On Sat, 10 Feb 2024 at 05:35, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > On Fri, Feb 9, 2024 at 3:14 PM David Vernet <void@xxxxxxxxxxxxx> wrote: > > > > > + > > > +#ifndef arena_container_of > > > > Why is this ifndef required if we have a pragma once above? > > Just a habit to check for a macro before defining it. > > > Obviously it's way better for us to actually have arenas in the interim > > so this is fine for now, but UAF bugs could potentially be pretty > > painful until we get proper exception unwinding support. > > Detection that arena access faulted doesn't have to come after > exception unwinding. Exceptions vs cancellable progs are also different. What do you mean exactly by 'cancellable progs'? That they can be interrupted at any (or well-known) points and stopped? I believe whatever plumbing was done to enable exceptions will be useful there as well. The verifier would just need to know e.g. that a load into PTR_TO_ARENA may fault, and thus generate descriptors for all frames for that pc. Then, at runtime, you could technically release all resources by looking up the frame descriptor and unwind the stack and return back to the caller of the prog. > A record of the line in bpf prog that caused the first fault is probably > good enough for prog debugging. > I think it would make more sense to abort the program by default, because use-after-free in the arena most certainly means a bug in the program. There is no speed up from zeroing faults, it only papers over potential problems in the program. Something is being accessed in a page that has since been unallocated, or the pointer is bad/access is out-of-bounds. If not for all UAFs, especially for guard pages. In that case it is 100% a problem in the program. Unlike PROBE_MEM where we cannot reason about what kernel memory tracing programs may read from, there is no need for a best-effort continuation here. Now that the verifier will stop reasoning precisely about object lifetimes unlike bpf_obj_new objects, all bugs that happen in normal C have a possibility of surfacing in a BPF program using arenas as heaps, so it is more likely that these cases are hit. > [...]
