On 2024/9/7 05:25, Andrii Nakryiko wrote:
On Thu, Sep 5, 2024 at 12:56 AM Philo Lu <lulie@xxxxxxxxxxxxxxxxx> wrote:
Pointers passed to tp_btf were trusted to be valid, but some tracepoints
do take a NULL pointer as input, such as trace_tcp_send_reset(). Then the
invalid memory access cannot be detected by the verifier.
This patch fixes it by adding a suffix "__nullable" to the unreliable
argument. The suffix is shown in BTF, and PTR_MAYBE_NULL will be added
to nullable arguments. Then users must check the pointer before using it.
A problem here is that we use "btf_trace_##call" to search func_proto.
As it is a typedef, argument names as well as the suffix are not
recorded. To solve this, I use bpf_raw_event_map to find
"__bpf_trace##template" from "btf_trace_##call", and then we can see the
suffix.
Suggested-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Philo Lu <lulie@xxxxxxxxxxxxxxxxx>
---
kernel/bpf/btf.c | 13 +++++++++++++
kernel/bpf/verifier.c | 36 +++++++++++++++++++++++++++++++++---
2 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 1e29281653c62..157f5e1247c81 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6385,6 +6385,16 @@ static bool prog_args_trusted(const struct bpf_prog *prog)
}
}
+static bool prog_arg_maybe_null(const struct bpf_prog *prog, const struct btf *btf,
+ const struct btf_param *arg)
+{
+ if (prog->type != BPF_PROG_TYPE_TRACING ||
+ prog->expected_attach_type != BPF_TRACE_RAW_TP)
+ return false;
+
+ return btf_param_match_suffix(btf, arg, "__nullable");
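Review bot: prog_arg_maybe_null() introduces a naming convention that tracepoint authors and BPF program writers will depend on, but the hunk carries no comment documenting it; a short comment above the function stating that a parameter whose name ends in "__nullable" is marked PTR_MAYBE_NULL and must be NULL-checked by the program before any dereference, and that the suffix is only honoured when prog->type == BPF_PROG_TYPE_TRACING with expected_attach_type == BPF_TRACE_RAW_TP, would put that contract where future readers look. If the type/attach-type gate is dropped, as suggested in the review, the same comment should say the suffix applies to every BTF-typed argument instead.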
why does this need to be BPF_TRACE_RAW_TP-specific logic? Are we
afraid that there might be "some_arg__nullable" argument name?..
Yes. I don't think the check is necessary but I'm not quite sure if it
affects other prog/attach types. It's ok for me to remove the check. I
added it just because this __nullable suffix only serves tp_btf now.
And thanks for your nice suggestions. I'll fix them in the next version.
Also, thanks for the information about retsnoop. Our solutions seem to
be similar, and I'll look into it further. Honestly, it took me some
time to get argument names from tp_btf, and I could not find a better
solution than to use btp->bpf_func with kallsyms...
--
Philo