This patch simplifies the verification of size arguments associated to
pointer arguments to helpers and kfuncs. Many helpers take a pointer
argument followed by the size of the memory access performed to be
performed through that pointer. Before this patch, the handling of the
size argument in check_mem_size_reg() was confusing and wasteful: if the
size register's lower bound was 0, then the verification was done twice:
once considering the size of the access to be the lower-bound of the
respective argument, and once considering the upper bound (even if the
two are the same). The upper bound checking is a super-set of the
lower-bound checking(*), except: the only point of the lower-bound check
is to handle the case where zero-sized-accesses are explicitly not
allowed and the lower-bound is zero. This static condition is now
checked explicitly, replacing a much more complex, expensive and
confusing verification call to check_helper_mem_access().
Now that check_mem_size_reg() deals directly with the zero_size_allowed
checking, the single remaining call to check_helper_mem_access() can
pass a static value for the zero_size_allowed arg, instead of
propagating a dynamic one. I think this is an improvement, as tracking
the wide propagation of zero_sized_allowed is already complicated.
This patch also results in better error messages for rejected zero-size
reads. Before, the message one would get depended on the type of the
pointer and on other conditions, and sometimes the message was plain
wrong: in some tests that changed you'll see that the old message was
something like "R1 min value is outside of the allowed memory range",
where R1 is the pointer register; the error was wrongly claiming that
the pointer was bad instead of the size being bad. Other times the
information that the size came for a register with a possible range of
values was wrong, and the error presented the size as a fixed zero.
(*) Besides standing to reason that the checks for a bigger size access
are a super-set of the checks for a smaller size access, I have also
mechanically verified this by reading the code for all types of
pointers. I could convince myself that it's true for all but
PTR_TO_BTF_ID (check_ptr_to_btf_access). There, simply looking
line-by-line does not immediately prove what we want. If anyone has any
qualms, let me know.
Signed-off-by: Andrei Matei <andreimatei1@xxxxxxxxx>
---
kernel/bpf/verifier.c | 85 +++++++++++++++++--
.../bpf/progs/verifier_helper_value_access.c | 45 +++++++++-
.../selftests/bpf/progs/verifier_raw_stack.c | 4 +-
3 files changed, 120 insertions(+), 14 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1863826a4ac3..cf2a09408bdc 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7256,6 +7256,65 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
}
}
+/* Helper function for logging an error about an invalid attempt to perform a
+ * (possibly) zero-sized memory access. The pointer being dereferenced is in
+ * register @ptr_regno, and the size of the access is in register @size_regno.
+ * The size register is assumed to either be a constant zero or have a zero lower
+ * bound.
+ *
+ * Logs a message like:
+ * invalid zero-size read. Size comes from R2=0. Attempting to dereference *map_value R1: off=[0,4] value_size=48
+ */
+static void log_zero_size_access_err(struct bpf_verifier_env *env,
+ int ptr_regno,
+ int size_regno)
+{
+ struct bpf_reg_state *ptr_reg = &cur_regs(env)[ptr_regno];
+ struct bpf_reg_state *size_reg = &cur_regs(env)[size_regno];
+ const bool size_is_const = tnum_is_const(size_reg->var_off);
+ const char *ptr_type_str = reg_type_str(env, ptr_reg->type);
+ /* allocate a few buffers to be used as parts of the error message */
+ char size_range_buf[64] = {0}, max_size_buf[64] = {0}, off_buf[64] = {0};
+ s64 min_off, max_off;
+ if (!size_is_const) {
+ snprintf(size_range_buf, sizeof(size_range_buf),
+ "[0,%lld]", size_reg->umax_value);
+ }
+
+ if (tnum_is_const(ptr_reg->var_off)) {
+ min_off = (s64)ptr_reg->var_off.value + ptr_reg->off;
+ snprintf(off_buf, sizeof(off_buf), "%lld", min_off);
+ } else {
+ min_off = ptr_reg->smin_value + ptr_reg->off;
+ max_off = ptr_reg->smax_value + ptr_reg->off;
+ snprintf(off_buf, sizeof(off_buf), "[%lld,%lld]", min_off, max_off);
+ }
+
+ /* attempt to figure out info about the maximum offset that could be allowed */
+ switch (ptr_reg->type) {
+ case PTR_TO_MAP_KEY:
+ snprintf(max_size_buf, sizeof(max_size_buf), "key_size=%d", ptr_reg->map_ptr->key_size);
+ break;
+ case PTR_TO_MAP_VALUE:
+ snprintf(max_size_buf, sizeof(max_size_buf), "value_size=%d", ptr_reg->map_ptr->value_size);
+ break;
+ case PTR_TO_PACKET:
+ case PTR_TO_PACKET_META:
+ snprintf(max_size_buf, sizeof(max_size_buf), "packet_size=%d", ptr_reg->range);
+ break;
+ case PTR_TO_MEM:
+ default:
+ snprintf(max_size_buf, sizeof(max_size_buf), "max_size=N/A");
+ }
+
+ verbose(env, "invalid %szero-size read. Size comes from R%d=%s. "
+ "Attempting to dereference *%s R%d: off=%s %s\n",
+ size_is_const ? "" : "possibly ",
+ size_regno, size_is_const ? "0" : size_range_buf,
+ ptr_type_str, ptr_regno, off_buf, max_size_buf);
+}
+
+
/* verify arguments to helpers or kfuncs consisting of a pointer and an access
* size.
*
@@ -7268,6 +7327,7 @@ static int check_mem_size_reg(struct bpf_verifier_env *env,
struct bpf_call_arg_meta *meta)
{
int err;
+ const bool size_is_const = tnum_is_const(reg->var_off);
/* This is used to refine r0 return value bounds for helpers
* that enforce this value as an upper bound on return values.
@@ -7282,7 +7342,7 @@ static int check_mem_size_reg(struct bpf_verifier_env *env,
/* The register is SCALAR_VALUE; the access check
* happens using its boundaries.
*/
- if (!tnum_is_const(reg->var_off))
+ if (!size_is_const)
/* For unprivileged variable accesses, disable raw
* mode so that the program is required to
* initialize all the memory that the helper could
@@ -7296,12 +7356,9 @@ static int check_mem_size_reg(struct bpf_verifier_env *env,
return -EACCES;
}
- if (reg->umin_value == 0) {
- err = check_helper_mem_access(env, regno - 1, 0,
- zero_size_allowed,
- meta);
- if (err)
- return err;
+ if (reg->umin_value == 0 && !zero_size_allowed) {
+ log_zero_size_access_err(env, regno-1, regno);
+ return -EACCES;
}
if (reg->umax_value >= BPF_MAX_VAR_SIZ) {
@@ -7309,9 +7366,21 @@ static int check_mem_size_reg(struct bpf_verifier_env *env,
regno);
return -EACCES;
}
+ /* If !zero_size_allowed, we already checked that umin_value > 0, so
+ * umax_value should also be > 0.
+ */
+ if (reg->umax_value == 0 && !zero_size_allowed) {
+ verbose(env, "verifier bug: !zero_size_allowed should have been handled already\n");
+ return -EFAULT;
+ }
err = check_helper_mem_access(env, regno - 1,
reg->umax_value,
- zero_size_allowed, meta);
+ /* zero_size_allowed: we asserted above that umax_value is
+ * not zero if !zero_size_allowed, so we don't need any
+ * further checks.
+ */
+ true ,
+ meta);
if (!err)
err = mark_chain_precision(env, regno);
return err;
diff --git a/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c b/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c
index 692216c0ad3d..9fe10f63c931 100644
--- a/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c
+++ b/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c
@@ -89,9 +89,14 @@ l0_%=: exit; \
: __clobber_all);
}
+/* Call a function taking a pointer and a size which doesn't allow the size to
+ * be zero (i.e. bpf_trace_printk() declares the second argument to be
+ * ARG_CONST_SIZE, not ARG_CONST_SIZE_OR_ZERO). We attempt to pass zero for the
+ * size and expect to fail.
+ */
SEC("tracepoint")
__description("helper access to map: empty range")
-__failure __msg("invalid access to map value, value_size=48 off=0 size=0")
+__failure __msg("invalid zero-size read. Size comes from R2=0. Attempting to dereference *map_value R1: off=0 value_size=48")
__naked void access_to_map_empty_range(void)
{
asm volatile (" \
@@ -113,6 +118,38 @@ l0_%=: exit; \
: __clobber_all);
}
+/* Like the test above, but this time the size register is not known to be zero;
+ * its lower-bound is zero though, which is still unacceptible.
+ */
+SEC("tracepoint")
+__description("helper access to map: possibly-empty range")
+__failure __msg("invalid possibly zero-size read. Size comes from R2=[0,4]. Attempting to dereference *map_value R1: off=0 value_size=48")
+__naked void access_to_map_possibly_empty_range(void)
+{
+ asm volatile (" \
+ r2 = r10; \
+ r2 += -8; \
+ r1 = 0; \
+ *(u64*)(r2 + 0) = r1; \
+ r1 = %[map_hash_48b] ll; \
+ call %[bpf_map_lookup_elem]; \
+ if r0 == 0 goto l0_%=; \
+ r1 = r0; \
+ /* Read an unknown value */ \
+ r7 = *(u64*)(r0 + 0); \
+ /* Make it small and positive, to avoid other errors */ \
+ r7 &= 4; \
+ r2 = 0; \
+ r2 += r7; \
+ call %[bpf_trace_printk]; \
+l0_%=: exit; \
+" :
+ : __imm(bpf_map_lookup_elem),
+ __imm(bpf_trace_printk),
+ __imm_addr(map_hash_48b)
+ : __clobber_all);
+}
+
SEC("tracepoint")
__description("helper access to map: out-of-bound range")
__failure __msg("invalid access to map value, value_size=48 off=0 size=56")
@@ -221,7 +258,7 @@ l0_%=: exit; \
SEC("tracepoint")
__description("helper access to adjusted map (via const imm): empty range")
-__failure __msg("invalid access to map value, value_size=48 off=4 size=0")
+__failure __msg("invalid zero-size read. Size comes from R2=0. Attempting to dereference *map_value R1: off=4 value_size=48")
__naked void via_const_imm_empty_range(void)
{
asm volatile (" \
@@ -386,7 +423,7 @@ l0_%=: exit; \
SEC("tracepoint")
__description("helper access to adjusted map (via const reg): empty range")
-__failure __msg("R1 min value is outside of the allowed memory range")
+__failure __msg("invalid zero-size read. Size comes from R2=0. Attempting to dereference *map_value R1: off=0 value_size=48")
__naked void via_const_reg_empty_range(void)
{
asm volatile (" \
@@ -556,7 +593,7 @@ l0_%=: exit; \
SEC("tracepoint")
__description("helper access to adjusted map (via variable): empty range")
-__failure __msg("R1 min value is outside of the allowed memory range")
+__failure __msg("invalid zero-size read. Size comes from R2=0. Attempting to dereference *map_value R1: off=[0,4] value_size=48")
__naked void map_via_variable_empty_range(void)
{
asm volatile (" \
diff --git a/tools/testing/selftests/bpf/progs/verifier_raw_stack.c b/tools/testing/selftests/bpf/progs/verifier_raw_stack.c
index f67390224a9c..c133d9d2c45e 100644
--- a/tools/testing/selftests/bpf/progs/verifier_raw_stack.c
+++ b/tools/testing/selftests/bpf/progs/verifier_raw_stack.c
@@ -64,7 +64,7 @@ __naked void load_bytes_negative_len_2(void)
SEC("tc")
__description("raw_stack: skb_load_bytes, zero len")
-__failure __msg("invalid zero-sized read")
+__failure __msg("invalid zero-size read. Size comes from R4=0. Attempting to dereference *fp R3: off=-8 max_size=N/A")
__naked void skb_load_bytes_zero_len(void)
{
asm volatile (" \
@@ -333,7 +333,7 @@ __naked void load_bytes_invalid_access_5(void)
SEC("tc")
__description("raw_stack: skb_load_bytes, invalid access 6")
-__failure __msg("invalid zero-sized read")
+__failure __msg("invalid zero-size read. Size comes from R4=0. Attempting to dereference *fp R3: off=-512 max_size=N/A")
__naked void load_bytes_invalid_access_6(void)
{
asm volatile (" \
--
2.40.1
