Re: [PATCH bpf v3 2/3] bpf: Do not mark NULL-checked raw_tp arg as scalar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Dec 6, 2024 at 11:10 AM Kumar Kartikeya Dwivedi
<memxor@xxxxxxxxx> wrote:
>
> On Fri, 6 Dec 2024 at 19:37, Alexei Starovoitov
> <alexei.starovoitov@xxxxxxxxx> wrote:
> >
> > On Fri, Dec 6, 2024 at 10:15 AM Eduard Zingerman <eddyz87@xxxxxxxxx> wrote:
> > >
> > > On Fri, 2024-12-06 at 09:59 -0800, Alexei Starovoitov wrote:
> > > > On Fri, Dec 6, 2024 at 8:11 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
> > > > >
> > > > > An implication of this fix, which follows from the way the raw_tp fixes
> > > > > were implemented, is that all PTR_MAYBE_NULL trusted PTR_TO_BTF_ID are
> > > > > engulfed by these checks, and PROBE_MEM will apply to all of them, incl.
> > > > > those coming from helpers with KF_ACQUIRE returning maybe null trusted
> > > > > pointers. This NULL tagging after this commit will be sticky. Compared
> > > > > to a solution which only specially tagged raw_tp args with a different
> > > > > special maybe null tag (like PTR_SOFT_NULL), it's a consequence of
> > > > > overloading PTR_MAYBE_NULL with this meaning.
> > > > >
> > > > > Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL")
> > > > > Reported-by: Manu Bretelle <chantra@xxxxxxxx>
> > > > > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > > > > ---
> > > > >  kernel/bpf/verifier.c | 6 ++++++
> > > > >  1 file changed, 6 insertions(+)
> > > > >
> > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > > > > index 82f40d63ad7b..556fb609d4a4 100644
> > > > > --- a/kernel/bpf/verifier.c
> > > > > +++ b/kernel/bpf/verifier.c
> > > > > @@ -15365,6 +15365,12 @@ static void mark_ptr_or_null_reg(struct bpf_verifier_env *env,
> > > > >                         return;
> > > > >
> > > > >                 if (is_null) {
> > > > > +                       /* We never mark a raw_tp trusted pointer as scalar, to
> > > > > +                        * preserve backwards compatibility, instead just leave
> > > > > +                        * it as is.
> > > > > +                        */
> > > > > +                       if (mask_raw_tp_reg_cond(env, reg))
> > > > > +                               return;
> > > >
> > > > The blast radius is getting too big.
> > > > Patch 1 is ok, but here we're doubling down on
> > > > the hack in commit
> > > > cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL")
> > > >
> > > > I think we need to revert the raw_tp masking hack and
> > > > go with denylist the way Jiri proposed:
> > > > https://lore.kernel.org/bpf/ZrIj9jkXqpKXRuS7@krava/
> > > >
> > > > denylist is certainly less safer and it's a whack-a-mole
> > > > comparing to allowlist, but it's much much shorter
> > > > according to Jiri's analysis:
> > > > https://lore.kernel.org/bpf/Zr3q8ihbe8cUdpfp@krava/
> > > >
> > > > Eduard had an idea how to auto generate such allow/denylist
> > > > during the build.
> > > > That could be a follow up.
> > >
> > > If the sole goal is to avoid dead code elimination for tracepoint
> > > parameter null check, there might be another hack. Not sure if it was
> > > discussed:
> > > - don't add PTR_MAYBE_NULL (but maybe add a new tag, PTR_SOFT_NULL
> > >   from Kumar's original RFC);
> > > - in is_branch_taken() don't predict anything when tracepoint
> > >   parameters are compared;
> >
> > this part was discussed, but we didn't realize we need below bit...
> >
> > > - in mark_ptr_or_null_regs() don't propagate null for pointers to
> > >   tracepoint parameters (as in this patch).
> >
> > ... and here the 'for tp args' filter is hard to do.
> > mark_ptr_or_null_regs() is generic. arg vs non-arg is lost long ago.
>
> It is not lost. If only args are marked PTR_SOFT_NULL or
> reg->btf.is_raw_tp_arg (or w/e else), it can still be seen when we are
> in that function, and all its copies will have the same information.

ok. fair. still such PTR_SOFT_NULL can only be a temporary workaround.
We still need to revert cb4158ce8ec8.
And if we're reverting and adding soft_null knowingly to revert
later that's just too much.
The cb4158ce8ec8 approach felt ok-ish initially, but two issues
were found. soft_null looks ok-ish today, but it may have issues too.
revert plus denylist is a better way long term.
Especially with automation of allow/deny lists.





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux