From: Jiri Olsa <jolsa@kernel.org>
To: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
Martin KaFai Lau <kafai@fb.com>, David Miller <davem@redhat.com>,
John Fastabend <john.fastabend@gmail.com>,
Wenbo Zhang <ethercflow@gmail.com>,
KP Singh <kpsingh@chromium.org>, Andrii Nakryiko <andriin@fb.com>,
Brendan Gregg <bgregg@netflix.com>,
Florent Revest <revest@chromium.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 07/11] bpf: Allow nested BTF object to be refferenced by BTF object + offset
Date: Tue, 16 Jun 2020 12:05:08 +0200 [thread overview]
Message-ID: <20200616100512.2168860-8-jolsa@kernel.org> (raw)
In-Reply-To: <20200616100512.2168860-1-jolsa@kernel.org>
Adding btf_struct_address function that takes 2 BTF objects
and offset as arguments and checks whether object A is nested
in object B on given offset.
This function is be used when checking the helper function
PTR_TO_BTF_ID arguments. If the argument has an offset value,
the btf_struct_address will check if the final address is
the expected BTF ID.
This way we can access nested BTF objects under PTR_TO_BTF_ID
pointer type and pass them to helpers, while they still point
to valid kernel BTF objects.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
include/linux/bpf.h | 3 +++
kernel/bpf/btf.c | 63 ++++++++++++++++++++++++++++++++++++++-----
kernel/bpf/verifier.c | 32 ++++++++++++++--------
3 files changed, 81 insertions(+), 17 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index b7d3b5f3dc09..e98c113a5d27 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1283,6 +1283,9 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
int btf_struct_access(struct bpf_verifier_log *log,
const struct btf_type *t, int off, int size,
u32 *next_btf_id);
+int btf_struct_address(struct bpf_verifier_log *log,
+ const struct btf_type *t,
+ u32 off, u32 id);
int btf_resolve_helper_id(struct bpf_verifier_log *log,
const struct bpf_func_proto *fn, int);
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 304369a4c2e2..6924180a19c4 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3829,9 +3829,22 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
return true;
}
-int btf_struct_access(struct bpf_verifier_log *log,
- const struct btf_type *t, int off, int size,
- u32 *next_btf_id)
+enum access_op {
+ ACCESS_NEXT,
+ ACCESS_EXPECT,
+};
+
+struct access_data {
+ enum access_op op;
+ union {
+ u32 *next_btf_id;
+ const struct btf_type *exp_type;
+ };
+};
+
+static int struct_access(struct bpf_verifier_log *log,
+ const struct btf_type *t, int off, int size,
+ struct access_data *data)
{
u32 i, moff, mtrue_end, msize = 0, total_nelems = 0;
const struct btf_type *mtype, *elem_type = NULL;
@@ -3879,8 +3892,7 @@ int btf_struct_access(struct bpf_verifier_log *log,
goto error;
off = (off - moff) % elem_type->size;
- return btf_struct_access(log, elem_type, off, size,
- next_btf_id);
+ return struct_access(log, elem_type, off, size, data);
error:
bpf_log(log, "access beyond struct %s at off %u size %u\n",
@@ -4008,9 +4020,21 @@ int btf_struct_access(struct bpf_verifier_log *log,
/* adjust offset we're looking for */
off -= moff;
+
+ /* We are nexting into another struct,
+ * check if we are crossing expected ID.
+ */
+ if (data->op == ACCESS_EXPECT && !off && t == data->exp_type)
+ return 0;
goto again;
}
+ /* We are interested only in structs for expected ID,
+ * bail out.
+ */
+ if (data->op == ACCESS_EXPECT)
+ return -EINVAL;
+
if (btf_type_is_ptr(mtype)) {
const struct btf_type *stype;
u32 id;
@@ -4024,7 +4048,7 @@ int btf_struct_access(struct bpf_verifier_log *log,
stype = btf_type_skip_modifiers(btf_vmlinux, mtype->type, &id);
if (btf_type_is_struct(stype)) {
- *next_btf_id = id;
+ *data->next_btf_id = id;
return PTR_TO_BTF_ID;
}
}
@@ -4048,6 +4072,33 @@ int btf_struct_access(struct bpf_verifier_log *log,
return -EINVAL;
}
+int btf_struct_access(struct bpf_verifier_log *log,
+ const struct btf_type *t, int off, int size,
+ u32 *next_btf_id)
+{
+ struct access_data data = {
+ .op = ACCESS_NEXT,
+ .next_btf_id = next_btf_id,
+ };
+
+ return struct_access(log, t, off, size, &data);
+}
+
+int btf_struct_address(struct bpf_verifier_log *log,
+ const struct btf_type *t,
+ u32 off, u32 id)
+{
+ struct access_data data = { .op = ACCESS_EXPECT };
+ const struct btf_type *type;
+
+ type = btf_type_by_id(btf_vmlinux, id);
+ if (!type)
+ return -EINVAL;
+
+ data.exp_type = type;
+ return struct_access(log, t, off, 1, &data);
+}
+
int btf_resolve_helper_id(struct bpf_verifier_log *log,
const struct bpf_func_proto *fn, int arg)
{
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b553e4523bd3..bee3da2cd945 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3741,6 +3741,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
{
struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
enum bpf_reg_type expected_type, type = reg->type;
+ const struct btf_type *btf_type;
int err = 0;
if (arg_type == ARG_DONTCARE)
@@ -3820,17 +3821,26 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
expected_type = PTR_TO_BTF_ID;
if (type != expected_type)
goto err_type;
- if (reg->btf_id != meta->btf_id) {
- verbose(env, "Helper has type %s got %s in R%d\n",
- kernel_type_name(meta->btf_id),
- kernel_type_name(reg->btf_id), regno);
-
- return -EACCES;
- }
- if (!tnum_is_const(reg->var_off) || reg->var_off.value || reg->off) {
- verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n",
- regno);
- return -EACCES;
+ if (reg->off) {
+ btf_type = btf_type_by_id(btf_vmlinux, reg->btf_id);
+ if (btf_struct_address(&env->log, btf_type, reg->off, meta->btf_id)) {
+ verbose(env, "Helper has type %s got %s in R%d, off %d\n",
+ kernel_type_name(meta->btf_id),
+ kernel_type_name(reg->btf_id), regno, reg->off);
+ return -EACCES;
+ }
+ } else {
+ if (reg->btf_id != meta->btf_id) {
+ verbose(env, "Helper has type %s got %s in R%d\n",
+ kernel_type_name(meta->btf_id),
+ kernel_type_name(reg->btf_id), regno);
+ return -EACCES;
+ }
+ if (!tnum_is_const(reg->var_off) || reg->var_off.value) {
+ verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n",
+ regno);
+ return -EACCES;
+ }
}
} else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {
if (meta->func_id == BPF_FUNC_spin_lock) {
--
2.25.4
next prev parent reply other threads:[~2020-06-16 10:06 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 10:05 [PATCHv3 0/9] bpf: Add d_path helper Jiri Olsa
2020-06-16 10:05 ` [PATCH 01/11] bpf: Add btfid tool to resolve BTF IDs in ELF object Jiri Olsa
2020-06-19 0:38 ` Andrii Nakryiko
2020-06-19 13:03 ` Jiri Olsa
2020-06-19 18:12 ` Andrii Nakryiko
2020-06-22 8:59 ` Jiri Olsa
2020-06-16 10:05 ` [PATCH 02/11] bpf: Compile btfid tool at kernel compilation start Jiri Olsa
2020-06-18 20:40 ` John Fastabend
2020-06-18 21:17 ` John Fastabend
2020-06-19 13:23 ` Jiri Olsa
2020-06-19 0:40 ` Andrii Nakryiko
2020-06-19 0:47 ` Arnaldo Carvalho de Melo
2020-06-19 2:08 ` Alexei Starovoitov
2020-06-19 3:51 ` Andrii Nakryiko
2020-06-16 10:05 ` [PATCH 03/11] bpf: Add btf_ids object Jiri Olsa
2020-06-19 0:56 ` Andrii Nakryiko
2020-06-19 1:06 ` Andrii Nakryiko
2020-06-19 13:16 ` Jiri Olsa
2020-06-19 13:13 ` Jiri Olsa
2020-06-19 18:15 ` Andrii Nakryiko
2020-06-19 1:02 ` Andrii Nakryiko
2020-06-19 13:05 ` Jiri Olsa
2020-06-16 10:05 ` [PATCH 04/11] bpf: Resolve BTF IDs in vmlinux image Jiri Olsa
2020-06-16 10:05 ` [PATCH 05/11] bpf: Remove btf_id helpers resolving Jiri Olsa
2020-06-19 1:10 ` Andrii Nakryiko
2020-06-19 13:18 ` Jiri Olsa
2020-06-16 10:05 ` [PATCH 06/11] bpf: Do not pass enum bpf_access_type to btf_struct_access Jiri Olsa
2020-06-19 3:58 ` Andrii Nakryiko
2020-06-19 13:23 ` Jiri Olsa
2020-06-16 10:05 ` Jiri Olsa [this message]
2020-06-16 10:05 ` [PATCH 08/11] bpf: Add BTF whitelist support Jiri Olsa
2020-06-19 4:29 ` Andrii Nakryiko
2020-06-19 13:29 ` Jiri Olsa
2020-06-16 10:05 ` [PATCH 09/11] bpf: Add d_path helper Jiri Olsa
2020-06-19 4:35 ` Andrii Nakryiko
2020-06-19 13:31 ` Jiri Olsa
2020-06-19 18:25 ` Andrii Nakryiko
2020-06-22 9:02 ` Jiri Olsa
2020-06-22 19:18 ` Andrii Nakryiko
2020-06-23 10:02 ` Jiri Olsa
2020-06-23 18:58 ` Andrii Nakryiko
2020-06-23 20:14 ` Jiri Olsa
2020-06-23 20:17 ` Andrii Nakryiko
2020-06-16 10:05 ` [PATCH 10/11] selftests/bpf: Add verifier test for " Jiri Olsa
2020-06-19 4:38 ` Andrii Nakryiko
2020-06-19 13:32 ` Jiri Olsa
2020-06-16 10:05 ` [PATCH 11/11] selftests/bpf: Add " Jiri Olsa
2020-06-19 4:44 ` Andrii Nakryiko
2020-06-19 13:34 ` Jiri Olsa
2020-06-18 20:57 ` [PATCHv3 0/9] bpf: Add " John Fastabend
2020-06-19 12:35 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200616100512.2168860-8-jolsa@kernel.org \
--to=jolsa@kernel.org \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bgregg@netflix.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@redhat.com \
--cc=ethercflow@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=netdev@vger.kernel.org \
--cc=revest@chromium.org \
--cc=songliubraving@fb.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.