Re: [PATCH bpf-next v3 4/8] bpf: Harden register offset checks for release helpers and kfuncs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 04, 2022 at 05:35:04AM +0530, Kumar Kartikeya Dwivedi wrote:
> Let's ensure that the PTR_TO_BTF_ID reg being passed in to release BPF
> helpers and kfuncs always has its offset set to 0. While not a real
> problem now, there's a very real possibility this will become a problem
> when more and more kfuncs are exposed, and more BPF helpers are added
> which can release PTR_TO_BTF_ID.
> 
> Previous commits already protected against non-zero var_off. One of the
> case we are concerned about now is when we have a type that can be
> returned by e.g. an acquire kfunc:
> 
> struct foo {
> 	int a;
> 	int b;
> 	struct bar b;
> };
> 
> ... and struct bar is also a type that can be returned by another
> acquire kfunc.
> 
> Then, doing the following sequence:
> 
> 	struct foo *f = bpf_get_foo(); // acquire kfunc
> 	if (!f)
> 		return 0;
> 	bpf_put_bar(&f->b); // release kfunc
> 
> ... would work with the current code, since the btf_struct_ids_match
> takes reg->off into account for matching pointer type with release kfunc
> argument type, but would obviously be incorrect, and most likely lead to
> a kernel crash. A test has been included later to prevent regressions in
> this area.
> 
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> ---
>  include/linux/bpf_verifier.h |  3 ++-
>  kernel/bpf/btf.c             | 13 +++++++++----
>  kernel/bpf/verifier.c        | 27 +++++++++++++++++++++++----
>  3 files changed, 34 insertions(+), 9 deletions(-)
> 
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index 38b24ee8d8c2..7a684050495a 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -523,7 +523,8 @@ int check_ptr_off_reg(struct bpf_verifier_env *env,
>  		      const struct bpf_reg_state *reg, int regno);
>  int check_func_arg_reg_off(struct bpf_verifier_env *env,
>  			   const struct bpf_reg_state *reg, int regno,
> -			   enum bpf_arg_type arg_type);
> +			   enum bpf_arg_type arg_type,
> +			   bool is_release_function);
>  int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
>  			     u32 regno);
>  int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 7f6a0ae5028b..c9a1019dc60d 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -5753,6 +5753,9 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>  		return -EINVAL;
>  	}
>  
> +	if (is_kfunc)
> +		rel = btf_kfunc_id_set_contains(btf, resolve_prog_type(env->prog),
> +						BTF_KFUNC_TYPE_RELEASE, func_id);
>  	/* check that BTF function arguments match actual types that the
>  	 * verifier sees.
>  	 */
> @@ -5777,7 +5780,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>  		ref_t = btf_type_skip_modifiers(btf, t->type, &ref_id);
>  		ref_tname = btf_name_by_offset(btf, ref_t->name_off);
>  
> -		ret = check_func_arg_reg_off(env, reg, regno, ARG_DONTCARE);
> +		ret = check_func_arg_reg_off(env, reg, regno, ARG_DONTCARE, rel);
>  		if (ret < 0)
>  			return ret;
>  
> @@ -5809,7 +5812,11 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>  			if (reg->type == PTR_TO_BTF_ID) {
>  				reg_btf = reg->btf;
>  				reg_ref_id = reg->btf_id;
> -				/* Ensure only one argument is referenced PTR_TO_BTF_ID */
> +				/* Ensure only one argument is referenced
> +				 * PTR_TO_BTF_ID, check_func_arg_reg_off relies
> +				 * on only one referenced register being allowed
> +				 * for kfuncs.
> +				 */
>  				if (reg->ref_obj_id) {
>  					if (ref_obj_id) {
>  						bpf_log(log, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
> @@ -5892,8 +5899,6 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
>  	/* Either both are set, or neither */
>  	WARN_ON_ONCE((ref_obj_id && !ref_regno) || (!ref_obj_id && ref_regno));
>  	if (is_kfunc) {
This test is no longer needed?

> -		rel = btf_kfunc_id_set_contains(btf, resolve_prog_type(env->prog),
> -						BTF_KFUNC_TYPE_RELEASE, func_id);
>  		/* We already made sure ref_obj_id is set only for one argument */
>  		if (rel && !ref_obj_id) {
>  			bpf_log(log, "release kernel function %s expects refcounted PTR_TO_BTF_ID\n",
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e55bfd23e81b..c31407d156e7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -5367,11 +5367,28 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
>  
>  int check_func_arg_reg_off(struct bpf_verifier_env *env,
>  			   const struct bpf_reg_state *reg, int regno,
> -			   enum bpf_arg_type arg_type)
> +			   enum bpf_arg_type arg_type,
> +			   bool is_release_func)
>  {
>  	enum bpf_reg_type type = reg->type;
> +	bool fixed_off_ok = false;
>  	int err;
>  
> +	/* When referenced PTR_TO_BTF_ID is passed to release function, it's
> +	 * fixed offset must be 0. We rely on the property that only one
> +	 * referenced register can be passed to BPF helpers and kfuncs.
> +	 */
> +	if (type == PTR_TO_BTF_ID) {
> +		bool release_reg = is_release_func && reg->ref_obj_id;
> +
> +		if (release_reg && reg->off) {
iiuc, the reason for not going through __check_ptr_off_reg() is
because it prefers a different verifier log message for release_reg
case for fixed off.  How about var_off?

> +			verbose(env, "R%d must have zero offset when passed to release func\n",
> +				regno);
> +			return -EINVAL;
> +		}
> +		fixed_off_ok = release_reg ? false : true;
nit.
		fixed_off_ok = !release_reg;

but this is a bit moot here considering the reg->off
check has already been done for the release_reg case.

> +	}
> +
>  	switch ((u32)type) {
>  	case SCALAR_VALUE:
>  	/* Pointer types where reg offset is explicitly allowed: */
> @@ -5394,8 +5411,7 @@ int check_func_arg_reg_off(struct bpf_verifier_env *env,
>  	/* All the rest must be rejected: */
>  	default:
>  force_off_check:
> -		err = __check_ptr_off_reg(env, reg, regno,
> -					  type == PTR_TO_BTF_ID);
> +		err = __check_ptr_off_reg(env, reg, regno, fixed_off_ok);
>  		if (err < 0)
>  			return err;
>  		break;
> @@ -5452,11 +5468,14 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
>  	if (err)
>  		return err;
>  
> -	err = check_func_arg_reg_off(env, reg, regno, arg_type);
> +	err = check_func_arg_reg_off(env, reg, regno, arg_type, is_release_function(meta->func_id));
>  	if (err)
>  		return err;
>  
>  skip_type_check:
> +	/* check_func_arg_reg_off relies on only one referenced register being
> +	 * allowed for BPF helpers.
> +	 */
>  	if (reg->ref_obj_id) {
>  		if (meta->ref_obj_id) {
>  			verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
> -- 
> 2.35.1
> 



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux