From: Kees Cook <keescook@chromium.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: Mark Rutland <mark.rutland@arm.com>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Mykola Lysenko <mykolal@fb.com>,
Shuah Khan <shuah@kernel.org>, Haowen Bai <baihaowen@meizu.com>,
bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
Yonghong Song <yonghong.song@linux.dev>,
Jonathan Corbet <corbet@lwn.net>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Jesper Dangaard Brouer <hawk@kernel.org>,
Joanne Koong <joannelkoong@gmail.com>,
Yafang Shao <laoar.shao@gmail.com>,
Kui-Feng Lee <kuifeng@meta.com>,
Anton Protopopov <aspsk@isovalent.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
netdev@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v4] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
Date: Wed, 21 Feb 2024 13:38:40 -0800 [thread overview]
Message-ID: <202402211317.4D3DEDCA2@keescook> (raw)
In-Reply-To: <da75b2bf-0d14-6ed5-91c2-dfeba9ad55c4@iogearbox.net>
On Wed, Feb 21, 2024 at 05:39:55PM +0100, Daniel Borkmann wrote:
> On 2/20/24 7:54 PM, Kees Cook wrote:
> > Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> > flexible array. Found with GCC 13:
> >
> > ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> > 207 | *(__be16 *)&key->data[i]);
> > | ^~~~~~~~~~~~~
> > ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> > 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> > | ^
> > ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> > 97 | #define be16_to_cpu __be16_to_cpu
> > | ^~~~~~~~~~~~~
> > ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> > 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> > ^
> > | ^~~~~~~~~~~
> > In file included from ../include/linux/bpf.h:7:
> > ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> > 82 | __u8 data[0]; /* Arbitrary size */
> > | ^~~~
> >
> > And found at run-time under CONFIG_FORTIFY_SOURCE:
> >
> > UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
> > index 0 is out of range for type '__u8 [*]'
> >
> > Changing struct bpf_lpm_trie_key is difficult since has been used by
> > userspace. For example, in Cilium:
> >
> > struct egress_gw_policy_key {
> > struct bpf_lpm_trie_key lpm_key;
> > __u32 saddr;
> > __u32 daddr;
> > };
> >
> > While direct references to the "data" member haven't been found, there
> > are static initializers what include the final member. For example,
> > the "{}" here:
> >
> > struct egress_gw_policy_key in_key = {
> > .lpm_key = { 32 + 24, {} },
> > .saddr = CLIENT_IP,
> > .daddr = EXTERNAL_SVC_IP & 0Xffffff,
> > };
> >
> > To avoid the build time and run time warnings seen with a 0-sized
> > trailing array for struct bpf_lpm_trie_key, introduce a new struct
> > that correctly uses a flexible array for the trailing bytes,
> > struct bpf_lpm_trie_key_u8. As part of this, include the "header"
> > portion (which is just the "prefixlen" member), so it can be used
> > by anything building a bpf_lpr_trie_key that has trailing members that
> > aren't a u8 flexible array (like the self-test[1]), which is named
> > struct bpf_lpm_trie_key_hdr.
> >
> > Adjust the kernel code to use struct bpf_lpm_trie_key_u8 through-out,
> > and for the selftest to use struct bpf_lpm_trie_key_hdr. Add a comment
> > to the UAPI header directing folks to the two new options.
> >
> > Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
> > Reported-by: Mark Rutland <mark.rutland@arm.com>
> > Closes: https://paste.debian.net/hidden/ca500597/
> > Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> [...]
>
> The build in BPF CI is still broken, did you try to build selftests?
I did! I didn't have this error. :(
> https://github.com/kernel-patches/bpf/actions/runs/7978647641
Thanks for the pointer. It took a bit of digging, but I found this:
https://github.com/libbpf/ci/blob/main/build-selftests/build_selftests.sh
which is much more involved than just "make -C tools/testing/selftests/bpf"
>
> [...]
> GEN-SKEL [test_progs] linked_funcs.skel.h
> LINK-BPF [test_progs] test_usdt.bpf.o
> GEN-SKEL [test_progs-no_alu32] profiler1.skel.h
> GEN-SKEL [test_progs] test_usdt.skel.h
> In file included from /tmp/work/bpf/bpf/tools/include/uapi/linux/bpf.h:11,
> from test_cpp.cpp:4:
> /tmp/work/bpf/bpf/tools/include/uapi/linux/bpf.h:92:17: error: ‘struct bpf_lpm_trie_key_u8::<unnamed union>::bpf_lpm_trie_key_hdr’ invalid; an anonymous union may only have public non-static data members [-fpermissive]
> 92 | __struct_group(bpf_lpm_trie_key_hdr, hdr, /* no attrs */,
> | ^~~~~~~~~~~~~~~~~~~~
> /tmp/work/bpf/bpf/tools/include/uapi/linux/stddef.h:29:10: note: in definition of macro ‘__struct_group’
> 29 | struct TAG { MEMBERS } ATTRS NAME; \
> | ^~~
I'll see if I can figure out where this is coming from. This sounds like
something is being built with an unexpectedly strict option. (The above
report seems weird -- this isn't coming from -fpermissive, and is
actually an _error_ not a warning, which is the opposite of what
-fpermissive is supposed to do.) Also the mention of "public" is scary
here... that implies a C++ compiler is involved? Maybe that's why my
builds didn't catch this?
> make: *** [Makefile:703: /tmp/work/bpf/bpf/tools/testing/selftests/bpf/test_cpp] Error 1
Ah yes, cpp. Fun. I will try to reproduce this failure.
--
Kees Cook
next prev parent reply other threads:[~2024-02-21 21:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-20 18:54 [PATCH v4] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Kees Cook
2024-02-21 16:39 ` Daniel Borkmann
2024-02-21 21:38 ` Kees Cook [this message]
2024-02-21 22:01 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202402211317.4D3DEDCA2@keescook \
--to=keescook@chromium.org \
--cc=andrii@kernel.org \
--cc=aspsk@isovalent.com \
--cc=ast@kernel.org \
--cc=baihaowen@meizu.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=gustavoars@kernel.org \
--cc=haoluo@google.com \
--cc=hawk@kernel.org \
--cc=joannelkoong@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=kuifeng@meta.com \
--cc=laoar.shao@gmail.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=martin.lau@linux.dev \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=sdf@google.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yhs@fb.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.