From: Stanislav Fomichev <sdf@google.com>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yhs@fb.com, kpsingh@kernel.org, haoluo@google.com,
jolsa@kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/3] bpf: Introduce BTF_TYPE_SAFE_TRUSTED_UNION
Date: Mon, 10 Jul 2023 09:59:53 -0700 [thread overview]
Message-ID: <ZKw5CdD/TMnPHFQC@google.com> (raw)
In-Reply-To: <20230709025912.3837-2-laoar.shao@gmail.com>
On 07/09, Yafang Shao wrote:
> When we are verifying a field in a union, we may unexpectedly verify
> another field which has the same offset in this union. So in such case,
> we should annotate that field as PTR_UNTRUSTED. However, in some cases
> we are sure some fields in a union is safe and then we can add them into
> BTF_TYPE_SAFE_TRUSTED_UNION allow list.
>
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> ---
> kernel/bpf/btf.c | 20 +++++++++-----------
> kernel/bpf/verifier.c | 21 +++++++++++++++++++++
> 2 files changed, 30 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 3dd47451f097..fae6fc24a845 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6133,7 +6133,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> const char *tname, *mname, *tag_value;
> u32 vlen, elem_id, mid;
>
> - *flag = 0;
> again:
> if (btf_type_is_modifier(t))
> t = btf_type_skip_modifiers(btf, t->type, NULL);
> @@ -6144,6 +6143,14 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> }
>
> vlen = btf_type_vlen(t);
> + if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1 && !(*flag & PTR_UNTRUSTED))
> + /*
> + * walking unions yields untrusted pointers
> + * with exception of __bpf_md_ptr and other
> + * unions with a single member
> + */
> + *flag |= PTR_UNTRUSTED;
> +
> if (off + size > t->size) {
> /* If the last element is a variable size array, we may
> * need to relax the rule.
> @@ -6304,15 +6311,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
> * of this field or inside of this struct
> */
> if (btf_type_is_struct(mtype)) {
> - if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
> - btf_type_vlen(mtype) != 1)
> - /*
> - * walking unions yields untrusted pointers
> - * with exception of __bpf_md_ptr and other
> - * unions with a single member
> - */
> - *flag |= PTR_UNTRUSTED;
> -
> /* our field must be inside that union or struct */
> t = mtype;
>
> @@ -6478,7 +6476,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
> bool strict)
> {
> const struct btf_type *type;
> - enum bpf_type_flag flag;
> + enum bpf_type_flag flag = 0;
> int err;
>
> /* Are we already done? */
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 11e54dd8b6dd..1fb0a64f5bce 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -5847,6 +5847,7 @@ static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val)
> #define BTF_TYPE_SAFE_RCU(__type) __PASTE(__type, __safe_rcu)
> #define BTF_TYPE_SAFE_RCU_OR_NULL(__type) __PASTE(__type, __safe_rcu_or_null)
> #define BTF_TYPE_SAFE_TRUSTED(__type) __PASTE(__type, __safe_trusted)
> +#define BTF_TYPE_SAFE_TRUSTED_UNION(__type) __PASTE(__type, __safe_trusted_union)
>
> /*
> * Allow list few fields as RCU trusted or full trusted.
> @@ -5914,6 +5915,11 @@ BTF_TYPE_SAFE_TRUSTED(struct socket) {
> struct sock *sk;
> };
>
[..]
> +/* union trusted: these fields are trusted even in a uion */
> +BTF_TYPE_SAFE_TRUSTED_UNION(struct sk_buff) {
> + struct sock *sk;
> +};
Does it say that sk member of sk_buff is always dereferencable?
Why is it universally safe?
In general, I don't really understand why it's safe to statically
mark the members this way. Shouldn't it depend on the context?
next prev parent reply other threads:[~2023-07-10 16:59 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-09 2:59 [PATCH bpf-next 0/3] bpf: Introduce union trusted Yafang Shao
2023-07-09 2:59 ` [PATCH bpf-next 1/3] bpf: Introduce BTF_TYPE_SAFE_TRUSTED_UNION Yafang Shao
2023-07-10 16:59 ` Stanislav Fomichev [this message]
2023-07-11 14:20 ` Yafang Shao
2023-07-11 2:55 ` Alexei Starovoitov
2023-07-11 14:21 ` Yafang Shao
2023-07-09 2:59 ` [PATCH bpf-next 2/3] selftests/bpf: Add selftests for BTF_TYPE_SAFE_TRUSTED_UNION Yafang Shao
2023-07-09 2:59 ` [PATCH bpf-next 3/3] bpf: Fix an error in verifying a field in a union Yafang Shao
2023-07-11 2:56 ` Alexei Starovoitov
2023-07-11 14:22 ` Yafang Shao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZKw5CdD/TMnPHFQC@google.com \
--to=sdf@google.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=laoar.shao@gmail.com \
--cc=martin.lau@linux.dev \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.