On Mon, Nov 21, 2022 at 01:46:04AM IST, Alexei Starovoitov wrote:
> On Sun, Nov 20, 2022 at 11:57 AM Yonghong Song <yhs@xxxxxx> wrote:
> >
> > @@ -8938,6 +8941,24 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> > regs[BPF_REG_0].type = PTR_TO_BTF_ID | PTR_TRUSTED;
> > regs[BPF_REG_0].btf = desc_btf;
> > regs[BPF_REG_0].btf_id = meta.ret_btf_id;
> > + } else if (meta.func_id == special_kfunc_list[KF_bpf_rdonly_cast]) {
> > + if (!capable(CAP_PERFMON)) {
> > + verbose(env,
> > + "kfunc bpf_rdonly_cast requires CAP_PERFMON capability\n");
> > + return -EACCES;
> > + }
>
> Just realized that bpf_cast_to_kern_ctx() has to be
> gated by cap_perfmon as well.
>
> Also the direct capable(CAP_PERFMON) is not quite correct.
> It should at least be perfmon_capable().
> But even better to use env->allow_ptr_leaks here.
Based on this, I wonder if this needs to be done for bpf_obj_new as well? It
doesn't zero initialize the memory it returns (except special fields, which is
required for correctness), so technically it allows leaking kernel addresses
with just CAP_BPF (apart from capabilities needed for the specific program types
it is available to).
Should that also have a env->allow_ptr_leaks check?
