Re: [PATCH bpf v3 2/3] bpf: Do not mark NULL-checked raw_tp arg as scalar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 6 Dec 2024 at 18:59, Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Fri, Dec 6, 2024 at 8:11 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
> >
> > An implication of this fix, which follows from the way the raw_tp fixes
> > were implemented, is that all PTR_MAYBE_NULL trusted PTR_TO_BTF_ID are
> > engulfed by these checks, and PROBE_MEM will apply to all of them, incl.
> > those coming from helpers with KF_ACQUIRE returning maybe null trusted
> > pointers. This NULL tagging after this commit will be sticky. Compared
> > to a solution which only specially tagged raw_tp args with a different
> > special maybe null tag (like PTR_SOFT_NULL), it's a consequence of
> > overloading PTR_MAYBE_NULL with this meaning.
> >
> > Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL")
> > Reported-by: Manu Bretelle <chantra@xxxxxxxx>
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > ---
> >  kernel/bpf/verifier.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 82f40d63ad7b..556fb609d4a4 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -15365,6 +15365,12 @@ static void mark_ptr_or_null_reg(struct bpf_verifier_env *env,
> >                         return;
> >
> >                 if (is_null) {
> > +                       /* We never mark a raw_tp trusted pointer as scalar, to
> > +                        * preserve backwards compatibility, instead just leave
> > +                        * it as is.
> > +                        */
> > +                       if (mask_raw_tp_reg_cond(env, reg))
> > +                               return;
>
> The blast radius is getting too big.
> Patch 1 is ok, but here we're doubling down on
> the hack in commit
> cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL")

There are two concerns:
First, it applies whether or not a register is a raw_tp arg. There is
a way to detect that (with some register state, instead of using a
separate tag).
Second, we treat the program in the == NULL branch as if the pointer
_maybe_ null, and in the != NULL as definitively not NULL.
I don't really see how that's too different, given we already allow direct
access etc. when the pointer is _unchecked_ after entry, and the state
is same as
the case where == NULL branch is explored.

>
> I think we need to revert the raw_tp masking hack and
> go with denylist the way Jiri proposed:
> https://lore.kernel.org/bpf/ZrIj9jkXqpKXRuS7@krava/
>
> denylist is certainly less safer and it's a whack-a-mole
> comparing to allowlist, but it's much much shorter
> according to Jiri's analysis:
> https://lore.kernel.org/bpf/Zr3q8ihbe8cUdpfp@krava/

Ok, let's revert.
Jiri, do you have the diff around for that attempt? Could you post a
revert of the patches and then the diff you shared?
If not, I can carry it as well with the revert, if you share it with
me (keeping the attribution etc.). Either is fine, lmk.

Thanks


>
> Eduard had an idea how to auto generate such allow/denylist
> during the build.
> That could be a follow up.





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux