On Tue, Jun 21, 2022 at 2:50 PM Kumar Kartikeya Dwivedi
<memxor@xxxxxxxxx> wrote:
>
> On Tue, Jun 21, 2022 at 06:58:08AM IST, KP Singh wrote:
> > kfuncs can handle pointers to memory when the next argument is
> > the size of the memory that can be read and verify these as
> > ARG_CONST_SIZE_OR_ZERO
> >
> > Similarly add support for string constants (const char *) and
> > verify it similar to ARG_PTR_TO_CONST_STR.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
[...]
> > if (is_kfunc) {
> > bool arg_mem_size = i + 1 < nargs && is_kfunc_arg_mem_size(btf, &args[i + 1], ®s[regno + 1]);
> > @@ -6354,6 +6375,14 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > * When arg_mem_size is true, the pointer can be
> > * void *.
> > */
> > + if (btf_param_is_const_str_ptr(btf, &args[i])) {
>
> Here, we need to check whether reg is a PTR_TO_MAP_VALUE, otherwise in
> check_const_str, reg->map_ptr may be NULL. Probably best to do it in
> btf_param_is_const_str_ptr itself.
I added it to the check_const_str as:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 14a434792d7b..5300e022398a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5843,12 +5843,16 @@ static u32 stack_slot_get_id(struct
bpf_verifier_env *env, struct bpf_reg_state
int check_const_str(struct bpf_verifier_env *env,
const struct bpf_reg_state *reg, int regno)
{
- struct bpf_map *map = reg->map_ptr;
+ struct bpf_map *map;
int map_off;
u64 map_addr;
char *str_ptr;
int err;
+ if (reg->type != PTR_TO_MAP_VALUE)
+ return -EACCES;
+
+ map = reg->map_ptr;
if (!bpf_map_is_rdonly(map)) {
verbose(env, "R%d does not point to a readonly map'\n", regno);
return -EACCES;
>
> > + err = check_const_str(env, reg, regno);
> > + if (err < 0)
> > + return err;
> > + i++;
> > + continue;
> > + }
[...]
> > --
> > 2.37.0.rc0.104.g0611611a94-goog
> >
>
> --
> Kartikeya
