Re: [bpf-next v3 1/2] bpf: Add bpf_copy_from_user_str kfunc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Aug 12, 2024 at 6:26 PM Jordan Rome <linux@xxxxxxxxxxxxxx> wrote:
>
> This adds a kfunc wrapper around strncpy_from_user,
> which can be called from sleepable BPF programs.
>
> This matches the non-sleepable 'bpf_probe_read_user_str'
> helper.
>
> Signed-off-by: Jordan Rome <linux@xxxxxxxxxxxxxx>
> ---
>  kernel/bpf/helpers.c | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index d02ae323996b..e87d5df658cb 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2939,6 +2939,41 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
>         bpf_mem_free(&bpf_global_ma, kit->bits);
>  }
>
> +/**
> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address
> + * @dst:             Destination address, in kernel space.  This buffer must be at
> + *                   least @dst__szk bytes long.
> + * @dst__szk:        Maximum number of bytes to copy, including the trailing NUL.
> + * @unsafe_ptr__ign: Source address, in user space.
> + *
> + * Copies a NUL-terminated string from userspace to BPF space. If user string is
> + * too long this will still ensure zero termination in the dst buffer unless
> + * buffer size is 0.
> + */
> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign)
> +{
> +       int ret;
> +       int count;
> +
> +       if (unlikely(!dst__szk))
> +               return 0;
> +
> +       count = dst__szk - 1;
> +       if (unlikely(!count)) {
> +               ((char *)dst)[0] = '\0';
> +               return 1;
> +       }
> +
> +       ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
> +       if (ret >= 0) {
> +               if (ret == count)
> +                       ((char *)dst)[ret] = '\0';
> +               ret++;
> +       }
> +
> +       return ret;
> +}

The above will not pad the buffer and it will create instability
when the target buffer is a part of the map key. Consider:

struct map_key {
   char str[100];
};
struct {
        __uint(type, BPF_MAP_TYPE_HASH);
        __type(key, struct map_key);
} hash SEC(".maps");

struct map_key key;
bpf_copy_from_user_str(key.str, sizeof(key.str), user_string);

The verifier will think that all of the 'key' is initialized,
but for short strings the key will have garbage.

bpf_probe_read_kernel_str() has the same issue as above, but
let's fix it here first and update read_kernel_str() later.

pw-bot: cr
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux