[bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc

[bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc

[Jordan Rome]

This adds a kfunc wrapper around strncpy_from_user,
which can be called from sleepable BPF programs.

This matches the non-sleepable 'bpf_probe_read_user_str'
helper except it includes an additional 'flags'
param, which allows consumers to clear the entire
destination buffer on success.

Signed-off-by: Jordan Rome <linux@jordanrome.com>
---
 include/uapi/linux/bpf.h       |  8 +++++++
 kernel/bpf/helpers.c           | 41 ++++++++++++++++++++++++++++++++++
 tools/include/uapi/linux/bpf.h |  8 +++++++
 3 files changed, 57 insertions(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index e05b39e39c3f..e207175981be 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -7513,4 +7513,12 @@ struct bpf_iter_num {
 	__u64 __opaque[1];
 } __attribute__((aligned(8)));

+/*
+ * Flags to control bpf_copy_from_user_str() behaviour.
+ *     - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success
+ */
+enum {
+	BPF_ZERO_BUFFER = (1ULL << 0)
+};
+
 #endif /* _UAPI__LINUX_BPF_H__ */
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index d02ae323996b..fe4348679d38 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
 	bpf_mem_free(&bpf_global_ma, kit->bits);
 }

+/**
+ * bpf_copy_from_user_str() - Copy a string from an unsafe user address
+ * @dst:             Destination address, in kernel space.  This buffer must be at
+ *                   least @dst__szk bytes long.
+ * @dst__szk:        Maximum number of bytes to copy, including the trailing NUL.
+ * @unsafe_ptr__ign: Source address, in user space.
+ * @flags:           The only supported flag is BPF_ZERO_BUFFER
+ *
+ * Copies a NUL-terminated string from userspace to BPF space. If user string is
+ * too long this will still ensure zero termination in the dst buffer unless
+ * buffer size is 0.
+ *
+ * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success.
+ */
+__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags)
+{
+	int ret;
+	int count;
+
+	if (unlikely(!dst__szk))
+		return 0;
+
+	count = dst__szk - 1;
+	if (unlikely(!count)) {
+		((char *)dst)[0] = '\0';
+		return 1;
+	}
+
+	ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
+	if (ret >= 0) {
+		if (flags & BPF_ZERO_BUFFER)
+			memset((char *)dst + ret, 0, dst__szk - ret);
+		else
+			((char *)dst)[ret] = '\0';
+		ret++;
+	}
+
+	return ret;
+}
+
 __bpf_kfunc_end_defs();

 BTF_KFUNCS_START(generic_btf_ids)
@@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable)
 BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW)
 BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
+BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
 BTF_KFUNCS_END(common_btf_ids)

 static const struct btf_kfunc_id_set common_kfunc_set = {
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index e05b39e39c3f..15c2c3431e0f 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -7513,4 +7513,12 @@ struct bpf_iter_num {
 	__u64 __opaque[1];
 } __attribute__((aligned(8)));

+/*
+ * Flags to control bpf_copy_from_user_str() behaviour.
+ *     - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success
+ */
+enum {
+	BPF_ZERO_BUFFER = (1ULL << 0)
+};
+
 #endif /* _UAPI__LINUX_BPF_H__ */
--
2.43.5

[bpf-next v5 2/2] bpf: Add tests for bpf_copy_from_user_str kfunc

[Jordan Rome]

This adds tests for both the happy path and
the error path.

Signed-off-by: Jordan Rome <linux@jordanrome.com>
---
 .../selftests/bpf/prog_tests/attach_probe.c   |  8 ++--
 .../selftests/bpf/prog_tests/read_vsyscall.c  |  1 +
 .../selftests/bpf/progs/read_vsyscall.c       |  9 ++++-
 .../selftests/bpf/progs/test_attach_probe.c   | 38 +++++++++++++++++--
 4 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
index 7175af39134f..329c7862b52d 100644
--- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c
+++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
@@ -283,9 +283,11 @@ static void test_uprobe_sleepable(struct test_attach_probe *skel)
 	trigger_func3();

 	ASSERT_EQ(skel->bss->uprobe_byname3_sleepable_res, 9, "check_uprobe_byname3_sleepable_res");
-	ASSERT_EQ(skel->bss->uprobe_byname3_res, 10, "check_uprobe_byname3_res");
-	ASSERT_EQ(skel->bss->uretprobe_byname3_sleepable_res, 11, "check_uretprobe_byname3_sleepable_res");
-	ASSERT_EQ(skel->bss->uretprobe_byname3_res, 12, "check_uretprobe_byname3_res");
+	ASSERT_EQ(skel->bss->uprobe_byname3_str_sleepable_res, 10, "check_uprobe_byname3_str_sleepable_res");
+	ASSERT_EQ(skel->bss->uprobe_byname3_res, 11, "check_uprobe_byname3_res");
+	ASSERT_EQ(skel->bss->uretprobe_byname3_sleepable_res, 12, "check_uretprobe_byname3_sleepable_res");
+	ASSERT_EQ(skel->bss->uretprobe_byname3_str_sleepable_res, 13, "check_uretprobe_byname3_str_sleepable_res");
+	ASSERT_EQ(skel->bss->uretprobe_byname3_res, 14, "check_uretprobe_byname3_res");
 }

 void test_attach_probe(void)
diff --git a/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c b/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c
index 3405923fe4e6..c7b9ba8b1d06 100644
--- a/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c
+++ b/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c
@@ -23,6 +23,7 @@ struct read_ret_desc {
 	{ .name = "probe_read_user_str", .ret = -EFAULT },
 	{ .name = "copy_from_user", .ret = -EFAULT },
 	{ .name = "copy_from_user_task", .ret = -EFAULT },
+	{ .name = "copy_from_user_str", .ret = -EFAULT },
 };

 void test_read_vsyscall(void)
diff --git a/tools/testing/selftests/bpf/progs/read_vsyscall.c b/tools/testing/selftests/bpf/progs/read_vsyscall.c
index 986f96687ae1..39ebef430059 100644
--- a/tools/testing/selftests/bpf/progs/read_vsyscall.c
+++ b/tools/testing/selftests/bpf/progs/read_vsyscall.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (C) 2024. Huawei Technologies Co., Ltd */
+#include "vmlinux.h"
 #include <linux/types.h>
 #include <bpf/bpf_helpers.h>

@@ -7,10 +8,15 @@

 int target_pid = 0;
 void *user_ptr = 0;
-int read_ret[8];
+int read_ret[9];

 char _license[] SEC("license") = "GPL";

+/*
+ * This is the only kfunc, the others are helpers
+ */
+int bpf_copy_from_user_str(void *dst, u32, const void *, u64) __weak __ksym;
+
 SEC("fentry/" SYS_PREFIX "sys_nanosleep")
 int do_probe_read(void *ctx)
 {
@@ -40,6 +46,7 @@ int do_copy_from_user(void *ctx)
 	read_ret[6] = bpf_copy_from_user(buf, sizeof(buf), user_ptr);
 	read_ret[7] = bpf_copy_from_user_task(buf, sizeof(buf), user_ptr,
 					      bpf_get_current_task_btf(), 0);
+	read_ret[8] = bpf_copy_from_user_str((char *)buf, sizeof(buf), user_ptr, 0);

 	return 0;
 }
diff --git a/tools/testing/selftests/bpf/progs/test_attach_probe.c b/tools/testing/selftests/bpf/progs/test_attach_probe.c
index 68466a6ad18c..705830d44101 100644
--- a/tools/testing/selftests/bpf/progs/test_attach_probe.c
+++ b/tools/testing/selftests/bpf/progs/test_attach_probe.c
@@ -14,11 +14,15 @@ int uretprobe_byname_res = 0;
 int uprobe_byname2_res = 0;
 int uretprobe_byname2_res = 0;
 int uprobe_byname3_sleepable_res = 0;
+int uprobe_byname3_str_sleepable_res = 0;
 int uprobe_byname3_res = 0;
 int uretprobe_byname3_sleepable_res = 0;
+int uretprobe_byname3_str_sleepable_res = 0;
 int uretprobe_byname3_res = 0;
 void *user_ptr = 0;

+int bpf_copy_from_user_str(void *dst, u32, const void *, u64) __weak __ksym;
+
 SEC("ksyscall/nanosleep")
 int BPF_KSYSCALL(handle_kprobe_auto, struct __kernel_timespec *req, struct __kernel_timespec *rem)
 {
@@ -87,11 +91,37 @@ static __always_inline bool verify_sleepable_user_copy(void)
 	return bpf_strncmp(data, sizeof(data), "test_data") == 0;
 }

+static __always_inline bool verify_sleepable_user_copy_str(void)
+{
+	int ret;
+	char data_long[20];
+	char data_short[4];
+
+	ret = bpf_copy_from_user_str(data_short, sizeof(data_short), user_ptr, 0);
+
+	if (bpf_strncmp(data_short, 4, "tes\0") != 0 || ret != 4)
+		return false;
+
+	ret = bpf_copy_from_user_str(data_long, sizeof(data_long), user_ptr, BPF_ZERO_BUFFER);
+
+	if (bpf_strncmp(data_long, 10, "test_data\0") != 0 || ret != 10 || data_long[19] != '\0')
+		return false;
+
+	ret = bpf_copy_from_user_str(data_long, sizeof(data_long), user_ptr, 0);
+
+	if (bpf_strncmp(data_long, 10, "test_data\0") != 0 || ret != 10)
+		return false;
+
+	return true;
+}
+
 SEC("uprobe.s//proc/self/exe:trigger_func3")
 int handle_uprobe_byname3_sleepable(struct pt_regs *ctx)
 {
 	if (verify_sleepable_user_copy())
 		uprobe_byname3_sleepable_res = 9;
+	if (verify_sleepable_user_copy_str())
+		uprobe_byname3_str_sleepable_res = 10;
 	return 0;
 }

@@ -102,7 +132,7 @@ int handle_uprobe_byname3_sleepable(struct pt_regs *ctx)
 SEC("uprobe//proc/self/exe:trigger_func3")
 int handle_uprobe_byname3(struct pt_regs *ctx)
 {
-	uprobe_byname3_res = 10;
+	uprobe_byname3_res = 11;
 	return 0;
 }

@@ -110,14 +140,16 @@ SEC("uretprobe.s//proc/self/exe:trigger_func3")
 int handle_uretprobe_byname3_sleepable(struct pt_regs *ctx)
 {
 	if (verify_sleepable_user_copy())
-		uretprobe_byname3_sleepable_res = 11;
+		uretprobe_byname3_sleepable_res = 12;
+	if (verify_sleepable_user_copy_str())
+		uretprobe_byname3_str_sleepable_res = 13;
 	return 0;
 }

 SEC("uretprobe//proc/self/exe:trigger_func3")
 int handle_uretprobe_byname3(struct pt_regs *ctx)
 {
-	uretprobe_byname3_res = 12;
+	uretprobe_byname3_res = 14;
 	return 0;
 }

--
2.43.5

Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc

[Andrii Nakryiko]

On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote:
>
> This adds a kfunc wrapper around strncpy_from_user,
> which can be called from sleepable BPF programs.
>
> This matches the non-sleepable 'bpf_probe_read_user_str'
> helper except it includes an additional 'flags'
> param, which allows consumers to clear the entire
> destination buffer on success.
>
> Signed-off-by: Jordan Rome <linux@jordanrome.com>
> ---
>  include/uapi/linux/bpf.h       |  8 +++++++
>  kernel/bpf/helpers.c           | 41 ++++++++++++++++++++++++++++++++++
>  tools/include/uapi/linux/bpf.h |  8 +++++++
>  3 files changed, 57 insertions(+)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index e05b39e39c3f..e207175981be 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
>         __u64 __opaque[1];
>  } __attribute__((aligned(8)));
>
> +/*
> + * Flags to control bpf_copy_from_user_str() behaviour.
> + *     - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success
> + */
> +enum {
> +       BPF_ZERO_BUFFER = (1ULL << 0)

We call all flags BPF_F_<something>, so let's stay consistent.

And just for a bit of bikeshedding, "zero buffer" isn't immediately
clear and it would be nice to have a clearer verb in there. I don't
have a perfect name, but something like BPF_F_PAD_ZEROS or something
with "pad" maybe?

Also, should we keep behavior a bit more consistent and say that on
failure this flag will also ensure that buffer is cleared?

> +};
> +
>  #endif /* _UAPI__LINUX_BPF_H__ */
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index d02ae323996b..fe4348679d38 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
>         bpf_mem_free(&bpf_global_ma, kit->bits);
>  }
>
> +/**
> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address
> + * @dst:             Destination address, in kernel space.  This buffer must be at
> + *                   least @dst__szk bytes long.
> + * @dst__szk:        Maximum number of bytes to copy, including the trailing NUL.
> + * @unsafe_ptr__ign: Source address, in user space.
> + * @flags:           The only supported flag is BPF_ZERO_BUFFER
> + *
> + * Copies a NUL-terminated string from userspace to BPF space. If user string is
> + * too long this will still ensure zero termination in the dst buffer unless
> + * buffer size is 0.
> + *
> + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success.
> + */
> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags)
> +{
> +       int ret;
> +       int count;
> +

validate that flags doesn't have any unknown flags

if (unlikely(flags & ~BPF_F_ZERO_BUFFER))
    return -EINVAL;

> +       if (unlikely(!dst__szk))
> +               return 0;
> +
> +       count = dst__szk - 1;
> +       if (unlikely(!count)) {
> +               ((char *)dst)[0] = '\0';
> +               return 1;
> +       }

Do we need to special-case this unlikely scenario? Especially that
it's unlikely, why write code for it and pay a tiny price for an extra
check?

> +
> +       ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
> +       if (ret >= 0) {
> +               if (flags & BPF_ZERO_BUFFER)
> +                       memset((char *)dst + ret, 0, dst__szk - ret);
> +               else
> +                       ((char *)dst)[ret] = '\0';
> +               ret++;

so if string is truncated, ret == count, no? And dst[ret] will go
beyond the buffer?

we need more tests to validate all those various conditions


I'd also rewrite this a bit, so it's more linear:


ret = strncpy(...);
if (ret < 0)
    return ret;

((char *)dst)[count - 1] = '\0';

if (flags & BPF_F_ZERO_BUF)
      memset(...);

return ret < count ? ret + 1 : count;


or something along those lines


pw-bot: cr


> +       }
> +
> +       return ret;
> +}
> +
>  __bpf_kfunc_end_defs();
>
>  BTF_KFUNCS_START(generic_btf_ids)
> @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable)
>  BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW)
>  BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
> +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
>  BTF_KFUNCS_END(common_btf_ids)
>
>  static const struct btf_kfunc_id_set common_kfunc_set = {
> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> index e05b39e39c3f..15c2c3431e0f 100644
> --- a/tools/include/uapi/linux/bpf.h
> +++ b/tools/include/uapi/linux/bpf.h
> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
>         __u64 __opaque[1];
>  } __attribute__((aligned(8)));
>
> +/*
> + * Flags to control bpf_copy_from_user_str() behaviour.
> + *     - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success
> + */
> +enum {
> +       BPF_ZERO_BUFFER = (1ULL << 0)
> +};
> +
>  #endif /* _UAPI__LINUX_BPF_H__ */
> --
> 2.43.5
>

Re: [bpf-next v5 2/2] bpf: Add tests for bpf_copy_from_user_str kfunc

[Andrii Nakryiko]

On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote:
>
> This adds tests for both the happy path and
> the error path.
>
> Signed-off-by: Jordan Rome <linux@jordanrome.com>
> ---
>  .../selftests/bpf/prog_tests/attach_probe.c   |  8 ++--
>  .../selftests/bpf/prog_tests/read_vsyscall.c  |  1 +
>  .../selftests/bpf/progs/read_vsyscall.c       |  9 ++++-
>  .../selftests/bpf/progs/test_attach_probe.c   | 38 +++++++++++++++++--
>  4 files changed, 49 insertions(+), 7 deletions(-)
>

As I mentioned in the first patch, it would be better to have a bit
more extensive testing. All those rare conditions:

  - dst_size is zero
  - dst_size is one
  - string is empty
  - string exactly fits
  - string is truncated
  - plus various error conditions.

> diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
> index 7175af39134f..329c7862b52d 100644
> --- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c
> +++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
> @@ -283,9 +283,11 @@ static void test_uprobe_sleepable(struct test_attach_probe *skel)
>         trigger_func3();
>

[...]

Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc

[Kui-Feng Lee]

On 8/15/24 15:38, Andrii Nakryiko wrote:
> On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote:
>>
>> This adds a kfunc wrapper around strncpy_from_user,
>> which can be called from sleepable BPF programs.
>>
>> This matches the non-sleepable 'bpf_probe_read_user_str'
>> helper except it includes an additional 'flags'
>> param, which allows consumers to clear the entire
>> destination buffer on success.
>>
>> Signed-off-by: Jordan Rome <linux@jordanrome.com>
>> ---
>>   include/uapi/linux/bpf.h       |  8 +++++++
>>   kernel/bpf/helpers.c           | 41 ++++++++++++++++++++++++++++++++++
>>   tools/include/uapi/linux/bpf.h |  8 +++++++
>>   3 files changed, 57 insertions(+)
>>
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index e05b39e39c3f..e207175981be 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
>>          __u64 __opaque[1];
>>   } __attribute__((aligned(8)));
>>
>> +/*
>> + * Flags to control bpf_copy_from_user_str() behaviour.
>> + *     - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success
>> + */
>> +enum {
>> +       BPF_ZERO_BUFFER = (1ULL << 0)
> 
> We call all flags BPF_F_<something>, so let's stay consistent.
> 
> And just for a bit of bikeshedding, "zero buffer" isn't immediately
> clear and it would be nice to have a clearer verb in there. I don't
> have a perfect name, but something like BPF_F_PAD_ZEROS or something
> with "pad" maybe?
> 
> Also, should we keep behavior a bit more consistent and say that on
> failure this flag will also ensure that buffer is cleared?
> 
>> +};
>> +
>>   #endif /* _UAPI__LINUX_BPF_H__ */
>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>> index d02ae323996b..fe4348679d38 100644
>> --- a/kernel/bpf/helpers.c
>> +++ b/kernel/bpf/helpers.c
>> @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
>>          bpf_mem_free(&bpf_global_ma, kit->bits);
>>   }
>>
>> +/**
>> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address
>> + * @dst:             Destination address, in kernel space.  This buffer must be at
>> + *                   least @dst__szk bytes long.
>> + * @dst__szk:        Maximum number of bytes to copy, including the trailing NUL.
>> + * @unsafe_ptr__ign: Source address, in user space.
>> + * @flags:           The only supported flag is BPF_ZERO_BUFFER
>> + *
>> + * Copies a NUL-terminated string from userspace to BPF space. If user string is
>> + * too long this will still ensure zero termination in the dst buffer unless
>> + * buffer size is 0.
>> + *
>> + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success.
>> + */
>> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags)
>> +{
>> +       int ret;
>> +       int count;
>> +
> 
> validate that flags doesn't have any unknown flags
> 
> if (unlikely(flags & ~BPF_F_ZERO_BUFFER))
>      return -EINVAL;
> 
>> +       if (unlikely(!dst__szk))
>> +               return 0;
>> +
>> +       count = dst__szk - 1;
>> +       if (unlikely(!count)) {
>> +               ((char *)dst)[0] = '\0';
>> +               return 1;
>> +       }
> 
> Do we need to special-case this unlikely scenario? Especially that
> it's unlikely, why write code for it and pay a tiny price for an extra
> check?
> 
>> +
>> +       ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
>> +       if (ret >= 0) {
>> +               if (flags & BPF_ZERO_BUFFER)
>> +                       memset((char *)dst + ret, 0, dst__szk - ret);
>> +               else
>> +                       ((char *)dst)[ret] = '\0';
>> +               ret++;
> 
> so if string is truncated, ret == count, no? And dst[ret] will go
> beyond the buffer?

Since count = dst__szk - 1, it is not going beyond the buffer.

> 
> we need more tests to validate all those various conditions
> 
> 
> I'd also rewrite this a bit, so it's more linear:
> 
> 
> ret = strncpy(...);
> if (ret < 0)
>      return ret;
> 
> ((char *)dst)[count - 1] = '\0';
> 
> if (flags & BPF_F_ZERO_BUF)
>        memset(...);
> 
> return ret < count ? ret + 1 : count;
> 
> 
> or something along those lines
> 
> 
> pw-bot: cr
> 
> 
>> +       }
>> +
>> +       return ret;
>> +}
>> +
>>   __bpf_kfunc_end_defs();
>>
>>   BTF_KFUNCS_START(generic_btf_ids)
>> @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable)
>>   BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW)
>>   BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
>>   BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
>> +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
>>   BTF_KFUNCS_END(common_btf_ids)
>>
>>   static const struct btf_kfunc_id_set common_kfunc_set = {
>> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
>> index e05b39e39c3f..15c2c3431e0f 100644
>> --- a/tools/include/uapi/linux/bpf.h
>> +++ b/tools/include/uapi/linux/bpf.h
>> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
>>          __u64 __opaque[1];
>>   } __attribute__((aligned(8)));
>>
>> +/*
>> + * Flags to control bpf_copy_from_user_str() behaviour.
>> + *     - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success
>> + */
>> +enum {
>> +       BPF_ZERO_BUFFER = (1ULL << 0)
>> +};
>> +
>>   #endif /* _UAPI__LINUX_BPF_H__ */
>> --
>> 2.43.5
>>

Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc

[Andrii Nakryiko]

On Fri, Aug 16, 2024 at 12:23 AM Kui-Feng Lee <sinquersw@gmail.com> wrote:
>
>
>
> On 8/15/24 15:38, Andrii Nakryiko wrote:
> > On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote:
> >>
> >> This adds a kfunc wrapper around strncpy_from_user,
> >> which can be called from sleepable BPF programs.
> >>
> >> This matches the non-sleepable 'bpf_probe_read_user_str'
> >> helper except it includes an additional 'flags'
> >> param, which allows consumers to clear the entire
> >> destination buffer on success.
> >>
> >> Signed-off-by: Jordan Rome <linux@jordanrome.com>
> >> ---
> >>   include/uapi/linux/bpf.h       |  8 +++++++
> >>   kernel/bpf/helpers.c           | 41 ++++++++++++++++++++++++++++++++++
> >>   tools/include/uapi/linux/bpf.h |  8 +++++++
> >>   3 files changed, 57 insertions(+)
> >>
> >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> >> index e05b39e39c3f..e207175981be 100644
> >> --- a/include/uapi/linux/bpf.h
> >> +++ b/include/uapi/linux/bpf.h
> >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
> >>          __u64 __opaque[1];
> >>   } __attribute__((aligned(8)));
> >>
> >> +/*
> >> + * Flags to control bpf_copy_from_user_str() behaviour.
> >> + *     - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success
> >> + */
> >> +enum {
> >> +       BPF_ZERO_BUFFER = (1ULL << 0)
> >
> > We call all flags BPF_F_<something>, so let's stay consistent.
> >
> > And just for a bit of bikeshedding, "zero buffer" isn't immediately
> > clear and it would be nice to have a clearer verb in there. I don't
> > have a perfect name, but something like BPF_F_PAD_ZEROS or something
> > with "pad" maybe?
> >
> > Also, should we keep behavior a bit more consistent and say that on
> > failure this flag will also ensure that buffer is cleared?
> >
> >> +};
> >> +
> >>   #endif /* _UAPI__LINUX_BPF_H__ */
> >> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> >> index d02ae323996b..fe4348679d38 100644
> >> --- a/kernel/bpf/helpers.c
> >> +++ b/kernel/bpf/helpers.c
> >> @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
> >>          bpf_mem_free(&bpf_global_ma, kit->bits);
> >>   }
> >>
> >> +/**
> >> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address
> >> + * @dst:             Destination address, in kernel space.  This buffer must be at
> >> + *                   least @dst__szk bytes long.
> >> + * @dst__szk:        Maximum number of bytes to copy, including the trailing NUL.
> >> + * @unsafe_ptr__ign: Source address, in user space.
> >> + * @flags:           The only supported flag is BPF_ZERO_BUFFER
> >> + *
> >> + * Copies a NUL-terminated string from userspace to BPF space. If user string is
> >> + * too long this will still ensure zero termination in the dst buffer unless
> >> + * buffer size is 0.
> >> + *
> >> + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success.
> >> + */
> >> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags)
> >> +{
> >> +       int ret;
> >> +       int count;
> >> +
> >
> > validate that flags doesn't have any unknown flags
> >
> > if (unlikely(flags & ~BPF_F_ZERO_BUFFER))
> >      return -EINVAL;
> >
> >> +       if (unlikely(!dst__szk))
> >> +               return 0;
> >> +
> >> +       count = dst__szk - 1;
> >> +       if (unlikely(!count)) {
> >> +               ((char *)dst)[0] = '\0';
> >> +               return 1;
> >> +       }
> >
> > Do we need to special-case this unlikely scenario? Especially that
> > it's unlikely, why write code for it and pay a tiny price for an extra
> > check?
> >
> >> +
> >> +       ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
> >> +       if (ret >= 0) {
> >> +               if (flags & BPF_ZERO_BUFFER)
> >> +                       memset((char *)dst + ret, 0, dst__szk - ret);
> >> +               else
> >> +                       ((char *)dst)[ret] = '\0';
> >> +               ret++;
> >
> > so if string is truncated, ret == count, no? And dst[ret] will go
> > beyond the buffer?
>
> Since count = dst__szk - 1, it is not going beyond the buffer.
>

ah, I forgot that count is adjusted size already, ok

> >
> > we need more tests to validate all those various conditions
> >
> >
> > I'd also rewrite this a bit, so it's more linear:
> >
> >
> > ret = strncpy(...);
> > if (ret < 0)
> >      return ret;
> >
> > ((char *)dst)[count - 1] = '\0';
> >
> > if (flags & BPF_F_ZERO_BUF)
> >        memset(...);
> >
> > return ret < count ? ret + 1 : count;
> >
> >
> > or something along those lines
> >
> >
> > pw-bot: cr
> >
> >
> >> +       }
> >> +
> >> +       return ret;
> >> +}
> >> +
> >>   __bpf_kfunc_end_defs();
> >>
> >>   BTF_KFUNCS_START(generic_btf_ids)
> >> @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable)
> >>   BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW)
> >>   BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
> >>   BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
> >> +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
> >>   BTF_KFUNCS_END(common_btf_ids)
> >>
> >>   static const struct btf_kfunc_id_set common_kfunc_set = {
> >> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> >> index e05b39e39c3f..15c2c3431e0f 100644
> >> --- a/tools/include/uapi/linux/bpf.h
> >> +++ b/tools/include/uapi/linux/bpf.h
> >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num {
> >>          __u64 __opaque[1];
> >>   } __attribute__((aligned(8)));
> >>
> >> +/*
> >> + * Flags to control bpf_copy_from_user_str() behaviour.
> >> + *     - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success
> >> + */
> >> +enum {
> >> +       BPF_ZERO_BUFFER = (1ULL << 0)
> >> +};
> >> +
> >>   #endif /* _UAPI__LINUX_BPF_H__ */
> >> --
> >> 2.43.5
> >>