From: Puranjay Mohan <puranjay12@gmail.com>
To: Ilya Leoshkevich <iii@linux.ibm.com>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
Jean-Philippe Brucker <jean-philippe@linaro.org>,
Network Development <netdev@vger.kernel.org>,
bpf <bpf@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf] bpf: verifier: prevent userspace memory access
Date: Thu, 21 Mar 2024 10:13:06 +0000
Message-ID: <mb61pzfursxjh.fsf@gmail.com>
In-Reply-To: <ed5cozsc7mduzmgbwrlw3lou4tlb6zpivhs2xrqwgpq2rhvkue@l7aifknll4tb>
Ilya Leoshkevich <iii@linux.ibm.com> writes:
> On Wed, Mar 20, 2024 at 11:08:00PM -0700, Alexei Starovoitov wrote:
>> On Wed, Mar 20, 2024 at 3:55 AM Puranjay Mohan <puranjay12@gmail.com> wrote:
>> >
>> > The JITs need to implement bpf_arch_uaddress_limit() to define where
>> > the userspace addresses end for that architecture or TASK_SIZE is taken
>> > as default.
>> >
>> > The implementation is as follows:
>> >
>> >   REG_AX = SRC_REG
>> >   if(offset)
>> >           REG_AX += offset;
>> >   REG_AX >>= 32;
>> >   if (REG_AX <= (uaddress_limit >> 32))
>> >           DST_REG = 0;
>> >   else
>> >           DST_REG = *(size *)(SRC_REG + offset);
>>
>> The patch looks good, but it seems to be causing s390 CI failures.
>>
>> Ilya,
>> could you help us understand whether this check is needed on s390
>> and, if so, what the uaddress_limit should be?
>
> s390x does not define ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
> Userspace and kernel run in completely different and isolated address
> spaces, so it's not possible to determine from a pointer value whether
> it's a user or a kernel pointer.
> But the good news is that whatever you dereference without using
> special instruction sequences will refer to the kernel address space.
> So I wonder if we could somehow disable this check on s390x altogether?
> And if we are not sure whether it's a valid pointer, use BPF_PROBE_MEM
> as always.
Thanks for the details. I understand that s390x doesn't need this extra
check because all normal accesses are in the kernel address space and they
will be marked with BPF_PROBE_MEM by the verifier if the pointer is
untrusted.
I have sent v2 of this patch with this check disabled on s390x:
https://lore.kernel.org/bpf/20240321101058.68530-1-puranjay12@gmail.com/
Thanks,
Puranjay
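
The guard from the quoted commit message, modelled in plain C as an added example (not code from the patch or the kernel): `load_is_performed()` and `EXAMPLE_UADDRESS_LIMIT` are hypothetical names, and the limit and pointer values are constructed. It shows that, because only the upper 32 bits are compared, every address below the next 4 GiB boundary above the limit is treated as userspace, and that the offset is part of the checked address.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for illustration (a 47-bit user address space).
 * Not taken from the thread; each JIT defines its own value. */
#define EXAMPLE_UADDRESS_LIMIT 0x0000800000000000ULL

/* Mirrors the quoted pseudocode. Returns true if the load would be
 * performed, false if DST_REG would be set to 0 instead. */
bool load_is_performed(uint64_t src_reg, int16_t offset, uint64_t uaddress_limit)
{
    uint64_t reg_ax = src_reg;

    if (offset)
        reg_ax += (uint64_t)(int64_t)offset; /* sign-extended, wraps mod 2^64 */
    reg_ax >>= 32;
    return !(reg_ax <= (uaddress_limit >> 32));
}

int main(void)
{
    /* Constructed sample pointers, not values from the thread. */
    static const struct { uint64_t src; int16_t off; const char *what; } cases[] = {
        { 0xffff888000001000ULL,  0, "kernel-range pointer" },
        { 0x00007f0012345678ULL,  0, "userspace pointer" },
        { 0x0000000000000000ULL,  8, "NULL plus field offset" },
        { 0x00008000ffffffffULL,  0, "above limit, same upper 32 bits" },
        { 0x0000800100000000ULL,  0, "first address past the 4 GiB boundary" },
        { 0x0000800100000000ULL, -8, "same base, negative offset" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%#018" PRIx64 " %+d  %-40s -> %s\n",
               cases[i].src, cases[i].off, cases[i].what,
               load_is_performed(cases[i].src, cases[i].off,
                                 EXAMPLE_UADDRESS_LIMIT)
                   ? "load performed" : "DST_REG = 0");
    return 0;
}
```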