From: Kui-Feng Lee <thinker.li@gmail.com>
To: bpf@vger.kernel.org, ast@kernel.org, martin.lau@linux.dev,
	song@kernel.org, kernel-team@meta.com, andrii@kernel.org
Cc: sinquersw@gmail.com, kuifeng@meta.com,
	Kui-Feng Lee <thinker.li@gmail.com>
Subject: [PATCH bpf-next 07/11] bpf: check_map_access() with the knowledge of arrays.
Date: Tue,  9 Apr 2024 17:41:46 -0700
Message-ID: <20240410004150.2917641-8-thinker.li@gmail.com>
In-Reply-To: <20240410004150.2917641-1-thinker.li@gmail.com>

Ensure that accessing a map aligns with an element if the corresponding
btf_field, if there is one, represents an array.

It would be necessary for an access to be aligned with the beginning of an
array if we didn't make this change. Any access to elements other than the
first one would be rejected.

Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
---
 kernel/bpf/verifier.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 34e43220c6f0..67b89d4ea1ba 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5428,7 +5428,7 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
 	rec = map->record;
 	for (i = 0; i < rec->cnt; i++) {
 		struct btf_field *field = &rec->fields[i];
-		u32 p = field->offset;
+		u32 p = field->offset, var_p, elem_size;
 
 		/* If any part of a field  can be touched by load/store, reject
 		 * this program. To check that [x1, x2) overlaps with [y1, y2),
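Review bot: var_p is declared as u32 on the changed declaration line, but the value it is meant to hold, off + reg->var_off.value, is printed with %llu by the verbose() call further down, which indicates the sum is 64-bit and would be truncated on assignment. The removed test `p != off + reg->var_off.value` compared against the untruncated value, so a large offset that differed from p could now wrap into the accepted range. Consider declaring var_p as u64, and moving var_p and elem_size into the branch that uses them instead of the loop scope.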
@@ -5448,7 +5448,10 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
 					verbose(env, "kptr access cannot have variable offset\n");
 					return -EACCES;
 				}
-				if (p != off + reg->var_off.value) {
+				var_p = off + reg->var_off.value;
+				elem_size = field->size / field->nelems;
+				if (var_p < p || var_p >= p + field->size ||
+				    (var_p - p) % elem_size) {
 					verbose(env, "kptr access misaligned expected=%u off=%llu\n",
 						p, off + reg->var_off.value);
 					return -EACCES;
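Review bot: `elem_size = field->size / field->nelems` divides by nelems and the quotient is then used as a modulus, so this check depends on nelems being at least 1 for every field that reaches it (non-array fields included) and on size being an exact multiple of nelems; nothing in the hunk checks or documents either assumption. A short comment stating where nelems is guaranteed to be nonzero, or an explicit guard, would make that dependency visible. The error text still reports only expected=p, although any offset p + k * elem_size inside the field is now accepted, so the message can mislead; consider rewording it and passing var_p rather than recomputing off + reg->var_off.value.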
-- 
2.34.1

