On Tue, Jan 03, 2023 at 12:58:40AM IST, Eduard Zingerman wrote:
> On Sun, 2023-01-01 at 14:03 +0530, Kumar Kartikeya Dwivedi wrote:
> > The root of the problem is missing liveness marking for STACK_DYNPTR
> > slots. This leads to all kinds of problems inside stacksafe.
> >
> > The verifier by default inside stacksafe ignores spilled_ptr in stack
> > slots which do not have REG_LIVE_READ marks. Since this is being checked
> > in the 'old' explored state, it must have already done clean_live_states
> > for this old bpf_func_state. Hence, it won't be receiving any more
> > liveness marks from to be explored insns (it has received REG_LIVE_DONE
> > marking from liveness point of view).
> >
> > What this means is that verifier considers that it's safe to not compare
> > the stack slot if was never read by children states. While liveness
> > marks are usually propagated correctly following the parentage chain for
> > spilled registers (SCALAR_VALUE and PTR_* types), the same is not the
> > case for STACK_DYNPTR.
> >
> > clean_live_states hence simply rewrites these stack slots to the type
> > STACK_INVALID since it sees no REG_LIVE_READ marks.
> >
> > The end result is that we will never see STACK_DYNPTR slots in explored
> > state. Even if verifier was conservatively matching !REG_LIVE_READ
> > slots, very next check continuing the stacksafe loop on seeing
> > STACK_INVALID would again prevent further checks.
> >
> > Now as long as verifier stores an explored state which we can compare to
> > when reaching a pruning point, we can abuse this bug to make verifier
> > prune search for obviously unsafe paths using STACK_DYNPTR slots
> > thinking they are never used hence safe.
> >
> > Doing this in unprivileged mode is a bit challenging. add_new_state is
> > only set when seeing BPF_F_TEST_STATE_FREQ (which requires privileges)
> > or when jmps_processed difference is >= 2 and insn_processed difference
> > is >= 8. So coming up with the unprivileged case requires a little more
> > work, but it is still totally possible. The test case being discussed
> > below triggers the heuristic even in unprivileged mode.
> >
> > However, it no longer works since commit
> > 8addbfc7b308 ("bpf: Gate dynptr API behind CAP_BPF").
> >
> > Let's try to study the test step by step.
> >
> > Consider the following program (C style BPF ASM):
> >
> > 0 r0 = 0;
> > 1 r6 = &ringbuf_map;
> > 3 r1 = r6;
> > 4 r2 = 8;
> > 5 r3 = 0;
> > 6 r4 = r10;
> > 7 r4 -= -16;
> > 8 call bpf_ringbuf_reserve_dynptr;
> > 9 if r0 == 0 goto pc+1;
> > 10 goto pc+1;
> > 11 *(r10 - 16) = 0xeB9F;
> > 12 r1 = r10;
> > 13 r1 -= -16;
> > 14 r2 = 0;
> > 15 call bpf_ringbuf_discard_dynptr;
> > 16 r0 = 0;
> > 17 exit;
> >
> > We know that insn 12 will be a pruning point, hence if we force
> > add_new_state for it, it will first verify the following path as
> > safe in straight line exploration:
> > 0 1 3 4 5 6 7 8 9 -> 10 -> (12) 13 14 15 16 17
> >
> > Then, when we arrive at insn 12 from the following path:
> > 0 1 3 4 5 6 7 8 9 -> 11 (12)
> >
> > We will find a state that has been verified as safe already at insn 12.
> > Since register state is same at this point, regsafe will pass. Next, in
> > stacksafe, for spi = 0 and spi = 1 (location of our dynptr) is skipped
> > seeing !REG_LIVE_READ. The rest matches, so stacksafe returns true.
> > Next, refsafe is also true as reference state is unchanged in both
> > states.
> >
> > The states are considered equivalent and search is pruned.
> >
> > Hence, we are able to construct a dynptr with arbitrary contents and use
> > the dynptr API to operate on this arbitrary pointer and arbitrary size +
> > offset.
> >
> > To fix this, first define a mark_dynptr_read function that propagates
> > liveness marks whenever a valid initialized dynptr is accessed by dynptr
> > helpers. REG_LIVE_WRITTEN is marked whenever we initialize an
> > uninitialized dynptr. This is done in mark_stack_slots_dynptr. It allows
> > screening off mark_reg_read and not propagating marks upwards from that
> > point.
> >
> > This ensures that we either set REG_LIVE_READ64 on both dynptr slots, or
> > none, so clean_live_states either sets both slots to STACK_INVALID or
> > none of them. This is the invariant the checks inside stacksafe rely on.
> >
> > Next, do a complete comparison of both stack slots whenever they have
> > STACK_DYNPTR. Compare the dynptr type stored in the spilled_ptr, and
> > also whether both form the same first_slot. Only then is the later path
> > safe.
> >
> > Fixes: 97e03f521050 ("bpf: Add verifier support for dynptrs")
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > ---
> > kernel/bpf/verifier.c | 73 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 73 insertions(+)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 4a25375ebb0d..f7248235e119 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -781,6 +781,9 @@ static int mark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_
> > state->stack[spi - 1].spilled_ptr.ref_obj_id = id;
> > }
> >
> > + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
> > + state->stack[spi - 1].spilled_ptr.live |= REG_LIVE_WRITTEN;
> > +
> > return 0;
> > }
> >
> > @@ -805,6 +808,26 @@ static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_re
> >
> > __mark_reg_not_init(env, &state->stack[spi].spilled_ptr);
> > __mark_reg_not_init(env, &state->stack[spi - 1].spilled_ptr);
> > +
> > + /* Why do we need to set REG_LIVE_WRITTEN for STACK_INVALID slot?
> > + *
> > + * While we don't allow reading STACK_INVALID, it is still possible to
> > + * do <8 byte writes marking some but not all slots as STACK_MISC. Then,
> > + * helpers or insns can do partial read of that part without failing,
> > + * but check_stack_range_initialized, check_stack_read_var_off, and
> > + * check_stack_read_fixed_off will do mark_reg_read for all 8-bytes of
> > + * the slot conservatively. Hence we need to screen off those liveness
> > + * marking walks.
> > + *
> > + * This was not a problem before because STACK_INVALID is only set by
> > + * default, or in clean_live_states after REG_LIVE_DONE, not randomly
> > + * during verifier state exploration. Hence, for this case parentage
> > + * chain will still be live, while earlier reg->parent was NULL, so we
> > + * need REG_LIVE_WRITTEN to screen off read marker propagation.
> > + */
> > + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
> > + state->stack[spi - 1].spilled_ptr.live |= REG_LIVE_WRITTEN;
> > +
>
> This is purely to assist with verifier state pruning and does not
> affect correctness, right?
Yes, it should not affect correctness (to the best of my knowledge).
> Commenting the lines does not seem to fail any tests, maybe add one
> matching some "77 safe: ..." jump in the log?
>
I will, thanks.
> > return 0;
> > }
> >
> > @@ -2388,6 +2411,30 @@ static int mark_reg_read(struct bpf_verifier_env *env,
> > return 0;
> > }
> >
> > +static int mark_dynptr_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> > +{
> > + struct bpf_func_state *state = func(env, reg);
> > + int spi, ret;
> > +
> > + /* For CONST_PTR_TO_DYNPTR, it must have already been done by
> > + * check_reg_arg in check_helper_call and mark_btf_func_reg_size in
> > + * check_kfunc_call.
> > + */
> > + if (reg->type == CONST_PTR_TO_DYNPTR)
> > + return 0;
> > + spi = get_spi(reg->off);
> > + /* Caller ensures dynptr is valid and initialized, which means spi is in
> > + * bounds and spi is the first dynptr slot. Simply mark stack slot as
> > + * read.
> > + */
> > + ret = mark_reg_read(env, &state->stack[spi].spilled_ptr,
> > + state->stack[spi].spilled_ptr.parent, REG_LIVE_READ64);
> > + if (ret)
> > + return ret;
> > + return mark_reg_read(env, &state->stack[spi - 1].spilled_ptr,
> > + state->stack[spi - 1].spilled_ptr.parent, REG_LIVE_READ64);
> > +}
> > +
> > /* This function is supposed to be used by the following 32-bit optimization
> > * code only. It returns TRUE if the source or destination register operates
> > * on 64-bit, otherwise return FALSE.
> > @@ -5928,6 +5975,7 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno,
> > enum bpf_arg_type arg_type, struct bpf_call_arg_meta *meta)
> > {
> > struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
> > + int err;
> >
> > /* MEM_UNINIT and MEM_RDONLY are exclusive, when applied to an
> > * ARG_PTR_TO_DYNPTR (or ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_*):
> > @@ -6008,6 +6056,10 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno,
> > err_extra, regno);
> > return -EINVAL;
> > }
> > +
> > + err = mark_dynptr_read(env, reg);
> > + if (err)
> > + return err;
> > }
> > return 0;
> > }
> > @@ -13204,6 +13256,27 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
> > * return false to continue verification of this path
> > */
> > return false;
> > + /* Both are same slot_type, but STACK_DYNPTR requires more
> > + * checks before it can considered safe.
> > + */
> > + if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_DYNPTR) {
> > + /* If both are STACK_DYNPTR, type must be same */
> > + if (old->stack[spi].spilled_ptr.dynptr.type != cur->stack[spi].spilled_ptr.dynptr.type)
> > + return false;
> > + /* Both should also have first slot at same spi */
> > + if (old->stack[spi].spilled_ptr.dynptr.first_slot != cur->stack[spi].spilled_ptr.dynptr.first_slot)
> > + return false;
> > + /* ids should be same */
> > + if (!!old->stack[spi].spilled_ptr.ref_obj_id != !!cur->stack[spi].spilled_ptr.ref_obj_id)
> > + return false;
> > + if (old->stack[spi].spilled_ptr.ref_obj_id &&
> > + !check_ids(old->stack[spi].spilled_ptr.ref_obj_id,
> > + cur->stack[spi].spilled_ptr.ref_obj_id, idmap))
> > + return false;
> > + WARN_ON_ONCE(i % BPF_REG_SIZE);
> > + i += BPF_REG_SIZE - 1;
> > + continue;
> > + }
>
> Nitpick: maybe move the checks above inside regsafe() as all
> conditions operate on old/cur->stack[spi].spilled_ptr ?
Good suggestion, but may need to tweak the condition that falls through to
regsafe for is_spilled_reg, and include STACK_DYNPTR there. I'll check Andrii's
comments as well and see how the end result looks.
>
> Acked-by: Eduard Zingerman <eddyz@xxxxxxxxx>
>
> > if (i % BPF_REG_SIZE != BPF_REG_SIZE - 1)
> > continue;
> > if (!is_spilled_reg(&old->stack[spi]))
>
