public inbox for bpf@vger.kernel.org
From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	Steven Rostedt <rostedt@goodmis.org>,
	Jiri Olsa <olsajiri@gmail.com>,
	Juri Lelli <juri.lelli@redhat.com>,
	kernel-team@fb.com
Subject: [PATCH bpf-next v1 0/2] Handle possible NULL trusted raw_tp arguments
Date: Thu, 31 Oct 2024 17:00:15 -0700
Message-ID: <20241101000017.3424165-1-memxor@gmail.com>

More context is available in [0], but the TL;DR is that the verifier
incorrectly assumes that any raw tracepoint argument will always be
non-NULL. This means that even when users correctly check possible NULL
arguments, the verifier can remove the NULL check due to incorrect
knowledge of the NULL-ness of the pointer. Secondly, kernel helpers or
kfuncs taking these trusted tracepoint arguments incorrectly assume that
all arguments will always be valid and non-NULL.

In this set, we mark raw_tp arguments as PTR_MAYBE_NULL on top of
PTR_TRUSTED, but special case their behavior when dereferencing them or
pointer arithmetic over them is involved. When passing trusted args to
helpers or kfuncs, raw_tp programs are permitted to pass possibly NULL
pointers in such cases.

Any loads through such maybe-NULL trusted PTR_TO_BTF_ID pointers are promoted
to PROBE_MEM loads to handle the resulting page faults. The verifier will ensure
NULL checks on such pointers are preserved and do not lead to dead code
elimination.

This new behavior is not applied when ref_obj_id is non-zero, as those
pointers do not belong to raw_tp arguments, but instead acquired
objects.

Since helpers and kfuncs already require attention for PTR_TO_BTF_ID
(non-trusted) pointers, we do not implement any protection for such
cases in this patch set, and leave it as future work for an upcoming
series.

A selftest is included with this patch set to verify the new behavior,
and it crashes the kernel without the first patch.

 [0]: https://lore.kernel.org/bpf/CAADnVQLMPPavJQR6JFsi3dtaaLHB816JN4HCV_TFWohJ61D+wQ@mail.gmail.com

Kumar Kartikeya Dwivedi (2):
  bpf: Mark raw_tp arguments with PTR_MAYBE_NULL
  selftests/bpf: Add tests for raw_tp null handling

 include/linux/bpf.h                           |  6 ++
 kernel/bpf/btf.c                              |  5 +-
 kernel/bpf/verifier.c                         | 75 +++++++++++++++++--
 .../bpf/bpf_testmod/bpf_testmod-events.h      |  8 ++
 .../selftests/bpf/bpf_testmod/bpf_testmod.c   |  2 +
 .../selftests/bpf/prog_tests/raw_tp_null.c    | 25 +++++++
 .../testing/selftests/bpf/progs/raw_tp_null.c | 27 +++++++
 .../bpf/progs/test_tp_btf_nullable.c          |  6 +-
 8 files changed, 145 insertions(+), 9 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_null.c
 create mode 100644 tools/testing/selftests/bpf/progs/raw_tp_null.c


base-commit: e626a13f6fbb4697f8734333432dca577628d09a
-- 
2.43.5
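The register-typing rules the cover letter lays out (raw_tp arguments typed PTR_TRUSTED | PTR_MAYBE_NULL, loads promoted to PROBE_MEM, NULL checks kept live, the ref_obj_id exclusion, and the relaxed trusted-argument rule for raw_tp programs) modelled as a small stand-alone C program. This is an added example written for this page, not code from the series or from kernel/bpf/verifier.c: the flag names follow the verifier's but their values, the struct layout and every function here are this example's own, and the rule that a maybe-NULL pointer which is not a raw_tp argument cannot be dereferenced is assumed as the verifier's default behaviour rather than taken from the patch. The "before" typing shows why the NULL edge was pruned and the load was a plain (faulting) access prior to patch 1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the register-type rules described in the cover letter.
 * Flag names follow the verifier's; the values are this example's own. */
enum {
	PTR_TO_BTF_ID  = 1u << 0,
	PTR_TRUSTED    = 1u << 1,
	PTR_MAYBE_NULL = 1u << 2,
};

enum load_kind { LOAD_PLAIN, LOAD_PROBE_MEM, LOAD_REJECTED };

struct reg {
	uint32_t type;
	uint32_t ref_obj_id;	/* non-zero: an acquired object, never a raw_tp argument */
};

/* How a raw_tp argument was typed before this series: trusted and assumed non-NULL. */
static struct reg raw_tp_arg_before(void)
{
	return (struct reg){ .type = PTR_TO_BTF_ID | PTR_TRUSTED, .ref_obj_id = 0 };
}

/* How a raw_tp argument is typed with patch 1 applied. */
static struct reg raw_tp_arg_after(void)
{
	return (struct reg){ .type = PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL, .ref_obj_id = 0 };
}

/* The special case the series carves out: trusted, maybe-NULL, and not an acquired object. */
static bool maybe_null_raw_tp_arg(const struct reg *r)
{
	const uint32_t want = PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL;

	return (r->type & want) == want && r->ref_obj_id == 0;
}

/* Load through the pointer: a maybe-NULL raw_tp arg gets a fault-tolerant PROBE_MEM
 * load; any other maybe-NULL pointer is rejected (assumed here as the verifier's
 * usual rule, not something the patch changes); everything else is a plain load. */
static enum load_kind classify_load(const struct reg *r)
{
	if (!(r->type & PTR_TO_BTF_ID))
		return LOAD_REJECTED;
	if (r->type & PTR_MAYBE_NULL)
		return maybe_null_raw_tp_arg(r) ? LOAD_PROBE_MEM : LOAD_REJECTED;
	return LOAD_PLAIN;
}

/* Passing the pointer as a trusted helper/kfunc argument: only raw_tp programs may
 * hand over a possibly-NULL trusted pointer, and only one of their own arguments. */
static bool trusted_arg_ok(const struct reg *r, bool prog_is_raw_tp)
{
	if (!(r->type & PTR_TRUSTED))
		return false;
	if (r->type & PTR_MAYBE_NULL)
		return prog_is_raw_tp && maybe_null_raw_tp_arg(r);
	return true;
}

struct null_check {
	struct reg not_null;	/* register state on the "ptr != NULL" edge */
	bool null_edge_live;	/* false: the verifier would prune the NULL edge as dead code */
};

/* Verifying `if (!ptr) return;`: with PTR_MAYBE_NULL set the NULL edge stays live and
 * the non-NULL edge drops the flag; without it the whole check is dead code. */
static struct null_check verify_null_check(const struct reg *r)
{
	struct null_check nc = { .not_null = *r, .null_edge_live = (r->type & PTR_MAYBE_NULL) != 0 };

	nc.not_null.type &= ~PTR_MAYBE_NULL;
	return nc;
}

int main(void)
{
	struct reg before = raw_tp_arg_before(), after = raw_tp_arg_after();
	struct null_check nb = verify_null_check(&before), na = verify_null_check(&after);

	printf("before patch: NULL edge %s, unchecked load: %s\n",
	       nb.null_edge_live ? "live" : "pruned",
	       classify_load(&before) == LOAD_PLAIN ? "plain (faults on NULL)" : "PROBE_MEM");
	printf("after patch:  NULL edge %s, unchecked load: %s, load after check: %s\n",
	       na.null_edge_live ? "live" : "pruned",
	       classify_load(&after) == LOAD_PROBE_MEM ? "PROBE_MEM" : "plain",
	       classify_load(&na.not_null) == LOAD_PLAIN ? "plain" : "PROBE_MEM");
	return 0;
}
```

The point of the model is the contrast between the two typings: with the old typing a user's NULL check is pruned and the dereference is a plain load, which is the crash the selftest in patch 2 reproduces; with PTR_MAYBE_NULL set the check survives, the unchecked load becomes PROBE_MEM, and the post-check register is back to a plain trusted pointer.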


Thread overview: 19+ messages
2024-11-01  0:00 Kumar Kartikeya Dwivedi [this message]
2024-11-01  0:00 ` [PATCH bpf-next v1 1/2] bpf: Mark raw_tp arguments with PTR_MAYBE_NULL Kumar Kartikeya Dwivedi
2024-11-01 19:16   ` Andrii Nakryiko
2024-11-01 22:55     ` Alexei Starovoitov
2024-11-03 16:16       ` Kumar Kartikeya Dwivedi
2024-11-03 16:40         ` Kumar Kartikeya Dwivedi
2024-11-03 17:00           ` Kumar Kartikeya Dwivedi
2024-11-03 17:37             ` Alexei Starovoitov
2024-11-06 20:17               ` Andrii Nakryiko
2024-11-01  0:00 ` [PATCH bpf-next v1 2/2] selftests/bpf: Add tests for raw_tp null handling Kumar Kartikeya Dwivedi
2024-11-01 19:19   ` Andrii Nakryiko
2024-11-03 15:58     ` Kumar Kartikeya Dwivedi
2024-11-01 13:18 ` [PATCH bpf-next v1 0/2] Handle possible NULL trusted raw_tp arguments Kumar Kartikeya Dwivedi
2024-11-02  0:21   ` Eduard Zingerman
2024-11-02  0:29     ` Alexei Starovoitov
2024-11-02  0:32       ` Eduard Zingerman
2024-11-08  5:08         ` Eduard Zingerman
2024-11-08 20:13           ` Alexei Starovoitov
2024-11-08 21:57             ` Yonghong Song
