From: Yonghong Song <yhs@fb.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>, <bpf@vger.kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
"Jose E . Marchesi" <jose.marchesi@oracle.com>,
<kernel-team@fb.com>, Masami Hiramatsu <mhiramat@kernel.org>
Subject: Re: [PATCH bpf-next 2/5] bpf: reject program if a __user tagged memory accessed in kernel way
Date: Sun, 19 Dec 2021 19:51:15 -0800 [thread overview]
Message-ID: <2094a015-89a5-8062-d795-4fbe621d6a2f@fb.com> (raw)
In-Reply-To: <20211220014505.oirge3vkyzm2t3st@ast-mbp.dhcp.thefacebook.com>
On 12/19/21 5:45 PM, Alexei Starovoitov wrote:
> On Thu, Dec 09, 2021 at 09:35:48AM -0800, Yonghong Song wrote:
>> BPF verifier supports direct memory access for BPF_PROG_TYPE_TRACING type
>> of bpf programs, e.g., a->b. If "a" is a pointer
>> pointing to kernel memory, bpf verifier will allow user to write
>> code in C like a->b and the verifier will translate it to a kernel
>> load properly. If "a" is a pointer to user memory, it is expected
>> that bpf developer should be bpf_probe_read_user() helper to
>> get the value a->b. Without utilizing BTF __user tagging information,
>> current verifier will assume that a->b is a kernel memory access
>> and this may generate incorrect result.
>
> The patch set looks great overall.
>
>> +/* The pointee address space encoded in BTF. */
>> +enum btf_addr_space {
>> + BTF_ADDRSPACE_UNSPEC = 0,
>> + BTF_ADDRSPACE_USER = 1,
>> +};
>> +
>> /* The information passed from prog-specific *_is_valid_access
>> * back to the verifier.
>> */
>> @@ -473,6 +479,7 @@ struct bpf_insn_access_aux {
>> struct {
>> struct btf *btf;
>> u32 btf_id;
>> + enum btf_addr_space addr_space;
>> };
> ...
>> @@ -4998,7 +4999,15 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
>>
>> info->btf = btf;
>> info->btf_id = t->type;
>> + info->addr_space = BTF_ADDRSPACE_UNSPEC;
>> t = btf_type_by_id(btf, t->type);
>> +
>> + if (btf_type_is_type_tag(t)) {
>> + tag_value = __btf_name_by_offset(btf, t->name_off);
>> + if (strcmp(tag_value, "user") == 0)
>> + info->addr_space = BTF_ADDRSPACE_USER;
>> + }
>> +
>> /* skip modifiers */
>> while (btf_type_is_modifier(t)) {
>
> bpf_insn_access_aux approach will work only for the first
> pointer deref, right?
That is true.
> Also addr_space will consume the last 4 free bytes in bpf_reg_state.
> Maybe encode user/kernel as a flag into bpf_reg_type?
> The verifier just got extended with PTR_MAYBE_NULL and MEM_RDONLY flags.
> MEM_RDONLY is roughly equivalent 'const' modifier.
> In that sense __user attribute is similar.
> wdyt?
I haven't carefully read Hao's patch set yet. But after roughly going
through it I think your suggestion should work. Will give a try!
next prev parent reply other threads:[~2021-12-20 3:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-09 17:35 bpf: add __user tagging support in vmlinux BTF Yonghong Song
2021-12-09 17:35 ` [PATCH bpf-next 1/5] compiler_types: define __user as __attribute__((btf_type_tag("user"))) Yonghong Song
2021-12-09 17:35 ` [PATCH bpf-next 2/5] bpf: reject program if a __user tagged memory accessed in kernel way Yonghong Song
2021-12-20 1:45 ` Alexei Starovoitov
2021-12-20 3:51 ` Yonghong Song [this message]
2021-12-09 17:35 ` [PATCH bpf-next 3/5] selftests/bpf: rename btf_decl_tag.c to test_btf_decl_tag.c Yonghong Song
2021-12-09 17:35 ` [PATCH bpf-next 4/5] selftests/bpf: add a selftest with __user tag Yonghong Song
2021-12-20 1:51 ` Alexei Starovoitov
2021-12-20 3:51 ` Yonghong Song
2021-12-09 17:36 ` [PATCH bpf-next 5/5] selftests/bpf: specify pahole version requirement for btf_tag test Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2094a015-89a5-8062-d795-4fbe621d6a2f@fb.com \
--to=yhs@fb.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=arnaldo.melo@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jose.marchesi@oracle.com \
--cc=kernel-team@fb.com \
--cc=mhiramat@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox