On Tue, Jun 21, 2022 at 8:04 PM Joanne Koong <joannelkoong@xxxxxxxxx> wrote:
>
> On Mon, Jun 20, 2022 at 6:29 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> >
> > kfuncs can handle pointers to memory when the next argument is
> > the size of the memory that can be read and verify these as
> > ARG_CONST_SIZE_OR_ZERO
> >
> > Similarly add support for string constants (const char *) and
> > verify it similar to ARG_PTR_TO_CONST_STR.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
> > include/linux/bpf_verifier.h | 2 +
> > kernel/bpf/btf.c | 29 ++++++++++++
> > kernel/bpf/verifier.c | 85 ++++++++++++++++++++----------------
> > 3 files changed, 79 insertions(+), 37 deletions(-)
> >
> [...]
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 668ecf61649b..02d7951591ae 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -6162,6 +6162,26 @@ static bool is_kfunc_arg_mem_size(const struct btf *btf,
> > return true;
> > }
> >
> > +static bool btf_param_is_const_str_ptr(const struct btf *btf,
> > + const struct btf_param *param)
> > +{
> > + const struct btf_type *t;
> > +
> > + t = btf_type_by_id(btf, param->type);
> > + if (!btf_type_is_ptr(t))
> > + return false;
> > +
> > + t = btf_type_by_id(btf, t->type);
> > + if (!(BTF_INFO_KIND(t->info) == BTF_KIND_CONST))
> "if (BTF_INFO_KIND(t->info) != BTF_KIND_CONST)" looks clearer to me
> > + return false;
> > +
> > + t = btf_type_skip_modifiers(btf, t->type, NULL);
> > + if (!strcmp(btf_name_by_offset(btf, t->name_off), "char"))
> "return !strcmp(btf_name_by_offset(btf, t->name_off), "char")" looks
> clearer to me here too
Agreed. Updated.
> > + return true;
> > +
> > + return false;
> > +}
> > +
> > static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > const struct btf *btf, u32 func_id,
> > struct bpf_reg_state *regs,
> > @@ -6344,6 +6364,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > } else if (ptr_to_mem_ok) {
> > const struct btf_type *resolve_ret;
> > u32 type_size;
> > + int err;
> >
> > if (is_kfunc) {
> > bool arg_mem_size = i + 1 < nargs && is_kfunc_arg_mem_size(btf, &args[i + 1], ®s[regno + 1]);
> > @@ -6354,6 +6375,14 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > * When arg_mem_size is true, the pointer can be
> > * void *.
> > */
> > + if (btf_param_is_const_str_ptr(btf, &args[i])) {
> > + err = check_const_str(env, reg, regno);
> > + if (err < 0)
> > + return err;
> > + i++;
> > + continue;
> If I'm understanding it correctly, this patch is intended to allow
> helper functions to take in a kfunc as an arg as long as the next arg
> is the size of the memory. Do we need to check the memory size access
> here (eg like a call to check_mem_size_reg() in the verifier) to
> ensure that memory accesses of that size are safe?
No, this is different. We already have the verification for where we pair a
void * pointer to a size argument in the next arg.
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/btf.c#n6366
This logic is similar to the verification we do for ARG_PTR_TO_CONST_STR where
we do not need a matching size argument and we just check for a null
terminated string
passed via a R/O map.
> > + }
> > +
> > if (!btf_type_is_scalar(ref_t) &&
> > !__btf_type_is_scalar_struct(log, btf, ref_t, 0) &&
> > (arg_mem_size ? !btf_type_is_void(ref_t) : 1)) {
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 2859901ffbe3..14a434792d7b 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -5840,6 +5840,52 @@ static u32 stack_slot_get_id(struct bpf_verifier_env *env, struct bpf_reg_state
> > return state->stack[spi].spilled_ptr.id;
> > }
> [...]
> > +
> > static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> > struct bpf_call_arg_meta *meta,
> > const struct bpf_func_proto *fn)
> > @@ -6074,44 +6120,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> > return err;
> > err = check_ptr_alignment(env, reg, 0, size, true);
> > } else if (arg_type == ARG_PTR_TO_CONST_STR) {
> > - struct bpf_map *map = reg->map_ptr;
> > - int map_off;
> > - u64 map_addr;
> > - char *str_ptr;
> > -
> > - if (!bpf_map_is_rdonly(map)) {
> > - verbose(env, "R%d does not point to a readonly map'\n", regno);
> > - return -EACCES;
> > - }
> > -
> > - if (!tnum_is_const(reg->var_off)) {
> > - verbose(env, "R%d is not a constant address'\n", regno);
> > - return -EACCES;
> > - }
> > -
> > - if (!map->ops->map_direct_value_addr) {
> > - verbose(env, "no direct value access support for this map type\n");
> > - return -EACCES;
> > - }
> > -
> > - err = check_map_access(env, regno, reg->off,
> > - map->value_size - reg->off, false,
> > - ACCESS_HELPER);
> > - if (err)
> > - return err;
> > -
> > - map_off = reg->off + reg->var_off.value;
> > - err = map->ops->map_direct_value_addr(map, &map_addr, map_off);
> > - if (err) {
> > - verbose(env, "direct value access on string failed\n");
> > + err = check_const_str(env, reg, regno);
> > + if (err < 0)
> > return err;
> nit: I don't think you need the if check here since thsi function will
> return err automatically in the next line
Makes sense. Fixed.
>
> > - }
> > -
> > - str_ptr = (char *)(long)(map_addr);
> > - if (!strnchr(str_ptr + map_off, map->value_size - map_off, 0)) {
> > - verbose(env, "string is not zero-terminated\n");
> > - return -EINVAL;
> > - }
> > } else if (arg_type == ARG_PTR_TO_KPTR) {
> > if (process_kptr_func(env, regno, meta))
> > return -EACCES;
> > --
> > 2.37.0.rc0.104.g0611611a94-goog
> >
