From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
bpf@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Frank van der Linden <fllinden@amazon.com>
Subject: [PATCH 5.4 4/8] bpf: Improve verifier error messages for users
Date: Fri, 30 Apr 2021 16:20:18 +0200 [thread overview]
Message-ID: <20210430141911.295796543@linuxfoundation.org> (raw)
In-Reply-To: <20210430141911.137473863@linuxfoundation.org>
From: Daniel Borkmann <daniel@iogearbox.net>
commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream.
Consolidate all error handling and provide more user-friendly error messages
from sanitize_ptr_alu() and sanitize_val_alu().
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[fllinden@amazon.com: backport to 5.4]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 84 ++++++++++++++++++++++++++++++++++++--------------
1 file changed, 62 insertions(+), 22 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4263,6 +4263,14 @@ static struct bpf_insn_aux_data *cur_aux
return &env->insn_aux_data[env->insn_idx];
}
+enum {
+ REASON_BOUNDS = -1,
+ REASON_TYPE = -2,
+ REASON_PATHS = -3,
+ REASON_LIMIT = -4,
+ REASON_STACK = -5,
+};
+
static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
const struct bpf_reg_state *off_reg,
u32 *alu_limit, u8 opcode)
@@ -4274,7 +4282,7 @@ static int retrieve_ptr_limit(const stru
if (!tnum_is_const(off_reg->var_off) &&
(off_reg->smin_value < 0) != (off_reg->smax_value < 0))
- return -EACCES;
+ return REASON_BOUNDS;
switch (ptr_reg->type) {
case PTR_TO_STACK:
@@ -4301,11 +4309,11 @@ static int retrieve_ptr_limit(const stru
}
break;
default:
- return -EINVAL;
+ return REASON_TYPE;
}
if (ptr_limit >= max)
- return -ERANGE;
+ return REASON_LIMIT;
*alu_limit = ptr_limit;
return 0;
}
@@ -4325,7 +4333,7 @@ static int update_alu_sanitation_state(s
if (aux->alu_state &&
(aux->alu_state != alu_state ||
aux->alu_limit != alu_limit))
- return -EACCES;
+ return REASON_PATHS;
/* Corresponding fixup done in fixup_bpf_calls(). */
aux->alu_state = alu_state;
@@ -4398,7 +4406,46 @@ do_sim:
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
if (!ptr_is_dst_reg && ret)
*dst_reg = tmp;
- return !ret ? -EFAULT : 0;
+ return !ret ? REASON_STACK : 0;
+}
+
+static int sanitize_err(struct bpf_verifier_env *env,
+ const struct bpf_insn *insn, int reason,
+ const struct bpf_reg_state *off_reg,
+ const struct bpf_reg_state *dst_reg)
+{
+ static const char *err = "pointer arithmetic with it prohibited for !root";
+ const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub";
+ u32 dst = insn->dst_reg, src = insn->src_reg;
+
+ switch (reason) {
+ case REASON_BOUNDS:
+ verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n",
+ off_reg == dst_reg ? dst : src, err);
+ break;
+ case REASON_TYPE:
+ verbose(env, "R%d has pointer with unsupported alu operation, %s\n",
+ off_reg == dst_reg ? src : dst, err);
+ break;
+ case REASON_PATHS:
+ verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n",
+ dst, op, err);
+ break;
+ case REASON_LIMIT:
+ verbose(env, "R%d tried to %s beyond pointer bounds, %s\n",
+ dst, op, err);
+ break;
+ case REASON_STACK:
+ verbose(env, "R%d could not be pushed for speculative verification, %s\n",
+ dst, err);
+ break;
+ default:
+ verbose(env, "verifier internal error: unknown reason (%d)\n",
+ reason);
+ break;
+ }
+
+ return -EACCES;
}
/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
@@ -4480,10 +4527,9 @@ static int adjust_ptr_min_max_vals(struc
switch (opcode) {
case BPF_ADD:
ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
- if (ret < 0) {
- verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, off_reg, dst_reg);
+
/* We can take a fixed offset as long as it doesn't overflow
* the s32 'off' field
*/
@@ -4535,10 +4581,9 @@ static int adjust_ptr_min_max_vals(struc
break;
case BPF_SUB:
ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
- if (ret < 0) {
- verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, off_reg, dst_reg);
+
if (dst_reg == off_reg) {
/* scalar -= pointer. Creates an unknown scalar */
verbose(env, "R%d tried to subtract pointer from scalar\n",
@@ -4655,7 +4700,6 @@ static int adjust_scalar_min_max_vals(st
s64 smin_val, smax_val;
u64 umin_val, umax_val;
u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
- u32 dst = insn->dst_reg;
int ret;
if (insn_bitness == 32) {
@@ -4692,10 +4736,8 @@ static int adjust_scalar_min_max_vals(st
switch (opcode) {
case BPF_ADD:
ret = sanitize_val_alu(env, insn);
- if (ret < 0) {
- verbose(env, "R%d tried to add from different pointers or scalars\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
signed_add_overflows(dst_reg->smax_value, smax_val)) {
dst_reg->smin_value = S64_MIN;
@@ -4716,10 +4758,8 @@ static int adjust_scalar_min_max_vals(st
break;
case BPF_SUB:
ret = sanitize_val_alu(env, insn);
- if (ret < 0) {
- verbose(env, "R%d tried to sub from different pointers or scalars\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
signed_sub_overflows(dst_reg->smax_value, smin_val)) {
/* Overflow possible, we know nothing */
next prev parent reply other threads:[~2021-04-30 14:20 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-30 14:20 [PATCH 5.4 0/8] 5.4.116-rc1 review Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 1/8] bpf: Move off_reg into sanitize_ptr_alu Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 2/8] bpf: Ensure off_reg has no mixed signed bounds for all types Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 3/8] bpf: Rework ptr_limit into alu_limit and add common error path Greg Kroah-Hartman
2021-04-30 14:20 ` Greg Kroah-Hartman [this message]
2021-04-30 14:20 ` [PATCH 5.4 5/8] bpf: Refactor and streamline bounds check into helper Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 6/8] bpf: Move sanitize_val_alu out of op switch Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 7/8] bpf: Tighten speculative pointer arithmetic mask Greg Kroah-Hartman
2021-04-30 14:20 ` [PATCH 5.4 8/8] bpf: Update selftests to reflect new error states Greg Kroah-Hartman
2021-04-30 18:11 ` [PATCH 5.4 0/8] 5.4.116-rc1 review Jon Hunter
2021-04-30 22:36 ` Sudip Mukherjee
2021-04-30 23:34 ` Florian Fainelli
2021-05-01 8:04 ` Naresh Kamboju
2021-05-01 13:13 ` Guenter Roeck
-- strict thread matches above, loose matches on Subject: below --
2021-04-29 22:08 [PATCH 5.4 0/8] BPF backports for CVE-2021-29155 Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 4/8] bpf: Improve verifier error messages for users Frank van der Linden
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210430141911.295796543@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=fllinden@amazon.com \
--cc=john.fastabend@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.