[PATCHv2 bpf-next 0/2] bpf: Add check for negative uprobe multi offset

[PATCHv2 bpf-next 0/2] bpf: Add check for negative uprobe multi offset

[Jiri Olsa]

hi,
adding the check for negative offset for uprobe multi link.

v2 changes:
- add more failure checks [Alan]
- move the offset retrieval/check up in the loop to be done earlier [Song]

thanks,
jirka

---
Jiri Olsa (2):
      bpf: Fail uprobe multi link with negative offset
      selftests/bpf: Add more uprobe multi fail tests

 kernel/trace/bpf_trace.c                                   |   8 +++--
 tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c | 149 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 152 insertions(+), 5 deletions(-)

[PATCHv2 bpf-next 1/2] bpf: Fail uprobe multi link with negative offset

[Jiri Olsa]

Currently the __uprobe_register will return 0 (success) when called with
negative offset. The reason is that the call to register_for_each_vma and
then build_map_info won't return error for negative offset. They just won't
do anything - no matching vma is found so there's no registered breakpoint
for the uprobe.

I don't think we can change the behaviour of __uprobe_register and fail
for negative uprobe offset, because apps might depend on that already.

But I think we can still make the change and check for it on bpf multi
link syscall level.

Also moving the __get_user call and check for the offsets to the top of
loop, to fail early without extra __get_user calls for ref_ctr_offset
and cookie arrays.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 kernel/trace/bpf_trace.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 97c0c49c40a0..492d60e9c480 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3391,15 +3391,19 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
 		goto error_free;
 
 	for (i = 0; i < cnt; i++) {
-		if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
+		if (__get_user(uprobes[i].offset, uoffsets + i)) {
 			err = -EFAULT;
 			goto error_free;
 		}
+		if (uprobes[i].offset < 0) {
+			err = -EINVAL;
+			goto error_free;
+		}
 		if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
 			err = -EFAULT;
 			goto error_free;
 		}
-		if (__get_user(uprobes[i].offset, uoffsets + i)) {
+		if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
 			err = -EFAULT;
 			goto error_free;
 		}
-- 
2.43.0

[PATCHv2 bpf-next 2/2] selftests/bpf: Add more uprobe multi fail tests

[Jiri Olsa]

We fail to create uprobe if we pass negative offset,
adding test for that plus some more.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 .../bpf/prog_tests/uprobe_multi_test.c        | 149 +++++++++++++++++-
 1 file changed, 146 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
index 07a009f95e85..8269cdee33ae 100644
--- a/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
+++ b/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
@@ -239,23 +239,166 @@ static void test_attach_api_fails(void)
 	LIBBPF_OPTS(bpf_link_create_opts, opts);
 	const char *path = "/proc/self/exe";
 	struct uprobe_multi *skel = NULL;
+	int prog_fd, link_fd = -1;
 	unsigned long offset = 0;
-	int link_fd = -1;
 
 	skel = uprobe_multi__open_and_load();
 	if (!ASSERT_OK_PTR(skel, "uprobe_multi__open_and_load"))
 		goto cleanup;
 
+	prog_fd = bpf_program__fd(skel->progs.uprobe_extra);
+
 	/* abnormal cnt */
 	opts.uprobe_multi.path = path;
 	opts.uprobe_multi.offsets = &offset;
 	opts.uprobe_multi.cnt = INT_MAX;
-	link_fd = bpf_link_create(bpf_program__fd(skel->progs.uprobe), 0,
-				  BPF_TRACE_UPROBE_MULTI, &opts);
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
 	if (!ASSERT_ERR(link_fd, "link_fd"))
 		goto cleanup;
 	if (!ASSERT_EQ(link_fd, -E2BIG, "big cnt"))
 		goto cleanup;
+
+	/* cnt is 0 */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EINVAL, "cnt_is_zero"))
+		goto cleanup;
+
+	/* negative offset */
+	offset = -1;
+	opts.uprobe_multi.path = path;
+	opts.uprobe_multi.offsets = (unsigned long *) &offset;
+	opts.uprobe_multi.cnt = 1;
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EINVAL, "offset_is_negative"))
+		goto cleanup;
+
+	/* offsets is NULL */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EINVAL, "offsets_is_null"))
+		goto cleanup;
+
+	/* wrong offsets pointer */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.offsets = (unsigned long *) 1,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EFAULT, "offsets_is_wrong"))
+		goto cleanup;
+
+	/* path is NULL */
+	offset = 1;
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EINVAL, "path_is_null"))
+		goto cleanup;
+
+	/* wrong path pointer  */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = (const char *) 1,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EFAULT, "path_is_wrong"))
+		goto cleanup;
+
+	/* wrong path type */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = "/",
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EBADF, "path_is_wrong_type"))
+		goto cleanup;
+
+	/* wrong cookies pointer */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cookies = (__u64 *) 1ULL,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EFAULT, "cookies_is_wrong"))
+		goto cleanup;
+
+	/* wrong ref_ctr_offsets pointer */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cookies = (__u64 *) &offset,
+		.uprobe_multi.ref_ctr_offsets = (unsigned long *) 1,
+		.uprobe_multi.cnt = 1,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EFAULT, "ref_ctr_offsets_is_wrong"))
+		goto cleanup;
+
+	/* wrong flags */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.flags = 1 << 31,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	if (!ASSERT_EQ(link_fd, -EINVAL, "wrong_flags"))
+		goto cleanup;
+
+	/* wrong pid */
+	LIBBPF_OPTS_RESET(opts,
+		.uprobe_multi.path = path,
+		.uprobe_multi.offsets = (unsigned long *) &offset,
+		.uprobe_multi.cnt = 1,
+		.uprobe_multi.pid = -2,
+	);
+
+	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+	if (!ASSERT_ERR(link_fd, "link_fd"))
+		goto cleanup;
+	ASSERT_EQ(link_fd, -ESRCH, "pid_is_wrong");
+
 cleanup:
 	if (link_fd >= 0)
 		close(link_fd);
-- 
2.43.0

Re: [PATCHv2 bpf-next 1/2] bpf: Fail uprobe multi link with negative offset

[Song Liu]

On Sun, Dec 17, 2023 at 1:55 PM Jiri Olsa <jolsa@kernel.org> wrote:
>
> Currently the __uprobe_register will return 0 (success) when called with
> negative offset. The reason is that the call to register_for_each_vma and
> then build_map_info won't return error for negative offset. They just won't
> do anything - no matching vma is found so there's no registered breakpoint
> for the uprobe.
>
> I don't think we can change the behaviour of __uprobe_register and fail
> for negative uprobe offset, because apps might depend on that already.
>
> But I think we can still make the change and check for it on bpf multi
> link syscall level.
>
> Also moving the __get_user call and check for the offsets to the top of
> loop, to fail early without extra __get_user calls for ref_ctr_offset
> and cookie arrays.
>
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Acked-by: Song Liu <song@kernel.org>

Re: [PATCHv2 bpf-next 2/2] selftests/bpf: Add more uprobe multi fail tests

[Song Liu]

On Sun, Dec 17, 2023 at 1:56 PM Jiri Olsa <jolsa@kernel.org> wrote:
>
> We fail to create uprobe if we pass negative offset,
> adding test for that plus some more.

nit: "negative offset plus some more" is a little weird to me. This is more
like "testing error handling paths of uprobe multi creation".

>
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Other than the nit,

Acked-by: Song Liu <song@kernel.org>

Re: [PATCHv2 bpf-next 2/2] selftests/bpf: Add more uprobe multi fail tests

[Andrii Nakryiko]

On Mon, Dec 18, 2023 at 8:19 AM Song Liu <song@kernel.org> wrote:
>
> On Sun, Dec 17, 2023 at 1:56 PM Jiri Olsa <jolsa@kernel.org> wrote:
> >
> > We fail to create uprobe if we pass negative offset,
> > adding test for that plus some more.
>
> nit: "negative offset plus some more" is a little weird to me. This is more
> like "testing error handling paths of uprobe multi creation".

I fixed it up and generalized a bit while applying.

>
> >
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
>
> Other than the nit,
>
> Acked-by: Song Liu <song@kernel.org>

Re: [PATCHv2 bpf-next 1/2] bpf: Fail uprobe multi link with negative offset

[Andrii Nakryiko]

On Sun, Dec 17, 2023 at 1:55 PM Jiri Olsa <jolsa@kernel.org> wrote:
>
> Currently the __uprobe_register will return 0 (success) when called with
> negative offset. The reason is that the call to register_for_each_vma and
> then build_map_info won't return error for negative offset. They just won't
> do anything - no matching vma is found so there's no registered breakpoint
> for the uprobe.
>
> I don't think we can change the behaviour of __uprobe_register and fail
> for negative uprobe offset, because apps might depend on that already.
>
> But I think we can still make the change and check for it on bpf multi
> link syscall level.
>
> Also moving the __get_user call and check for the offsets to the top of
> loop, to fail early without extra __get_user calls for ref_ctr_offset
> and cookie arrays.
>
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> ---
>  kernel/trace/bpf_trace.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 97c0c49c40a0..492d60e9c480 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -3391,15 +3391,19 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>                 goto error_free;
>
>         for (i = 0; i < cnt; i++) {
> -               if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
> +               if (__get_user(uprobes[i].offset, uoffsets + i)) {
>                         err = -EFAULT;
>                         goto error_free;
>                 }
> +               if (uprobes[i].offset < 0) {
> +                       err = -EINVAL;
> +                       goto error_free;
> +               }

I applied this because it does fix the problem, but the whole
reshuffle of offsets in front of cookies is pointless, because of the
common for() loop. You are saving one or two __get_user() calls before
failing.

If we really want to do validation first, reading offsets should be in
its own for loop, then uref_ctr_offsets in its own, and then cookies
in its own loop as well. That way we read and validate the entire
array before reading another array. Please consider a follow up, if
you think it's important enough.


>                 if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
>                         err = -EFAULT;
>                         goto error_free;
>                 }
> -               if (__get_user(uprobes[i].offset, uoffsets + i)) {
> +               if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
>                         err = -EFAULT;
>                         goto error_free;
>                 }
> --
> 2.43.0
>

Re: [PATCHv2 bpf-next 0/2] bpf: Add check for negative uprobe multi offset

[patchwork-bot+netdevbpf]

Hello:

This series was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Sun, 17 Dec 2023 22:55:36 +0100 you wrote:
> hi,
> adding the check for negative offset for uprobe multi link.
> 
> v2 changes:
> - add more failure checks [Alan]
> - move the offset retrieval/check up in the loop to be done earlier [Song]
> 
> [...]

Here is the summary with links:
  - [PATCHv2,bpf-next,1/2] bpf: Fail uprobe multi link with negative offset
    https://git.kernel.org/bpf/bpf-next/c/3983c00281d9
  - [PATCHv2,bpf-next,2/2] selftests/bpf: Add more uprobe multi fail tests
    https://git.kernel.org/bpf/bpf-next/c/f17d1a18a3dd

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCHv2 bpf-next 1/2] bpf: Fail uprobe multi link with negative offset

[Jiri Olsa]

On Mon, Dec 18, 2023 at 09:56:38AM -0800, Andrii Nakryiko wrote:
> On Sun, Dec 17, 2023 at 1:55 PM Jiri Olsa <jolsa@kernel.org> wrote:
> >
> > Currently the __uprobe_register will return 0 (success) when called with
> > negative offset. The reason is that the call to register_for_each_vma and
> > then build_map_info won't return error for negative offset. They just won't
> > do anything - no matching vma is found so there's no registered breakpoint
> > for the uprobe.
> >
> > I don't think we can change the behaviour of __uprobe_register and fail
> > for negative uprobe offset, because apps might depend on that already.
> >
> > But I think we can still make the change and check for it on bpf multi
> > link syscall level.
> >
> > Also moving the __get_user call and check for the offsets to the top of
> > loop, to fail early without extra __get_user calls for ref_ctr_offset
> > and cookie arrays.
> >
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> > ---
> >  kernel/trace/bpf_trace.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index 97c0c49c40a0..492d60e9c480 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -3391,15 +3391,19 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> >                 goto error_free;
> >
> >         for (i = 0; i < cnt; i++) {
> > -               if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
> > +               if (__get_user(uprobes[i].offset, uoffsets + i)) {
> >                         err = -EFAULT;
> >                         goto error_free;
> >                 }
> > +               if (uprobes[i].offset < 0) {
> > +                       err = -EINVAL;
> > +                       goto error_free;
> > +               }
> 
> I applied this because it does fix the problem, but the whole
> reshuffle of offsets in front of cookies is pointless, because of the
> common for() loop. You are saving one or two __get_user() calls before
> failing.
> 
> If we really want to do validation first, reading offsets should be in
> its own for loop, then uref_ctr_offsets in its own, and then cookies
> in its own loop as well. That way we read and validate the entire
> array before reading another array. Please consider a follow up, if
> you think it's important enough.

ok, thanks

jirka

> 
> 
> >                 if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
> >                         err = -EFAULT;
> >                         goto error_free;
> >                 }
> > -               if (__get_user(uprobes[i].offset, uoffsets + i)) {
> > +               if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
> >                         err = -EFAULT;
> >                         goto error_free;
> >                 }
> > --
> > 2.43.0
> >