Re: [PATCH 1/3] bpf: Add BPF_F_VERIFY_ELEM to require signature verification on map values

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Roberto,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on bpf-next/master]
[also build test WARNING on bpf/master horms-ipvs/master net/master net-next/master v5.18 next-20220525]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/intel-lab-lkp/linux/commits/Roberto-Sassu/bpf-Add-support-for-maps-with-authenticated-values/20220525-212552
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
config: x86_64-rhel-8.3-kselftests (https://download.01.org/0day-ci/archive/20220526/202205260606.VXzztn2R-lkp@xxxxxxxxx/config)
compiler: gcc-11 (Debian 11.3.0-1) 11.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.4-14-g5a0004b5-dirty
        # https://github.com/intel-lab-lkp/linux/commit/196e68e5ddfa50f40efaf20c8df37f3420e38b72
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Roberto-Sassu/bpf-Add-support-for-maps-with-authenticated-values/20220525-212552
        git checkout 196e68e5ddfa50f40efaf20c8df37f3420e38b72
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=x86_64 SHELL=/bin/bash kernel/bpf/

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@xxxxxxxxx>


sparse warnings: (new ones prefixed by >>)
   kernel/bpf/syscall.c:590:25: sparse: sparse: Using plain integer as NULL pointer
>> kernel/bpf/syscall.c:1386:19: sparse: sparse: cast to restricted __be32
   kernel/bpf/syscall.c: note: in included file (through include/linux/bpf.h):
   include/linux/bpfptr.h:52:47: sparse: sparse: cast to non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast from non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast to non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast from non-scalar
   include/linux/bpfptr.h:81:43: sparse: sparse: cast to non-scalar
   include/linux/bpfptr.h:81:43: sparse: sparse: cast from non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast to non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast from non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast to non-scalar
   include/linux/bpfptr.h:52:47: sparse: sparse: cast from non-scalar

vim +1386 kernel/bpf/syscall.c

  1369	
  1370	int bpf_map_verify_value_sig(const void *mod, size_t modlen, bool verify)
  1371	{
  1372		const size_t marker_len = strlen(MODULE_SIG_STRING);
  1373		struct module_signature ms;
  1374		size_t sig_len;
  1375		u32 _modlen;
  1376		int ret;
  1377	
  1378		/*
  1379		 * Format of mod:
  1380		 *
  1381		 * verified data+sig size (be32), verified data, sig, unverified data
  1382		 */
  1383		if (modlen <= sizeof(u32))
  1384			return -ENOENT;
  1385	
> 1386		_modlen = be32_to_cpu(*(u32 *)(mod));
  1387	
  1388		if (_modlen > modlen - sizeof(u32))
  1389			return -EINVAL;
  1390	
  1391		modlen = _modlen;
  1392		mod += sizeof(u32);
  1393	
  1394		if (modlen <= marker_len)
  1395			return -ENOENT;
  1396	
  1397		if (memcmp(mod + modlen - marker_len, MODULE_SIG_STRING, marker_len))
  1398			return -ENOENT;
  1399	
  1400		modlen -= marker_len;
  1401	
  1402		if (modlen <= sizeof(ms))
  1403			return -EBADMSG;
  1404	
  1405		memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
  1406	
  1407		ret = mod_check_sig(&ms, modlen, "bpf_map_value");
  1408		if (ret)
  1409			return ret;
  1410	
  1411		sig_len = be32_to_cpu(ms.sig_len);
  1412		modlen -= sig_len + sizeof(ms);
  1413	
  1414		if (verify) {
  1415			ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
  1416						     VERIFY_USE_SECONDARY_KEYRING,
  1417						     VERIFYING_UNSPECIFIED_SIGNATURE,
  1418						     NULL, NULL);
  1419			if (ret < 0)
  1420				return ret;
  1421		}
  1422	
  1423		return modlen;
  1424	}
  1425	EXPORT_SYMBOL_GPL(bpf_map_verify_value_sig);
  1426	

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux