On Mon, Mar 13, 2023 at 04:58:44PM -0700, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@xxxxxxxxxx>
>
> The verifier rejects the code:
> bpf_strncmp(task->comm, 16, "my_task");
> with the message:
> 16: (85) call bpf_strncmp#182
> R1 type=trusted_ptr_ expected=fp, pkt, pkt_meta, map_key, map_value, mem, ringbuf_mem, buf
>
> Teach the verifier that such access pattern is safe.
> Do not allow untrusted and legacy ptr_to_btf_id to be passed into helpers.
>
> Reported-by: David Vernet <void@xxxxxxxxxxxxx>
> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Acked-by: David Vernet <void@xxxxxxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 883d4ff2e288..2bbd89279070 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6303,6 +6303,9 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
> env,
> regno, reg->off, access_size,
> zero_size_allowed, ACCESS_HELPER, meta);
> + case PTR_TO_BTF_ID:
> + return check_ptr_to_btf_access(env, regs, regno, reg->off,
> + access_size, BPF_READ, -1);
> case PTR_TO_CTX:
> /* in case the function doesn't know how to access the context,
> * (because we are in a program of type SYSCALL for example), we
> @@ -7014,6 +7017,7 @@ static const struct bpf_reg_types mem_types = {
> PTR_TO_MEM,
> PTR_TO_MEM | MEM_RINGBUF,
> PTR_TO_BUF,
> + PTR_TO_BTF_ID | PTR_TRUSTED,
> },
> };
>
> @@ -7145,6 +7149,17 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
> if (base_type(reg->type) != PTR_TO_BTF_ID)
> return 0;
>
> + if (compatible == &mem_types) {
> + if (!(arg_type & MEM_RDONLY)) {
> + verbose(env,
> + "%s() may write into memory pointed by R%d type=%s\n",
> + func_id_name(meta->func_id),
> + regno, reg_type_str(env, reg->type));
> + return -EACCES;
> + }
> + return 0;
> + }
> +
> switch ((int)reg->type) {
> case PTR_TO_BTF_ID:
> case PTR_TO_BTF_ID | PTR_TRUSTED:
> --
> 2.34.1
>
