Re: [PATCH bpf-next v5 2/6] bpf: Add a ARG_PTR_TO_CONST_STR argument type

Florent Revest <revest@xxxxxxxxxxxx> · Tue, 20 Apr 2021 14:35:12 +0200

On Tue, Apr 20, 2021 at 12:54 AM Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Mon, Apr 19, 2021 at 05:52:39PM +0200, Florent Revest wrote:
> > This type provides the guarantee that an argument is going to be a const
> > pointer to somewhere in a read-only map value. It also checks that this
> > pointer is followed by a zero character before the end of the map value.
> >
> > Signed-off-by: Florent Revest <revest@xxxxxxxxxxxx>
> > Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> > ---
> >  include/linux/bpf.h   |  1 +
> >  kernel/bpf/verifier.c | 41 +++++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 42 insertions(+)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 77d1d8c65b81..c160526fc8bf 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -309,6 +309,7 @@ enum bpf_arg_type {
> >       ARG_PTR_TO_PERCPU_BTF_ID,       /* pointer to in-kernel percpu type */
> >       ARG_PTR_TO_FUNC,        /* pointer to a bpf program function */
> >       ARG_PTR_TO_STACK_OR_NULL,       /* pointer to stack or NULL */
> > +     ARG_PTR_TO_CONST_STR,   /* pointer to a null terminated read-only string */
> >       __BPF_ARG_TYPE_MAX,
> >  };
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 852541a435ef..5f46dd6f3383 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -4787,6 +4787,7 @@ static const struct bpf_reg_types spin_lock_types = { .types = { PTR_TO_MAP_VALU
> >  static const struct bpf_reg_types percpu_btf_ptr_types = { .types = { PTR_TO_PERCPU_BTF_ID } };
> >  static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
> >  static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
> > +static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
> >
> >  static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
> >       [ARG_PTR_TO_MAP_KEY]            = &map_key_value_types,
> > @@ -4817,6 +4818,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
> >       [ARG_PTR_TO_PERCPU_BTF_ID]      = &percpu_btf_ptr_types,
> >       [ARG_PTR_TO_FUNC]               = &func_ptr_types,
> >       [ARG_PTR_TO_STACK_OR_NULL]      = &stack_ptr_types,
> > +     [ARG_PTR_TO_CONST_STR]          = &const_str_ptr_types,
> >  };
> >
> >  static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
> > @@ -5067,6 +5069,45 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> >               if (err)
> >                       return err;
> >               err = check_ptr_alignment(env, reg, 0, size, true);
> > +     } else if (arg_type == ARG_PTR_TO_CONST_STR) {
> > +             struct bpf_map *map = reg->map_ptr;
> > +             int map_off;
> > +             u64 map_addr;
> > +             char *str_ptr;
> > +
> > +             if (reg->type != PTR_TO_MAP_VALUE || !map ||
>
> I think the 'type' check is redundant,
> since check_reg_type() did it via compatible_reg_types.
> If so it's probably better to remove it here ?
>
> '!map' looks unnecessary. Can it ever happen? If yes, it's a verifier bug.
> For example in check_mem_access() we just deref reg->map_ptr without checking
> which, I think, is correct.

I agree with all of the above. I only thought it's better to be safe
than sorry but if you'd like I could follow up with a patch that
removes some checks?

> > +                 !bpf_map_is_rdonly(map)) {
>
> This check is needed, of course.
>
> > +                     verbose(env, "R%d does not point to a readonly map'\n", regno);
> > +                     return -EACCES;
> > +             }
> > +
> > +             if (!tnum_is_const(reg->var_off)) {
> > +                     verbose(env, "R%d is not a constant address'\n", regno);
> > +                     return -EACCES;
> > +             }
> > +
> > +             if (!map->ops->map_direct_value_addr) {
> > +                     verbose(env, "no direct value access support for this map type\n");
> > +                     return -EACCES;
> > +             }
> > +
> > +             err = check_map_access(env, regno, reg->off,
> > +                                    map->value_size - reg->off, false);
> > +             if (err)
> > +                     return err;
> > +
> > +             map_off = reg->off + reg->var_off.value;
> > +             err = map->ops->map_direct_value_addr(map, &map_addr, map_off);
> > +             if (err) {
>
> since the code checks it here the same check in check_bpf_snprintf_call() should
> probably do:
>  if (err) {
>    verbose("verifier bug\n");
>    return -EFAULT;
>  }
>
> instead of just "return err;"
> ?

Sure, does not hurt. I can also follow up with a patch unless if you
prefer doing it yourself.

> > +                     verbose(env, "direct value access on string failed\n");
>
> I think the message doesn't tell users much, but they probably should never
> see it unless they try to do lookup from readonly array with
> more than one element.
> So I guess it's fine to keep this one as-is. Just flagging.

Ack

> Anyway the whole set looks great, so I've applied to bpf-next.
> Thanks!

Thank you :D