzHT2vhYW5LqoeHviUzo+lvVpjgG9XQ3k=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=iUrUAeV35qLdo5MvStJIAmWAVjyOCLsYe/q2jCTJSHL6pMxEoJPoPVvmYvL29svytFhdbt5a2gJi2fTgIAFTam5Ousz0wqJPrCNVzXPboLEAzTt8UsnSdG4+D1C5v1gNIWn3C/X5TlOgZL/yJb+oPhYDXEN9Q87UkMA5eAFEMSY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=it1g4hNp; arc=none smtp.client-ip=209.85.216.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="it1g4hNp" Received: by mail-pj1-f73.google.com with SMTP id 98e67ed59e1d1-2a4b48d7a19so1338265a91.1 for ; Thu, 18 Apr 2024 16:20:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713482436; x=1714087236; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ntuKGIhl78pmHpDhVuljrWxMFgXG8nBQtJyZ9nYPDms=; b=it1g4hNp5Ye5qfYuW65zW8uvK0L6dEJ3uvlUK0L7gUqk33IndCQLQbDV+gGqxx+mYk TtunhcYOjysRW3f4qQOOFzKymnrizD1uSM99FjxkuejmOQ8vVVCgoDA6roLcvF4P2wFq g9Jskq54AdT11spq3Y+parmkFFC5jt8iRN3y1gyxSw3pE23Vl+ytU/K8hBcr7ZPDOxwk 1Hmf9lui5dUG1Sm1wPfL0OPXwMOBWHfuYOMOx/8+jPhK2oG9bO35R/i1mkE4R+3bhNcZ ODSSKk1Wwt1ozOsB5qCz77QrkrShZczi+4QMlxlmmFg5w2CaRjuR4k+yxnHEZv+TiN6O dxAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713482436; x=1714087236; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ntuKGIhl78pmHpDhVuljrWxMFgXG8nBQtJyZ9nYPDms=; b=JRVQtdnEIyc/+IlvV2yI2du9pCFzdcT4VMYfuu3pSjS72Hy0g915W6djRzkL69H0Ql /I/e3emBCV4stxkI1e7E6hc5ZSyHAlkbsHixuDRdqcDX7fDnqnmzbJ+zlP79R52h+l1o jOrewsrQ4Jc0iogsnLy/VWV9q+MLzC5gxAPuH1UpYJESsIDaKn1JbujLYDliHfqKUS4n hTmintOkFl4KR+p41QUCDEM7mkNbXRtBTSRcJEQPWsK8O4tElCUIV3NNiInzCmlmRdwT FQhYG7OnH0cMFvXSXN2iTFucxsyVVQ9D4+1B69J5eSTzCqFpazoUpPpc/vJJEjH8UOjK oe/A== X-Forwarded-Encrypted: i=1; AJvYcCXw3cZi9OSf6JoIgTaUYzZbHfXNhD5BukrXIibnz0gqT73oFYJ9YeiCIE4WZ/j26UxPbBgFIr4JSGu6sOwAbf45I1deGAP87ZAKQbl/ X-Gm-Message-State: AOJu0YwxBeAb+15phfN9A1UsI+Ltrt/OjjfK7V0zxpHrt/DhV3EPWCI/ SJQvjbTSxeK3E2svKO048vBRjpTY2peTUu24qf/pxKYVgyBNR1ot3MVJMOXVZ3DrRPmEsEU3Stg RSw== X-Google-Smtp-Source: AGHT+IGX3+sK2ZbRibyfYYT7GKwhF6+fOJueP20+WYShxN73szU+fckNs7zUrZwu4bQuzEjoGpGQlExREJI= X-Received: from edliaw.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:305d]) (user=edliaw job=sendgmr) by 2002:a17:90a:8a96:b0:2aa:ab39:fcb6 with SMTP id x22-20020a17090a8a9600b002aaab39fcb6mr8739pjn.1.1713482436246; Thu, 18 Apr 2024 16:20:36 -0700 (PDT) Date: Thu, 18 Apr 2024 23:19:49 +0000 In-Reply-To: <20240418232005.34244-1-edliaw@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <16430256912363@kroah.com> <20240418232005.34244-1-edliaw@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240418232005.34244-4-edliaw@google.com> Subject: [PATCH 5.15.y v3 3/5] bpf: Generally fix helper register offset check From: Edward Liaw To: stable@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw , Yonghong Song , linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Daniel Borkmann Right now the assertion on check_ptr_off_reg() is only enforced for register types PTR_TO_CTX (and open coded also for PTR_TO_BTF_ID), however, this is insufficient since many other PTR_TO_* register types such as PTR_TO_FUNC do not handle/expect register offsets when passed to helper functions. Given this can slip-through easily when adding new types, make this an expl= icit allow-list and reject all other current and future types by default if this= is encountered. Also, extend check_ptr_off_reg() to handle PTR_TO_BTF_ID as well instead of duplicating it. For PTR_TO_BTF_ID, reg->off is used for BTF to match expect= ed BTF ids if struct offset is used. This part still needs to be allowed, but = the dynamic off from the tnum must be rejected. Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") Fixes: eaa6bcb71ef6 ("bpf: Introduce bpf_per_cpu_ptr()") Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Acked-by: Alexei Starovoitov (cherry picked from commit 6788ab23508bddb0a9d88e104284922cb2c22b77) Signed-off-by: Edward Liaw --- kernel/bpf/verifier.c | 39 ++++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 6fe805b559c0..8cd265d1df34 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3980,14 +3980,15 @@ static int get_callee_stack_depth(struct bpf_verifi= er_env *env, } #endif =20 -int check_ptr_off_reg(struct bpf_verifier_env *env, - const struct bpf_reg_state *reg, int regno) +static int __check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno, + bool fixed_off_ok) { /* Access to this pointer-typed register or passing it to a helper * is only allowed in its original, unmodified form. */ =20 - if (reg->off) { + if (!fixed_off_ok && reg->off) { verbose(env, "dereference of modified %s ptr R%d off=3D%d disallowed\n", reg_type_str(env, reg->type), regno, reg->off); return -EACCES; @@ -4005,6 +4006,12 @@ int check_ptr_off_reg(struct bpf_verifier_env *env, return 0; } =20 +int check_ptr_off_reg(struct bpf_verifier_env *env, + const struct bpf_reg_state *reg, int regno) +{ + return __check_ptr_off_reg(env, reg, regno, false); +} + static int __check_buffer_access(struct bpf_verifier_env *env, const char *buf_info, const struct bpf_reg_state *reg, @@ -5267,12 +5274,6 @@ static int check_reg_type(struct bpf_verifier_env *e= nv, u32 regno, kernel_type_name(btf_vmlinux, *arg_btf_id)); return -EACCES; } - - if (!tnum_is_const(reg->var_off) || reg->var_off.value) { - verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset= \n", - regno); - return -EACCES; - } } =20 return 0; @@ -5327,10 +5328,26 @@ static int check_func_arg(struct bpf_verifier_env *= env, u32 arg, if (err) return err; =20 - if (type =3D=3D PTR_TO_CTX) { - err =3D check_ptr_off_reg(env, reg, regno); + switch ((u32)type) { + case SCALAR_VALUE: + /* Pointer types where reg offset is explicitly allowed: */ + case PTR_TO_PACKET: + case PTR_TO_PACKET_META: + case PTR_TO_MAP_KEY: + case PTR_TO_MAP_VALUE: + case PTR_TO_MEM: + case PTR_TO_MEM | MEM_RDONLY: + case PTR_TO_BUF: + case PTR_TO_BUF | MEM_RDONLY: + case PTR_TO_STACK: + break; + /* All the rest must be rejected: */ + default: + err =3D __check_ptr_off_reg(env, reg, regno, + type =3D=3D PTR_TO_BTF_ID); if (err < 0) return err; + break; } =20 skip_type_check: --=20 2.44.0.769.g3c40516874-goog From nobody Sat Feb 7 15:40:06 2026 Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 297D5762D7 for ; Thu, 18 Apr 2024 23:20:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482442; cv=none; b=qEgv5jYAEvXPYBYnImgzQj9uEz+4jJpK9r2vD3CWQvRx5196ARnSaWmvHeu6KtBewNW63BB1GIOUY2NbX4WPJWEG0nk4VR1g+bOimPOcywHN5C1tQRENx9G7N78gZmTU8iZozGYr/WL5puXNazaWyx4XqGGR837vIGo7iAJ9Lhk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482442; c=relaxed/simple; bh=Q+72qrXtm3Xqm1QYlQ/ARcpBQmoPZPgK3ApUYdbDx7c=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=R9jxBbxjMU6eq3UnFYLx7pQCCdjOJfiSj1U9Xu3VPWVML4TKvUZ4hZd2OiBo4F7q4M7zgnJWNLd2Hl35/s9KWmn4zLszO/ZgxOWQumJH1uL7R+HAXW/faw62K8BA5VA4Esdr1FelLHijwFgjzB7o94+yhWTDAmXbZCntzIYNH9c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=2WSGbe+l; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="2WSGbe+l" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-61aecbcb990so27440577b3.1 for ; Thu, 18 Apr 2024 16:20:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713482440; x=1714087240; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=K9HSeHzPuGtWyHVXG0SBH6UyvQOr79hE7Vg79sXvjgU=; b=2WSGbe+lgquQp/VFNauRnLmTTFiykoWFbsEvN+waloQqhnLNwhTtv3BW8m7p01mHc6 qrZMi8sTe0gHcP5yJLjJmUK+l3teVVlKkaxqIk3FaN/Q2CyImGqm8HKNsVlPnFUr0/GO p1SYqqOkZ/DH+zELOqjK9988QGyDtb109H7gZZrOErLmqZEmvolgix0+dwNCXZlK7+1e OhIVoZFMd40HoPYXmC53bm8UTLsu2GB4AdkcBw+tU9KIJ+odi49mvS0hzrhJYa2twhvP u/arTdaX/rsMpnTbubG/pi2SdL5Zx/RSOY98YIFt48nrZ1UajoTEMua7wonnhf938YZd 48sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713482440; x=1714087240; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=K9HSeHzPuGtWyHVXG0SBH6UyvQOr79hE7Vg79sXvjgU=; b=slzQY+YpexKDlIniys36UYJp3WVMyjoqVFtUE3yNQo+VTe8RmEh8dZNLKGcPLUjRZb jDPYsPZW2SnBjhia/o4Z+VdmbAk3/BJV+XM9Ix4oCAdsHAz6DM4png3pQrpSqIzjW9/W 165vGg71LL5Eo+20h69qzEYfqYn/AJlZyNOdWlbif+MxTdEGwlpNDyHRNuNnG9PUoMqv wVnuQp9Ed2WFR71xRj/HW3Zf1qLPgCLti5oEOZwPYm7UaaGxumB/El+If86B033ZHmu5 KQJEJJbtjLXXluTo9XyvwuwLbAjWTPx46O7E4hu6Wcq436pYJ5qr1RYyZqe5OFK5p9/j +rMw== X-Forwarded-Encrypted: i=1; AJvYcCWeDn3R0q0PRI8B84fSu7unowrm2NbSLD+6ewpUOaLehfPZk0dBJeCaUXYOmVZuITE4GsBmMAO9PHn84u67AB+1PoJUIqa0hyVc6SnI X-Gm-Message-State: AOJu0Yw/+LAtlwcg4GP8dbDEhgkGbwuiJcOMo6UQf3IdkmmI9DC3hN07 SFOsi4qMk5NK7de98S3Yswq+8tSLDEc9KI58Ok9waivZnLPyL+u58iQRPEf5CwekMOSGjm5HKZC kCw== X-Google-Smtp-Source: AGHT+IFVENWOQrhyE9ZFDpAXDlThECm3CQcbnYXp2g9WsRBiAe+oNdRYITno5N/z+Nt1e8YR6fxhOoF7uMs= X-Received: from edliaw.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:305d]) (user=edliaw job=sendgmr) by 2002:a81:52c6:0:b0:61b:3a8:330f with SMTP id g189-20020a8152c6000000b0061b03a8330fmr112441ywb.5.1713482440230; Thu, 18 Apr 2024 16:20:40 -0700 (PDT) Date: Thu, 18 Apr 2024 23:19:50 +0000 In-Reply-To: <20240418232005.34244-1-edliaw@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <16430256912363@kroah.com> <20240418232005.34244-1-edliaw@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240418232005.34244-5-edliaw@google.com> Subject: [PATCH 5.15.y v3 4/5] bpf: Fix out of bounds access for ringbuf helpers From: Edward Liaw To: stable@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw , Yonghong Song , linux-kernel@vger.kernel.org, tr3e.wang@gmail.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Daniel Borkmann Both bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_M= EM in their bpf_func_proto definition as their first argument. They both expect the result from a prior bpf_ringbuf_reserve() call which has a return type = of RET_PTR_TO_ALLOC_MEM_OR_NULL. Meaning, after a NULL check in the code, the verifier will promote the regi= ster type in the non-NULL branch to a PTR_TO_MEM and in the NULL branch to a kno= wn zero scalar. Generally, pointer arithmetic on PTR_TO_MEM is allowed, so the latter could have an offset. The ARG_PTR_TO_ALLOC_MEM expects a PTR_TO_MEM register type. However, the n= on- zero result from bpf_ringbuf_reserve() must be fed into either bpf_ringbuf_= submit() or bpf_ringbuf_discard() but with the original offset given it will then re= ad out the struct bpf_ringbuf_hdr mapping. The verifier missed to enforce a zero offset, so that out of bounds access can be triggered which could be used to escalate privileges if unprivileged BPF was enabled (disabled by default in kernel). Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support f= or it") Reported-by: (SecCoder Security Lab) Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Acked-by: Alexei Starovoitov (cherry picked from commit 64620e0a1e712a778095bd35cbb277dc2259281f) Signed-off-by: Edward Liaw --- kernel/bpf/verifier.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 8cd265d1df34..33fb379b9f58 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5340,9 +5340,15 @@ static int check_func_arg(struct bpf_verifier_env *e= nv, u32 arg, case PTR_TO_BUF: case PTR_TO_BUF | MEM_RDONLY: case PTR_TO_STACK: + /* Some of the argument types nevertheless require a + * zero register offset. + */ + if (arg_type =3D=3D ARG_PTR_TO_ALLOC_MEM) + goto force_off_check; break; /* All the rest must be rejected: */ default: +force_off_check: err =3D __check_ptr_off_reg(env, reg, regno, type =3D=3D PTR_TO_BTF_ID); if (err < 0) --=20 2.44.0.769.g3c40516874-goog From nobody Sat Feb 7 15:40:06 2026 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF1AD7EF04 for ; Thu, 18 Apr 2024 23:20:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482446; cv=none; b=al1XeP+ESu6mLmPqubOqTw83DpEaSjiP6i5Slr6l93/HkoetpxCucgVUl34gLOZzRDWzPysG9C/lZrUduv1EFdo0dPfdZq4rnFxEmCd+mA1GQDWOHfmsHRRPO3iPp/mmdImGkVgWaotBPxygyRrp7xuWzOG7nMUSPlppm8LkjB8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713482446; c=relaxed/simple; bh=zL0IOoCobZDTZUsmgY7nEkobUjMzIyGPYXzHlOIP8G0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=qawkyzZ1gy9ufhTALGkKRwoQez+aVsCfqrAAkJ4l986tIII8DWWBSeVs2dV6twIzgvEwl38bbjNpM5zHul5kEqqqdu2eQLDSqtTlvVYmuVImhrIUiXKRoVpI9CxGl3XNDSQ+d39KR1rcLQo9jXENZF0NS3CAms52rqEGL4wccOc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ttOHZScW; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--edliaw.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ttOHZScW" Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-2a517457163so1589844a91.3 for ; Thu, 18 Apr 2024 16:20:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713482444; x=1714087244; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=kPcj1Y72oL0YYRAb0yR7vLtHAgm/BnGjHu6ktOeso8Y=; b=ttOHZScW0ujDrq2DfIxckZlOlLOZMzhZtWidnNPMN6UiswgVfHVeTBH2kNZ+PD0500 JchMGSuFGr5Y/TiAC+KPCYc24Hw+goHBHFvEUYhk7l4AhCxjNKD2vmw+GwgRUDwBxbI+ WmhZXpdrbXoA9A1Zxkgwij2IJsYIT1NNf15ZL1bqVFTcBNdRs13AaGYA0eGLFqCbxQZw LMtNyeiLIUHnR0O72/qta+00h/aTYv4HdDYsBfPSZ5xkhd8LoatHCz6ns/M54Imi5lgR t/oaXFP4OXN29exKLNQVk4dR+l2mwh8xFv1b9L4b22IZBBY9bpb3mfD0WKrVha1kZ7F0 SH8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713482444; x=1714087244; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=kPcj1Y72oL0YYRAb0yR7vLtHAgm/BnGjHu6ktOeso8Y=; b=Mm0OKE3tmXytegsxNJW4875HFxCJ+ZF8NY4cFGA6GqIpOxvSViKAGc+dsu1DAH6eQv 3QIH8eCHJGTzcYKsZhHy+/0iH3/Il2t7F2XcHeXexios2RDt8A2p12tUhqFCizJ+rJpC kBbBkrDd/kqhKcLcakMMmjOifiVrpKtSKyg7vuHJgsj6n+iI15AwuMB5J8Ot0CwV4ivl RtsYbOAdR9P9YZkaPHgyZaibbWsDphoUpkRMbE/rFipiOw3pl7Nql66Utvy0OMlcllaK QNvJRQSGp+sTi0a9jJ/2HSDlTTW8tn3KuyU+sJSF5QR4hnshIPEWUu99pdLVe3+OKKH8 G+Gw== X-Forwarded-Encrypted: i=1; AJvYcCWDkYd4HOiwfqJ90VhPs+n+7l6suqpj4/VfhzJT7ydZ0gTOe/3Mi+OThAt/osihOSY5Rx21WZIFDHhIpWMkV8W4ViGXQdgQBiKXZGjy X-Gm-Message-State: AOJu0YyrNblaycBhmNEpQD4JsdLv6q8caCqOR2FzZhmLYDA8iRtKH6GK obKcz4xsfD8xM/sVEifKz5fU0v5XD09lx9nnP0k+xeXTfUxKibZpQK3aidtEjtliUuR+IUMlQpG Nyw== X-Google-Smtp-Source: AGHT+IEEzy9e5oCLBFWlB6Une2LnpsXUA9NbXktsIkQ6j7clNh0qpXI1n6gnG31DeYQV8W7REduewhCPvyA= X-Received: from edliaw.c.googlers.com ([fda3:e722:ac3:cc00:24:72f4:c0a8:305d]) (user=edliaw job=sendgmr) by 2002:a17:90a:46c8:b0:2ab:e1ae:d4c4 with SMTP id x8-20020a17090a46c800b002abe1aed4c4mr2052pjg.5.1713482444029; Thu, 18 Apr 2024 16:20:44 -0700 (PDT) Date: Thu, 18 Apr 2024 23:19:51 +0000 In-Reply-To: <20240418232005.34244-1-edliaw@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <16430256912363@kroah.com> <20240418232005.34244-1-edliaw@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240418232005.34244-6-edliaw@google.com> Subject: [PATCH 5.15.y v3 5/5] bpf: Fix ringbuf memory type confusion when passing to helpers From: Edward Liaw To: stable@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa Cc: bpf@vger.kernel.org, kernel-team@android.com, Edward Liaw , Yonghong Song , linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Daniel Borkmann The bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM in their bpf_func_proto definition as their first argument, and thus both e= xpect the result from a prior bpf_ringbuf_reserve() call which has a return type = of RET_PTR_TO_ALLOC_MEM_OR_NULL. While the non-NULL memory from bpf_ringbuf_reserve() can be passed to other helpers, the two sinks (bpf_ringbuf_submit(), bpf_ringbuf_discard()) right = now only enforce a register type of PTR_TO_MEM. This can lead to potential type confusion since it would allow other PTR_TO= _MEM memory to be passed into the two sinks which did not come from bpf_ringbuf_= reserve(). Add a new MEM_ALLOC composable type attribute for PTR_TO_MEM, and enforce t= hat: - bpf_ringbuf_reserve() returns NULL or PTR_TO_MEM | MEM_ALLOC - bpf_ringbuf_submit() and bpf_ringbuf_discard() only take PTR_TO_MEM | ME= M_ALLOC but not plain PTR_TO_MEM arguments via ARG_PTR_TO_ALLOC_MEM - however, other helpers might treat PTR_TO_MEM | MEM_ALLOC as plain PTR_T= O_MEM to populate the memory area when they use ARG_PTR_TO_{UNINIT_,}MEM in th= eir func proto description Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support f= or it") Reported-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Acked-by: Alexei Starovoitov (cherry picked from commit a672b2e36a648afb04ad3bda93b6bda947a479a5) Signed-off-by: Edward Liaw --- include/linux/bpf.h | 9 +++++++-- kernel/bpf/verifier.c | 6 +++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index df15d4d445dd..74a26cabc084 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -321,7 +321,12 @@ enum bpf_type_flag { */ MEM_RDONLY =3D BIT(1 + BPF_BASE_TYPE_BITS), =20 - __BPF_TYPE_LAST_FLAG =3D MEM_RDONLY, + /* MEM was "allocated" from a different helper, and cannot be mixed + * with regular non-MEM_ALLOC'ed MEM types. + */ + MEM_ALLOC =3D BIT(2 + BPF_BASE_TYPE_BITS), + + __BPF_TYPE_LAST_FLAG =3D MEM_ALLOC, }; =20 /* Max number of base types. */ @@ -405,7 +410,7 @@ enum bpf_return_type { RET_PTR_TO_SOCKET_OR_NULL =3D PTR_MAYBE_NULL | RET_PTR_TO_SOCKET, RET_PTR_TO_TCP_SOCK_OR_NULL =3D PTR_MAYBE_NULL | RET_PTR_TO_TCP_SOCK, RET_PTR_TO_SOCK_COMMON_OR_NULL =3D PTR_MAYBE_NULL | RET_PTR_TO_SOCK_COMMO= N, - RET_PTR_TO_ALLOC_MEM_OR_NULL =3D PTR_MAYBE_NULL | RET_PTR_TO_ALLOC_MEM, + RET_PTR_TO_ALLOC_MEM_OR_NULL =3D PTR_MAYBE_NULL | MEM_ALLOC | RET_PTR_TO_= ALLOC_MEM, RET_PTR_TO_BTF_ID_OR_NULL =3D PTR_MAYBE_NULL | RET_PTR_TO_BTF_ID, =20 /* This must be the last entry. Its purpose is to ensure the enum is diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 33fb379b9f58..67b325427022 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -573,6 +573,8 @@ static const char *reg_type_str(struct bpf_verifier_env= *env, =20 if (type & MEM_RDONLY) strncpy(prefix, "rdonly_", 16); + if (type & MEM_ALLOC) + strncpy(prefix, "alloc_", 16); =20 snprintf(env->type_str_buf, TYPE_STR_BUF_LEN, "%s%s%s", prefix, str[base_type(type)], postfix); @@ -5157,6 +5159,7 @@ static const struct bpf_reg_types mem_types =3D { PTR_TO_MAP_KEY, PTR_TO_MAP_VALUE, PTR_TO_MEM, + PTR_TO_MEM | MEM_ALLOC, PTR_TO_BUF, }, }; @@ -5174,7 +5177,7 @@ static const struct bpf_reg_types int_ptr_types =3D { static const struct bpf_reg_types fullsock_types =3D { .types =3D { PTR_TO= _SOCKET } }; static const struct bpf_reg_types scalar_types =3D { .types =3D { SCALAR_V= ALUE } }; static const struct bpf_reg_types context_types =3D { .types =3D { PTR_TO_= CTX } }; -static const struct bpf_reg_types alloc_mem_types =3D { .types =3D { PTR_T= O_MEM } }; +static const struct bpf_reg_types alloc_mem_types =3D { .types =3D { PTR_T= O_MEM | MEM_ALLOC } }; static const struct bpf_reg_types const_map_ptr_types =3D { .types =3D { C= ONST_PTR_TO_MAP } }; static const struct bpf_reg_types btf_ptr_types =3D { .types =3D { PTR_TO_= BTF_ID } }; static const struct bpf_reg_types spin_lock_types =3D { .types =3D { PTR_T= O_MAP_VALUE } }; @@ -5337,6 +5340,7 @@ static int check_func_arg(struct bpf_verifier_env *en= v, u32 arg, case PTR_TO_MAP_VALUE: case PTR_TO_MEM: case PTR_TO_MEM | MEM_RDONLY: + case PTR_TO_MEM | MEM_ALLOC: case PTR_TO_BUF: case PTR_TO_BUF | MEM_RDONLY: case PTR_TO_STACK: --=20 2.44.0.769.g3c40516874-goog