* [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc @ 2024-08-15 11:27 Jordan Rome 2024-08-15 11:27 ` [bpf-next v5 2/2] bpf: Add tests for " Jordan Rome 2024-08-15 22:38 ` [bpf-next v5 1/2] bpf: Add " Andrii Nakryiko 0 siblings, 2 replies; 6+ messages in thread From: Jordan Rome @ 2024-08-15 11:27 UTC (permalink / raw) To: bpf Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team, sinquersw This adds a kfunc wrapper around strncpy_from_user, which can be called from sleepable BPF programs. This matches the non-sleepable 'bpf_probe_read_user_str' helper except it includes an additional 'flags' param, which allows consumers to clear the entire destination buffer on success. Signed-off-by: Jordan Rome <linux@jordanrome.com> --- include/uapi/linux/bpf.h | 8 +++++++ kernel/bpf/helpers.c | 41 ++++++++++++++++++++++++++++++++++ tools/include/uapi/linux/bpf.h | 8 +++++++ 3 files changed, 57 insertions(+) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index e05b39e39c3f..e207175981be 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -7513,4 +7513,12 @@ struct bpf_iter_num { __u64 __opaque[1]; } __attribute__((aligned(8))); +/* + * Flags to control bpf_copy_from_user_str() behaviour. + * - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success + */ +enum { + BPF_ZERO_BUFFER = (1ULL << 0) +}; + #endif /* _UAPI__LINUX_BPF_H__ */ diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index d02ae323996b..fe4348679d38 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it) bpf_mem_free(&bpf_global_ma, kit->bits); } +/** + * bpf_copy_from_user_str() - Copy a string from an unsafe user address + * @dst: Destination address, in kernel space. This buffer must be at + * least @dst__szk bytes long. + * @dst__szk: Maximum number of bytes to copy, including the trailing NUL. + * @unsafe_ptr__ign: Source address, in user space. + * @flags: The only supported flag is BPF_ZERO_BUFFER + * + * Copies a NUL-terminated string from userspace to BPF space. If user string is + * too long this will still ensure zero termination in the dst buffer unless + * buffer size is 0. + * + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success. + */ +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags) +{ + int ret; + int count; + + if (unlikely(!dst__szk)) + return 0; + + count = dst__szk - 1; + if (unlikely(!count)) { + ((char *)dst)[0] = '\0'; + return 1; + } + + ret = strncpy_from_user(dst, unsafe_ptr__ign, count); + if (ret >= 0) { + if (flags & BPF_ZERO_BUFFER) + memset((char *)dst + ret, 0, dst__szk - ret); + else + ((char *)dst)[ret] = '\0'; + ret++; + } + + return ret; +} + __bpf_kfunc_end_defs(); BTF_KFUNCS_START(generic_btf_ids) @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable) BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW) BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) BTF_KFUNCS_END(common_btf_ids) static const struct btf_kfunc_id_set common_kfunc_set = { diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index e05b39e39c3f..15c2c3431e0f 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -7513,4 +7513,12 @@ struct bpf_iter_num { __u64 __opaque[1]; } __attribute__((aligned(8))); +/* + * Flags to control bpf_copy_from_user_str() behaviour. + * - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success + */ +enum { + BPF_ZERO_BUFFER = (1ULL << 0) +}; + #endif /* _UAPI__LINUX_BPF_H__ */ -- 2.43.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bpf-next v5 2/2] bpf: Add tests for bpf_copy_from_user_str kfunc 2024-08-15 11:27 [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc Jordan Rome @ 2024-08-15 11:27 ` Jordan Rome 2024-08-15 22:41 ` Andrii Nakryiko 2024-08-15 22:38 ` [bpf-next v5 1/2] bpf: Add " Andrii Nakryiko 1 sibling, 1 reply; 6+ messages in thread From: Jordan Rome @ 2024-08-15 11:27 UTC (permalink / raw) To: bpf Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team, sinquersw This adds tests for both the happy path and the error path. Signed-off-by: Jordan Rome <linux@jordanrome.com> --- .../selftests/bpf/prog_tests/attach_probe.c | 8 ++-- .../selftests/bpf/prog_tests/read_vsyscall.c | 1 + .../selftests/bpf/progs/read_vsyscall.c | 9 ++++- .../selftests/bpf/progs/test_attach_probe.c | 38 +++++++++++++++++-- 4 files changed, 49 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c index 7175af39134f..329c7862b52d 100644 --- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c +++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c @@ -283,9 +283,11 @@ static void test_uprobe_sleepable(struct test_attach_probe *skel) trigger_func3(); ASSERT_EQ(skel->bss->uprobe_byname3_sleepable_res, 9, "check_uprobe_byname3_sleepable_res"); - ASSERT_EQ(skel->bss->uprobe_byname3_res, 10, "check_uprobe_byname3_res"); - ASSERT_EQ(skel->bss->uretprobe_byname3_sleepable_res, 11, "check_uretprobe_byname3_sleepable_res"); - ASSERT_EQ(skel->bss->uretprobe_byname3_res, 12, "check_uretprobe_byname3_res"); + ASSERT_EQ(skel->bss->uprobe_byname3_str_sleepable_res, 10, "check_uprobe_byname3_str_sleepable_res"); + ASSERT_EQ(skel->bss->uprobe_byname3_res, 11, "check_uprobe_byname3_res"); + ASSERT_EQ(skel->bss->uretprobe_byname3_sleepable_res, 12, "check_uretprobe_byname3_sleepable_res"); + ASSERT_EQ(skel->bss->uretprobe_byname3_str_sleepable_res, 13, "check_uretprobe_byname3_str_sleepable_res"); + ASSERT_EQ(skel->bss->uretprobe_byname3_res, 14, "check_uretprobe_byname3_res"); } void test_attach_probe(void) diff --git a/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c b/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c index 3405923fe4e6..c7b9ba8b1d06 100644 --- a/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c +++ b/tools/testing/selftests/bpf/prog_tests/read_vsyscall.c @@ -23,6 +23,7 @@ struct read_ret_desc { { .name = "probe_read_user_str", .ret = -EFAULT }, { .name = "copy_from_user", .ret = -EFAULT }, { .name = "copy_from_user_task", .ret = -EFAULT }, + { .name = "copy_from_user_str", .ret = -EFAULT }, }; void test_read_vsyscall(void) diff --git a/tools/testing/selftests/bpf/progs/read_vsyscall.c b/tools/testing/selftests/bpf/progs/read_vsyscall.c index 986f96687ae1..39ebef430059 100644 --- a/tools/testing/selftests/bpf/progs/read_vsyscall.c +++ b/tools/testing/selftests/bpf/progs/read_vsyscall.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 /* Copyright (C) 2024. Huawei Technologies Co., Ltd */ +#include "vmlinux.h" #include <linux/types.h> #include <bpf/bpf_helpers.h> @@ -7,10 +8,15 @@ int target_pid = 0; void *user_ptr = 0; -int read_ret[8]; +int read_ret[9]; char _license[] SEC("license") = "GPL"; +/* + * This is the only kfunc, the others are helpers + */ +int bpf_copy_from_user_str(void *dst, u32, const void *, u64) __weak __ksym; + SEC("fentry/" SYS_PREFIX "sys_nanosleep") int do_probe_read(void *ctx) { @@ -40,6 +46,7 @@ int do_copy_from_user(void *ctx) read_ret[6] = bpf_copy_from_user(buf, sizeof(buf), user_ptr); read_ret[7] = bpf_copy_from_user_task(buf, sizeof(buf), user_ptr, bpf_get_current_task_btf(), 0); + read_ret[8] = bpf_copy_from_user_str((char *)buf, sizeof(buf), user_ptr, 0); return 0; } diff --git a/tools/testing/selftests/bpf/progs/test_attach_probe.c b/tools/testing/selftests/bpf/progs/test_attach_probe.c index 68466a6ad18c..705830d44101 100644 --- a/tools/testing/selftests/bpf/progs/test_attach_probe.c +++ b/tools/testing/selftests/bpf/progs/test_attach_probe.c @@ -14,11 +14,15 @@ int uretprobe_byname_res = 0; int uprobe_byname2_res = 0; int uretprobe_byname2_res = 0; int uprobe_byname3_sleepable_res = 0; +int uprobe_byname3_str_sleepable_res = 0; int uprobe_byname3_res = 0; int uretprobe_byname3_sleepable_res = 0; +int uretprobe_byname3_str_sleepable_res = 0; int uretprobe_byname3_res = 0; void *user_ptr = 0; +int bpf_copy_from_user_str(void *dst, u32, const void *, u64) __weak __ksym; + SEC("ksyscall/nanosleep") int BPF_KSYSCALL(handle_kprobe_auto, struct __kernel_timespec *req, struct __kernel_timespec *rem) { @@ -87,11 +91,37 @@ static __always_inline bool verify_sleepable_user_copy(void) return bpf_strncmp(data, sizeof(data), "test_data") == 0; } +static __always_inline bool verify_sleepable_user_copy_str(void) +{ + int ret; + char data_long[20]; + char data_short[4]; + + ret = bpf_copy_from_user_str(data_short, sizeof(data_short), user_ptr, 0); + + if (bpf_strncmp(data_short, 4, "tes\0") != 0 || ret != 4) + return false; + + ret = bpf_copy_from_user_str(data_long, sizeof(data_long), user_ptr, BPF_ZERO_BUFFER); + + if (bpf_strncmp(data_long, 10, "test_data\0") != 0 || ret != 10 || data_long[19] != '\0') + return false; + + ret = bpf_copy_from_user_str(data_long, sizeof(data_long), user_ptr, 0); + + if (bpf_strncmp(data_long, 10, "test_data\0") != 0 || ret != 10) + return false; + + return true; +} + SEC("uprobe.s//proc/self/exe:trigger_func3") int handle_uprobe_byname3_sleepable(struct pt_regs *ctx) { if (verify_sleepable_user_copy()) uprobe_byname3_sleepable_res = 9; + if (verify_sleepable_user_copy_str()) + uprobe_byname3_str_sleepable_res = 10; return 0; } @@ -102,7 +132,7 @@ int handle_uprobe_byname3_sleepable(struct pt_regs *ctx) SEC("uprobe//proc/self/exe:trigger_func3") int handle_uprobe_byname3(struct pt_regs *ctx) { - uprobe_byname3_res = 10; + uprobe_byname3_res = 11; return 0; } @@ -110,14 +140,16 @@ SEC("uretprobe.s//proc/self/exe:trigger_func3") int handle_uretprobe_byname3_sleepable(struct pt_regs *ctx) { if (verify_sleepable_user_copy()) - uretprobe_byname3_sleepable_res = 11; + uretprobe_byname3_sleepable_res = 12; + if (verify_sleepable_user_copy_str()) + uretprobe_byname3_str_sleepable_res = 13; return 0; } SEC("uretprobe//proc/self/exe:trigger_func3") int handle_uretprobe_byname3(struct pt_regs *ctx) { - uretprobe_byname3_res = 12; + uretprobe_byname3_res = 14; return 0; } -- 2.43.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [bpf-next v5 2/2] bpf: Add tests for bpf_copy_from_user_str kfunc 2024-08-15 11:27 ` [bpf-next v5 2/2] bpf: Add tests for " Jordan Rome @ 2024-08-15 22:41 ` Andrii Nakryiko 0 siblings, 0 replies; 6+ messages in thread From: Andrii Nakryiko @ 2024-08-15 22:41 UTC (permalink / raw) To: Jordan Rome Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team, sinquersw On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote: > > This adds tests for both the happy path and > the error path. > > Signed-off-by: Jordan Rome <linux@jordanrome.com> > --- > .../selftests/bpf/prog_tests/attach_probe.c | 8 ++-- > .../selftests/bpf/prog_tests/read_vsyscall.c | 1 + > .../selftests/bpf/progs/read_vsyscall.c | 9 ++++- > .../selftests/bpf/progs/test_attach_probe.c | 38 +++++++++++++++++-- > 4 files changed, 49 insertions(+), 7 deletions(-) > As I mentioned in the first patch, it would be better to have a bit more extensive testing. All those rare conditions: - dst_size is zero - dst_size is one - string is empty - string exactly fits - string is truncated - plus various error conditions. > diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c > index 7175af39134f..329c7862b52d 100644 > --- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c > +++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c > @@ -283,9 +283,11 @@ static void test_uprobe_sleepable(struct test_attach_probe *skel) > trigger_func3(); > [...] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc 2024-08-15 11:27 [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc Jordan Rome 2024-08-15 11:27 ` [bpf-next v5 2/2] bpf: Add tests for " Jordan Rome @ 2024-08-15 22:38 ` Andrii Nakryiko 2024-08-16 7:23 ` Kui-Feng Lee 1 sibling, 1 reply; 6+ messages in thread From: Andrii Nakryiko @ 2024-08-15 22:38 UTC (permalink / raw) To: Jordan Rome Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team, sinquersw On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote: > > This adds a kfunc wrapper around strncpy_from_user, > which can be called from sleepable BPF programs. > > This matches the non-sleepable 'bpf_probe_read_user_str' > helper except it includes an additional 'flags' > param, which allows consumers to clear the entire > destination buffer on success. > > Signed-off-by: Jordan Rome <linux@jordanrome.com> > --- > include/uapi/linux/bpf.h | 8 +++++++ > kernel/bpf/helpers.c | 41 ++++++++++++++++++++++++++++++++++ > tools/include/uapi/linux/bpf.h | 8 +++++++ > 3 files changed, 57 insertions(+) > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index e05b39e39c3f..e207175981be 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -7513,4 +7513,12 @@ struct bpf_iter_num { > __u64 __opaque[1]; > } __attribute__((aligned(8))); > > +/* > + * Flags to control bpf_copy_from_user_str() behaviour. > + * - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success > + */ > +enum { > + BPF_ZERO_BUFFER = (1ULL << 0) We call all flags BPF_F_<something>, so let's stay consistent. And just for a bit of bikeshedding, "zero buffer" isn't immediately clear and it would be nice to have a clearer verb in there. I don't have a perfect name, but something like BPF_F_PAD_ZEROS or something with "pad" maybe? Also, should we keep behavior a bit more consistent and say that on failure this flag will also ensure that buffer is cleared? > +}; > + > #endif /* _UAPI__LINUX_BPF_H__ */ > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c > index d02ae323996b..fe4348679d38 100644 > --- a/kernel/bpf/helpers.c > +++ b/kernel/bpf/helpers.c > @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it) > bpf_mem_free(&bpf_global_ma, kit->bits); > } > > +/** > + * bpf_copy_from_user_str() - Copy a string from an unsafe user address > + * @dst: Destination address, in kernel space. This buffer must be at > + * least @dst__szk bytes long. > + * @dst__szk: Maximum number of bytes to copy, including the trailing NUL. > + * @unsafe_ptr__ign: Source address, in user space. > + * @flags: The only supported flag is BPF_ZERO_BUFFER > + * > + * Copies a NUL-terminated string from userspace to BPF space. If user string is > + * too long this will still ensure zero termination in the dst buffer unless > + * buffer size is 0. > + * > + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success. > + */ > +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags) > +{ > + int ret; > + int count; > + validate that flags doesn't have any unknown flags if (unlikely(flags & ~BPF_F_ZERO_BUFFER)) return -EINVAL; > + if (unlikely(!dst__szk)) > + return 0; > + > + count = dst__szk - 1; > + if (unlikely(!count)) { > + ((char *)dst)[0] = '\0'; > + return 1; > + } Do we need to special-case this unlikely scenario? Especially that it's unlikely, why write code for it and pay a tiny price for an extra check? > + > + ret = strncpy_from_user(dst, unsafe_ptr__ign, count); > + if (ret >= 0) { > + if (flags & BPF_ZERO_BUFFER) > + memset((char *)dst + ret, 0, dst__szk - ret); > + else > + ((char *)dst)[ret] = '\0'; > + ret++; so if string is truncated, ret == count, no? And dst[ret] will go beyond the buffer? we need more tests to validate all those various conditions I'd also rewrite this a bit, so it's more linear: ret = strncpy(...); if (ret < 0) return ret; ((char *)dst)[count - 1] = '\0'; if (flags & BPF_F_ZERO_BUF) memset(...); return ret < count ? ret + 1 : count; or something along those lines pw-bot: cr > + } > + > + return ret; > +} > + > __bpf_kfunc_end_defs(); > > BTF_KFUNCS_START(generic_btf_ids) > @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable) > BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW) > BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) > BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) > +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) > BTF_KFUNCS_END(common_btf_ids) > > static const struct btf_kfunc_id_set common_kfunc_set = { > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > index e05b39e39c3f..15c2c3431e0f 100644 > --- a/tools/include/uapi/linux/bpf.h > +++ b/tools/include/uapi/linux/bpf.h > @@ -7513,4 +7513,12 @@ struct bpf_iter_num { > __u64 __opaque[1]; > } __attribute__((aligned(8))); > > +/* > + * Flags to control bpf_copy_from_user_str() behaviour. > + * - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success > + */ > +enum { > + BPF_ZERO_BUFFER = (1ULL << 0) > +}; > + > #endif /* _UAPI__LINUX_BPF_H__ */ > -- > 2.43.5 > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc 2024-08-15 22:38 ` [bpf-next v5 1/2] bpf: Add " Andrii Nakryiko @ 2024-08-16 7:23 ` Kui-Feng Lee 2024-08-19 16:25 ` Andrii Nakryiko 0 siblings, 1 reply; 6+ messages in thread From: Kui-Feng Lee @ 2024-08-16 7:23 UTC (permalink / raw) To: Andrii Nakryiko, Jordan Rome Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team On 8/15/24 15:38, Andrii Nakryiko wrote: > On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote: >> >> This adds a kfunc wrapper around strncpy_from_user, >> which can be called from sleepable BPF programs. >> >> This matches the non-sleepable 'bpf_probe_read_user_str' >> helper except it includes an additional 'flags' >> param, which allows consumers to clear the entire >> destination buffer on success. >> >> Signed-off-by: Jordan Rome <linux@jordanrome.com> >> --- >> include/uapi/linux/bpf.h | 8 +++++++ >> kernel/bpf/helpers.c | 41 ++++++++++++++++++++++++++++++++++ >> tools/include/uapi/linux/bpf.h | 8 +++++++ >> 3 files changed, 57 insertions(+) >> >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h >> index e05b39e39c3f..e207175981be 100644 >> --- a/include/uapi/linux/bpf.h >> +++ b/include/uapi/linux/bpf.h >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num { >> __u64 __opaque[1]; >> } __attribute__((aligned(8))); >> >> +/* >> + * Flags to control bpf_copy_from_user_str() behaviour. >> + * - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success >> + */ >> +enum { >> + BPF_ZERO_BUFFER = (1ULL << 0) > > We call all flags BPF_F_<something>, so let's stay consistent. > > And just for a bit of bikeshedding, "zero buffer" isn't immediately > clear and it would be nice to have a clearer verb in there. I don't > have a perfect name, but something like BPF_F_PAD_ZEROS or something > with "pad" maybe? > > Also, should we keep behavior a bit more consistent and say that on > failure this flag will also ensure that buffer is cleared? > >> +}; >> + >> #endif /* _UAPI__LINUX_BPF_H__ */ >> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c >> index d02ae323996b..fe4348679d38 100644 >> --- a/kernel/bpf/helpers.c >> +++ b/kernel/bpf/helpers.c >> @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it) >> bpf_mem_free(&bpf_global_ma, kit->bits); >> } >> >> +/** >> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address >> + * @dst: Destination address, in kernel space. This buffer must be at >> + * least @dst__szk bytes long. >> + * @dst__szk: Maximum number of bytes to copy, including the trailing NUL. >> + * @unsafe_ptr__ign: Source address, in user space. >> + * @flags: The only supported flag is BPF_ZERO_BUFFER >> + * >> + * Copies a NUL-terminated string from userspace to BPF space. If user string is >> + * too long this will still ensure zero termination in the dst buffer unless >> + * buffer size is 0. >> + * >> + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success. >> + */ >> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags) >> +{ >> + int ret; >> + int count; >> + > > validate that flags doesn't have any unknown flags > > if (unlikely(flags & ~BPF_F_ZERO_BUFFER)) > return -EINVAL; > >> + if (unlikely(!dst__szk)) >> + return 0; >> + >> + count = dst__szk - 1; >> + if (unlikely(!count)) { >> + ((char *)dst)[0] = '\0'; >> + return 1; >> + } > > Do we need to special-case this unlikely scenario? Especially that > it's unlikely, why write code for it and pay a tiny price for an extra > check? > >> + >> + ret = strncpy_from_user(dst, unsafe_ptr__ign, count); >> + if (ret >= 0) { >> + if (flags & BPF_ZERO_BUFFER) >> + memset((char *)dst + ret, 0, dst__szk - ret); >> + else >> + ((char *)dst)[ret] = '\0'; >> + ret++; > > so if string is truncated, ret == count, no? And dst[ret] will go > beyond the buffer? Since count = dst__szk - 1, it is not going beyond the buffer. > > we need more tests to validate all those various conditions > > > I'd also rewrite this a bit, so it's more linear: > > > ret = strncpy(...); > if (ret < 0) > return ret; > > ((char *)dst)[count - 1] = '\0'; > > if (flags & BPF_F_ZERO_BUF) > memset(...); > > return ret < count ? ret + 1 : count; > > > or something along those lines > > > pw-bot: cr > > >> + } >> + >> + return ret; >> +} >> + >> __bpf_kfunc_end_defs(); >> >> BTF_KFUNCS_START(generic_btf_ids) >> @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable) >> BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW) >> BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) >> BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) >> +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) >> BTF_KFUNCS_END(common_btf_ids) >> >> static const struct btf_kfunc_id_set common_kfunc_set = { >> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h >> index e05b39e39c3f..15c2c3431e0f 100644 >> --- a/tools/include/uapi/linux/bpf.h >> +++ b/tools/include/uapi/linux/bpf.h >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num { >> __u64 __opaque[1]; >> } __attribute__((aligned(8))); >> >> +/* >> + * Flags to control bpf_copy_from_user_str() behaviour. >> + * - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success >> + */ >> +enum { >> + BPF_ZERO_BUFFER = (1ULL << 0) >> +}; >> + >> #endif /* _UAPI__LINUX_BPF_H__ */ >> -- >> 2.43.5 >> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc 2024-08-16 7:23 ` Kui-Feng Lee @ 2024-08-19 16:25 ` Andrii Nakryiko 0 siblings, 0 replies; 6+ messages in thread From: Andrii Nakryiko @ 2024-08-19 16:25 UTC (permalink / raw) To: Kui-Feng Lee Cc: Jordan Rome, bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Kernel Team On Fri, Aug 16, 2024 at 12:23 AM Kui-Feng Lee <sinquersw@gmail.com> wrote: > > > > On 8/15/24 15:38, Andrii Nakryiko wrote: > > On Thu, Aug 15, 2024 at 4:28 AM Jordan Rome <linux@jordanrome.com> wrote: > >> > >> This adds a kfunc wrapper around strncpy_from_user, > >> which can be called from sleepable BPF programs. > >> > >> This matches the non-sleepable 'bpf_probe_read_user_str' > >> helper except it includes an additional 'flags' > >> param, which allows consumers to clear the entire > >> destination buffer on success. > >> > >> Signed-off-by: Jordan Rome <linux@jordanrome.com> > >> --- > >> include/uapi/linux/bpf.h | 8 +++++++ > >> kernel/bpf/helpers.c | 41 ++++++++++++++++++++++++++++++++++ > >> tools/include/uapi/linux/bpf.h | 8 +++++++ > >> 3 files changed, 57 insertions(+) > >> > >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > >> index e05b39e39c3f..e207175981be 100644 > >> --- a/include/uapi/linux/bpf.h > >> +++ b/include/uapi/linux/bpf.h > >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num { > >> __u64 __opaque[1]; > >> } __attribute__((aligned(8))); > >> > >> +/* > >> + * Flags to control bpf_copy_from_user_str() behaviour. > >> + * - BPF_ZERO_BUFFER: Memset 0 the tail of the destination buffer on success > >> + */ > >> +enum { > >> + BPF_ZERO_BUFFER = (1ULL << 0) > > > > We call all flags BPF_F_<something>, so let's stay consistent. > > > > And just for a bit of bikeshedding, "zero buffer" isn't immediately > > clear and it would be nice to have a clearer verb in there. I don't > > have a perfect name, but something like BPF_F_PAD_ZEROS or something > > with "pad" maybe? > > > > Also, should we keep behavior a bit more consistent and say that on > > failure this flag will also ensure that buffer is cleared? > > > >> +}; > >> + > >> #endif /* _UAPI__LINUX_BPF_H__ */ > >> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c > >> index d02ae323996b..fe4348679d38 100644 > >> --- a/kernel/bpf/helpers.c > >> +++ b/kernel/bpf/helpers.c > >> @@ -2939,6 +2939,46 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it) > >> bpf_mem_free(&bpf_global_ma, kit->bits); > >> } > >> > >> +/** > >> + * bpf_copy_from_user_str() - Copy a string from an unsafe user address > >> + * @dst: Destination address, in kernel space. This buffer must be at > >> + * least @dst__szk bytes long. > >> + * @dst__szk: Maximum number of bytes to copy, including the trailing NUL. > >> + * @unsafe_ptr__ign: Source address, in user space. > >> + * @flags: The only supported flag is BPF_ZERO_BUFFER > >> + * > >> + * Copies a NUL-terminated string from userspace to BPF space. If user string is > >> + * too long this will still ensure zero termination in the dst buffer unless > >> + * buffer size is 0. > >> + * > >> + * If BPF_ZERO_BUFFER flag is set, memset the tail of @dst to 0 on success. > >> + */ > >> +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign, u64 flags) > >> +{ > >> + int ret; > >> + int count; > >> + > > > > validate that flags doesn't have any unknown flags > > > > if (unlikely(flags & ~BPF_F_ZERO_BUFFER)) > > return -EINVAL; > > > >> + if (unlikely(!dst__szk)) > >> + return 0; > >> + > >> + count = dst__szk - 1; > >> + if (unlikely(!count)) { > >> + ((char *)dst)[0] = '\0'; > >> + return 1; > >> + } > > > > Do we need to special-case this unlikely scenario? Especially that > > it's unlikely, why write code for it and pay a tiny price for an extra > > check? > > > >> + > >> + ret = strncpy_from_user(dst, unsafe_ptr__ign, count); > >> + if (ret >= 0) { > >> + if (flags & BPF_ZERO_BUFFER) > >> + memset((char *)dst + ret, 0, dst__szk - ret); > >> + else > >> + ((char *)dst)[ret] = '\0'; > >> + ret++; > > > > so if string is truncated, ret == count, no? And dst[ret] will go > > beyond the buffer? > > Since count = dst__szk - 1, it is not going beyond the buffer. > ah, I forgot that count is adjusted size already, ok > > > > we need more tests to validate all those various conditions > > > > > > I'd also rewrite this a bit, so it's more linear: > > > > > > ret = strncpy(...); > > if (ret < 0) > > return ret; > > > > ((char *)dst)[count - 1] = '\0'; > > > > if (flags & BPF_F_ZERO_BUF) > > memset(...); > > > > return ret < count ? ret + 1 : count; > > > > > > or something along those lines > > > > > > pw-bot: cr > > > > > >> + } > >> + > >> + return ret; > >> +} > >> + > >> __bpf_kfunc_end_defs(); > >> > >> BTF_KFUNCS_START(generic_btf_ids) > >> @@ -3024,6 +3064,7 @@ BTF_ID_FLAGS(func, bpf_preempt_enable) > >> BTF_ID_FLAGS(func, bpf_iter_bits_new, KF_ITER_NEW) > >> BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) > >> BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) > >> +BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) > >> BTF_KFUNCS_END(common_btf_ids) > >> > >> static const struct btf_kfunc_id_set common_kfunc_set = { > >> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > >> index e05b39e39c3f..15c2c3431e0f 100644 > >> --- a/tools/include/uapi/linux/bpf.h > >> +++ b/tools/include/uapi/linux/bpf.h > >> @@ -7513,4 +7513,12 @@ struct bpf_iter_num { > >> __u64 __opaque[1]; > >> } __attribute__((aligned(8))); > >> > >> +/* > >> + * Flags to control bpf_copy_from_user_str() behaviour. > >> + * - BPF_ZERO_BUFFER: Memset 0 the entire destination buffer on success > >> + */ > >> +enum { > >> + BPF_ZERO_BUFFER = (1ULL << 0) > >> +}; > >> + > >> #endif /* _UAPI__LINUX_BPF_H__ */ > >> -- > >> 2.43.5 > >> ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-08-19 16:25 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-08-15 11:27 [bpf-next v5 1/2] bpf: Add bpf_copy_from_user_str kfunc Jordan Rome 2024-08-15 11:27 ` [bpf-next v5 2/2] bpf: Add tests for " Jordan Rome 2024-08-15 22:41 ` Andrii Nakryiko 2024-08-15 22:38 ` [bpf-next v5 1/2] bpf: Add " Andrii Nakryiko 2024-08-16 7:23 ` Kui-Feng Lee 2024-08-19 16:25 ` Andrii Nakryiko
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox