Re: [PATCH HID v2 15/16] HID: bpf: rework hid_bpf_ops_btf_struct_access

Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> · Fri, 7 Jun 2024 09:57:20 -0700

On Fri, Jun 7, 2024 at 8:29 AM Benjamin Tissoires <bentiss@xxxxxxxxxx> wrote:
>
> The idea is to provide a list of stucts and their editable fields.
>
> Currently no functional changes are introduced here, we will add some
> more writeable fields in the next patch.
>
> Signed-off-by: Benjamin Tissoires <bentiss@xxxxxxxxxx>
>
> ---
>
> new in v2
> ---
>  drivers/hid/bpf/hid_bpf_struct_ops.c | 91 +++++++++++++++++++++++++++---------
>  1 file changed, 69 insertions(+), 22 deletions(-)
>
> diff --git a/drivers/hid/bpf/hid_bpf_struct_ops.c b/drivers/hid/bpf/hid_bpf_struct_ops.c
> index 056d05d96962..944e6d91a36b 100644
> --- a/drivers/hid/bpf/hid_bpf_struct_ops.c
> +++ b/drivers/hid/bpf/hid_bpf_struct_ops.c
> @@ -16,6 +16,7 @@
>  #include <linux/hid_bpf.h>
>  #include <linux/init.h>
>  #include <linux/module.h>
> +#include <linux/stddef.h>
>  #include <linux/workqueue.h>
>  #include "hid_bpf_dispatch.h"
>
> @@ -52,40 +53,86 @@ static int hid_bpf_ops_check_member(const struct btf_type *t,
>         return 0;
>  }
>
> +struct hid_bpf_offset_write_range {
> +       const char *struct_name;
> +       u32 struct_length;
> +       u32 start;
> +       u32 end;
> +};
> +
>  static int hid_bpf_ops_btf_struct_access(struct bpf_verifier_log *log,
>                                            const struct bpf_reg_state *reg,
>                                            int off, int size)
>  {
> -       const struct btf_type *state;
> -       const struct btf_type *t;
> -       s32 type_id;
> +#define WRITE_RANGE(_name, _field, _start_offset, _end_offset)                 \
> +       {                                                                       \
> +               .struct_name = #_name,                                          \
> +               .struct_length = sizeof(struct _name),                          \
> +               .start = offsetof(struct _name, _field) + _start_offset,        \
> +               .end = offsetofend(struct _name, _field) + _end_offset,         \
> +       }

reading comment /* minus 1 to ensure \0 at the end */
in the next patch...
I don't see this logic below.
In general the manual byte offset adjustment
looks like a footgun. Maybe add a flag for \0 and avoid
messing with offsets?

>
> -       type_id = btf_find_by_name_kind(reg->btf, "hid_bpf_ctx",
> -                                       BTF_KIND_STRUCT);
> -       if (type_id < 0)
> -               return -EINVAL;
> +       const struct hid_bpf_offset_write_range write_ranges[] = {
> +               WRITE_RANGE(hid_bpf_ctx, retval, 0, 0),
> +       };
> +#undef WRITE_RANGE
> +       const struct btf_type *state = NULL;
> +       const struct btf_type *t;
> +       const char *cur = NULL;
> +       int i;
>
>         t = btf_type_by_id(reg->btf, reg->btf_id);
> -       state = btf_type_by_id(reg->btf, type_id);
> -       if (t != state) {
> -               bpf_log(log, "only access to hid_bpf_ctx is supported\n");
> -               return -EACCES;
> -       }
>
> -       /* out-of-bound access in hid_bpf_ctx */
> -       if (off + size > sizeof(struct hid_bpf_ctx)) {
> -               bpf_log(log, "write access at off %d with size %d\n", off, size);
> -               return -EACCES;
> +       for (i = 0; i < ARRAY_SIZE(write_ranges); i++) {
> +               const struct hid_bpf_offset_write_range *write_range = &write_ranges[i];
> +               s32 type_id;
> +
> +               /* we already found a writeable struct, but there is a
> +                * new one, let's break the loop.
> +                */
> +               if (t == state && write_range->struct_name != cur)
> +                       break;
> +
> +               /* new struct to look for */
> +               if (write_range->struct_name != cur) {
> +                       type_id = btf_find_by_name_kind(reg->btf, write_range->struct_name,
> +                                                       BTF_KIND_STRUCT);
> +                       if (type_id < 0)
> +                               return -EINVAL;
> +
> +                       state = btf_type_by_id(reg->btf, type_id);
> +               }
> +
> +               /* this is not the struct we are looking for */
> +               if (t != state) {
> +                       cur = write_range->struct_name;
> +                       continue;
> +               }
> +
> +               /* first time we see this struct, check for out of bounds */
> +               if (cur != write_range->struct_name &&
> +                   off + size > write_range->struct_length) {
> +                       bpf_log(log, "write access for struct %s at off %d with size %d\n",
> +                               write_range->struct_name, off, size);
> +                       return -EACCES;
> +               }
> +
> +               /* now check if we are in our boundaries */
> +               if (off >= write_range->start && off + size <= write_range->end)
> +                       return NOT_INIT;
> +
> +               cur = write_range->struct_name;
>         }
>
> -       if (off < offsetof(struct hid_bpf_ctx, retval)) {
> +
> +       if (t != state)
> +               bpf_log(log, "write access to this struct is not supported\n");
> +       else
>                 bpf_log(log,
> -                       "write access at off %d with size %d on read-only part of hid_bpf_ctx\n",
> -                       off, size);
> -               return -EACCES;
> -       }
> +                       "write access at off %d with size %d on read-only part of %s\n",
> +                       off, size, cur);
>
> -       return NOT_INIT;
> +       return -EACCES;
>  }
>
>  static const struct bpf_verifier_ops hid_bpf_verifier_ops = {
>
> --
> 2.44.0
>