From patchwork Wed Jan 17 09:40:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hao Sun X-Patchwork-Id: 188742 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:42cf:b0:101:a8e8:374 with SMTP id q15csp795351dye; Wed, 17 Jan 2024 01:41:04 -0800 (PST) X-Google-Smtp-Source: AGHT+IFSmeQ+m2kyhOlWCeYZWwEApB7Tg58NaJaSmPOfvA1EUSz1qt1sRaZnVn5p5ZtBGbD2BswK X-Received: by 2002:a05:6870:c4a:b0:206:62e0:662e with SMTP id lf10-20020a0568700c4a00b0020662e0662emr11605897oab.3.1705484463838; Wed, 17 Jan 2024 01:41:03 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705484463; cv=pass; d=google.com; s=arc-20160816; b=Qwvyx52r6D4RFsnCctoZ6tfiV+gubLBnP5NsNyaPYNIKhCMszIwk/XEDUmfQvk7xVL wFrQ4zlokhf2za+8nuJKhmruaaGGTpewSRBsFElEErxyh74I79t9xZtxwFgdjgro+m/H u/JIKTQM+IjU0n8eIcTgIWG7CBvyUUEGJcH9dVgXLmPc5YhP/Ey2DahhrAnz/rNmMsmm XveKuvr8DWeihkqzszG18SbJlzuvcgVVt19ysapFzYi08+N4fLEmQsME93NDINkGQBse Ri/FTGulbSqrhdBrKu3tNSGQy9cRV8EOyI35zqnre8EF3NcV6Mwv8eQCoaRPHE9jH08i 3dkQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=KuJ0s2JIu9f/6e1MDd/MqOtZxdjhgBwx8nheT4zTYe0=; fh=oxXn5C/2xVtMSxPLzBvlq1fr1umoSR6lPNlWEhrntFw=; b=LHHH43XYEvbbBIZJ0sxLDYj6ZAK2sFBFOXLA51epbJdPiOHlLV7IhSqcv8E4IJKTPt BwUiEqCZqhF1xDXNvSaTdCW2TmtaD1c2GLPIPrZYkBPLaKoJdI4iseWXvxfkgffi5nlB MtrtCwqoCYYEDTzNsGY3r49T8A7HELjtMVIs8hVV2bMuGYa8YSdmiDDTSuKEm04zMeCH Daeybc1AdWWnS8UV2WotccSyOnXM5eI2YMZ6LaGETVEPwt3ur8sRwbY7Ey+0HOd3bape U7kfeQDPhmcMno19EA/50mAbW0DErucg3H4x86si9j9NbFW+3GhgQk2UYQ4RlfI9Varf TD8Q== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cAThuiOm; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-28741-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-28741-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id 14-20020a63174e000000b005cf994cc8b9si171898pgx.298.2024.01.17.01.41.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jan 2024 01:41:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-28741-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cAThuiOm; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-28741-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-28741-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 75CADB20FB4 for ; Wed, 17 Jan 2024 09:40:56 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9C8DD1427A; Wed, 17 Jan 2024 09:40:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="cAThuiOm" Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3725714264; Wed, 17 Jan 2024 09:40:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705484436; cv=none; b=qkxNL5B4pVZeWnF7WrJg76HGOL5PXnadQUsQScxPT4EkLhJ9+rNfBmSdjRxc16fv5vEAU9N1D0ZCdoLROPHoeFkj7GsP+rWfGnhpYeft91SV/jDpZA8BUuGRl0s81AI4cYBeLd2A0w8jzW0XAjWZCz0RHRXOqXC26ByT8CxtQgQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705484436; c=relaxed/simple; bh=2GsEiOJR8LLt3uVHvWmT0d7TQeor78cxlhGybVEomHQ=; h=Received:DKIM-Signature:X-Google-DKIM-Signature: X-Gm-Message-State:X-Google-Smtp-Source:X-Received:Received:From: To:Cc:Subject:Date:Message-ID:X-Mailer:MIME-Version: Content-Transfer-Encoding; b=TvaqvvguWEHr1vDRhF4JL7ap1kSTZUsYexJluRhq7vBfSrvb7WSxtmbDrJfAqZfzcJfJ3942QVUIK36Kwx2x6HJ/iY0jSr/+Qrxq5ScPWLMdw+CgZdEJKoQB7HZMjkodDhotbTsmWzgzBeSdK4x6Zb5PepPQE8SVUirGWDHwwbI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=cAThuiOm; arc=none smtp.client-ip=209.85.128.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-40e60e137aaso59058145e9.0; Wed, 17 Jan 2024 01:40:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705484433; x=1706089233; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=KuJ0s2JIu9f/6e1MDd/MqOtZxdjhgBwx8nheT4zTYe0=; b=cAThuiOmhqIUzbKyh5S0lHhBg9BuMe7WhQI/lTGwwM1J+d+J97+wrTqcspp3wHi++O MfUrRr2FRt+rk9rQWSvSu8WbzYDFZ2IGfMy1SYjyDmGASaIWIS7F8I2G66tuhUPY9lQO X1cJWZe4AFlK5a0yw5oO8El2F0F4Qtej+jWneVN/VwjM6P3eb7EHGprLkVb8RyHmTJsp u/G4rQuwwVD5DD2d9+hTKC3XQ6PYWDom7ZZJr4TymwhY94J5p3biWnBUs7+d+SSynN2d OLcqllJzXpiF/mwfNq6Dn0/Mn94ynMksZeesqdqz4g2IWuI2ORieuN2Op7KjADRF897M FggA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705484433; x=1706089233; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KuJ0s2JIu9f/6e1MDd/MqOtZxdjhgBwx8nheT4zTYe0=; b=PVmHTgTcwrEaomhN81iJkKB9aT/J2vh1FBxfXi7ALMJGoBiQhekbku/Hes0dxGtlS9 ZOUcfvFqkxpmU5FI0p339WfBFCIMu5NavEDA6NucbhAeQx8XQNLtX0gCHrKfeJSjIj3Y JxbxbAx1UnSogWT+II3JcL00sFY3pIfq2U55sU2PmTzsTaP7zgcPT5YvG9j6DVk5KBFs DFoK0vUeRqgGr35k7aem9l71vBbQSID2i55GqSSIKutG8swWQ/l1jIe3v21CKScVF9Sn 5m4I5DmLmU8lDhWQ0eEOQcf+n/NuLFFVByrFD9SaXLQYxf62RGfVu0wBkL6aNxHppDUo o75g== X-Gm-Message-State: AOJu0Ywa3pd3QMt3O23mhLtKgEbuyzfdZU2ZxYcNM+PRMIahmtbVfqAq KGaAZn1l1ZpqPVgk+IPLe4D+xHr3rA== X-Received: by 2002:a05:600c:310d:b0:40c:2c40:8c with SMTP id g13-20020a05600c310d00b0040c2c40008cmr4689239wmo.154.1705484432682; Wed, 17 Jan 2024 01:40:32 -0800 (PST) Received: from staff-net-cx-3510.intern.ethz.ch (2001-67c-10ec-5784-8000--16b.net6.ethz.ch. [2001:67c:10ec:5784:8000::16b]) by smtp.gmail.com with ESMTPSA id p21-20020a05600c359500b0040e3488f16dsm21684766wmq.12.2024.01.17.01.40.31 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Wed, 17 Jan 2024 01:40:32 -0800 (PST) From: Hao Sun To: bpf@vger.kernel.org Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, eddyz87@gmail.com, linux-kernel@vger.kernel.org, Hao Sun Subject: [PATCH] bpf: Refactor ptr alu checking rules to allow alu explicitly Date: Wed, 17 Jan 2024 10:40:12 +0100 Message-ID: <20240117094012.36798-1-sunhao.th@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1788330077427940676 X-GMAIL-MSGID: 1788330077427940676 Current checking rules are structured to disallow alu on particular ptr types explicitly, so default cases are allowed implicitly. This may lead to newly added ptr types being allowed unexpectedly. So restruture it to allow alu explicitly. The tradeoff is mainly a bit more cases added in the switch. The following table from Eduard summarizes the rules: | Pointer type | Arithmetics allowed | |---------------------+---------------------| | PTR_TO_CTX | yes | | CONST_PTR_TO_MAP | conditionally | | PTR_TO_MAP_VALUE | yes | | PTR_TO_MAP_KEY | yes | | PTR_TO_STACK | yes | | PTR_TO_PACKET_META | yes | | PTR_TO_PACKET | yes | | PTR_TO_PACKET_END | no | | PTR_TO_FLOW_KEYS | conditionally | | PTR_TO_SOCKET | no | | PTR_TO_SOCK_COMMON | no | | PTR_TO_TCP_SOCK | no | | PTR_TO_TP_BUFFER | yes | | PTR_TO_XDP_SOCK | no | | PTR_TO_BTF_ID | yes | | PTR_TO_MEM | yes | | PTR_TO_BUF | yes | | PTR_TO_FUNC | yes | | CONST_PTR_TO_DYNPTR | yes | The refactored rules are equivalent to the original one. Note that PTR_TO_FUNC and CONST_PTR_TO_DYNPTR are not reject here because: (1) check_mem_access() rejects load/store on those ptrs, and those ptrs with offset passing to calls are rejected check_func_arg_reg_off(); (2) someone may rely on the verifier not rejecting programs earily. Signed-off-by: Hao Sun Acked-by: Eduard Zingerman --- kernel/bpf/verifier.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 65f598694d55..861d8d824bb8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12826,6 +12826,19 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } switch (base_type(ptr_reg->type)) { + case PTR_TO_CTX: + case PTR_TO_MAP_VALUE: + case PTR_TO_MAP_KEY: + case PTR_TO_STACK: + case PTR_TO_PACKET_META: + case PTR_TO_PACKET: + case PTR_TO_TP_BUFFER: + case PTR_TO_BTF_ID: + case PTR_TO_MEM: + case PTR_TO_BUF: + case PTR_TO_FUNC: + case CONST_PTR_TO_DYNPTR: + break; case PTR_TO_FLOW_KEYS: if (known) break; @@ -12835,16 +12848,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, if (known && smin_val == 0 && opcode == BPF_ADD) break; fallthrough; - case PTR_TO_PACKET_END: - case PTR_TO_SOCKET: - case PTR_TO_SOCK_COMMON: - case PTR_TO_TCP_SOCK: - case PTR_TO_XDP_SOCK: + default: verbose(env, "R%d pointer arithmetic on %s prohibited\n", dst, reg_type_str(env, ptr_reg->type)); return -EACCES; - default: - break; } /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.