From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>,
Alexei Starovoitov <ast@kernel.org>
Cc: Andrii Nakryiko <andrii@kernel.org>,
bpf@vger.kernel.org, daniel@iogearbox.net,
martin.lau@kernel.org, kernel-team@meta.com
Subject: Re: [PATCH v3 bpf-next 03/10] bpf: fix check for attempt to corrupt spilled pointer
Date: Tue, 05 Dec 2023 02:54:53 +0200 [thread overview]
Message-ID: <6875401e502049bfdfa128fc7bf37fabe5314e2f.camel@gmail.com> (raw)
In-Reply-To: <CAEf4BzZ0Ao7EF4PodPBxTdQphEt-_ezZyNDOzqds2XfXYpjsHg@mail.gmail.com>
On Mon, 2023-12-04 at 16:23 -0800, Andrii Nakryiko wrote:
[...]
> > > @@ -4431,7 +4431,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
> > > * so it's aligned access and [off, off + size) are within stack limits
> > > */
> > > if (!env->allow_ptr_leaks &&
> > > - state->stack[spi].slot_type[0] == STACK_SPILL &&
> > > + is_spilled_reg(&state->stack[spi]) &&
> > > size != BPF_REG_SIZE) {
> > > verbose(env, "attempt to corrupt spilled pointer on stack\n");
> > > return -EACCES;
> >
> > I think there is a small detail here.
> > slot_type[0] == STACK_SPILL actually checks if a spill is 64-bit.
>
> Hm... I wonder if the check was written like this deliberately to
> prevent turning any spilled register into STACK_MISC?
idk, the error is about pointers and forbidding turning pointers to
STACK_MISC makes sense. Don't see why it would be useful to forbid
this for scalars.
> > Thus, with this patch applied the test below does not pass.
> > Log fragment:
> >
> > 1: (57) r0 &= 65535 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
> > 2: (63) *(u32 *)(r10 -8) = r0
> > 3: R0_w=scalar(...,var_off=(0x0; 0xffff)) R10=fp0 fp-8=mmmmscalar(...,var_off=(0x0; 0xffff))
> > 3: (b7) r0 = 42 ; R0_w=42
> > 4: (63) *(u32 *)(r10 -4) = r0
> > attempt to corrupt spilled pointer on stack
>
> What would happen if we have
>
> 4: *(u16 *)(r10 - 8) = 123; ?
w/o this patch:
0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar()
1: (57) r0 &= 65535 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
2: (63) *(u32 *)(r10 -8) = r0 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
R10=fp0 fp-8=mmmmscalar(...,var_off=(0x0; 0xffff))
3: (b7) r0 = 123 ; R0_w=123
4: (6b) *(u16 *)(r10 -8) = r0 ; R0_w=123 R10=fp0 fp-8=mmmmmm123
5: (95) exit
with this patch:
0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar()
1: (57) r0 &= 65535 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
2: (63) *(u32 *)(r10 -8) = r0 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
R10=fp0 fp-8=mmmmscalar(...,var_off=(0x0; 0xffff))
3: (b7) r0 = 123 ; R0_w=123
4: (6b) *(u16 *)(r10 -8) = r0
attempt to corrupt spilled pointer on stack
> and similarly
>
> 4: *(u16 *)(r10 - 6) = 123; ?
w/o this patch:
0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar()
1: (57) r0 &= 65535 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
2: (63) *(u32 *)(r10 -8) = r0 ; R0_w=scalar(....,var_off=(0x0; 0xffff))
R10=fp0 fp-8=mmmmscalar(...,var_off=(0x0; 0xffff))
3: (b7) r0 = 123 ; R0_w=123
4: (6b) *(u16 *)(r10 -6) = r0 ; R0_w=123 R10=fp0 fp-8=mmmmmmmm
5: (95) exit
with this patch:
0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar()
1: (57) r0 &= 65535 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
2: (63) *(u32 *)(r10 -8) = r0 ; R0_w=scalar(...,var_off=(0x0; 0xffff))
R10=fp0 fp-8=mmmmscalar(...,var_off=(0x0; 0xffff))
3: (b7) r0 = 123 ; R0_w=123
4: (6b) *(u16 *)(r10 -6) = r0
attempt to corrupt spilled pointer on stack
> So it makes me feel like the intent was to reject any partial writes
> with spilled reg slots. We could probably improve that to just make
> sure that we don't turn spilled pointers into STACK_MISC in unpriv,
> but I'm not sure if it's worth doing that instead of keeping things
> simple?
You mean like below?
if (!env->allow_ptr_leaks &&
is_spilled_reg(&state->stack[spi]) &&
is_spillable_regtype(state->stack[spi].spilled_ptr.type) &&
size != BPF_REG_SIZE) {
verbose(env, "attempt to corrupt spilled pointer on stack\n");
return -EACCES;
}
next prev parent reply other threads:[~2023-12-05 0:54 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-04 19:25 [PATCH v3 bpf-next 00/10] Complete BPF verifier precision tracking support for register spills Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 01/10] bpf: support non-r10 register spill/fill to/from stack in precision tracking Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 02/10] selftests/bpf: add stack access precision test Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 03/10] bpf: fix check for attempt to corrupt spilled pointer Andrii Nakryiko
2023-12-04 22:12 ` Eduard Zingerman
2023-12-04 22:15 ` Eduard Zingerman
2023-12-05 0:23 ` Andrii Nakryiko
2023-12-05 0:54 ` Eduard Zingerman [this message]
2023-12-05 3:56 ` Andrii Nakryiko
2023-12-05 13:34 ` Eduard Zingerman
2023-12-05 18:30 ` Andrii Nakryiko
2023-12-05 18:49 ` Eduard Zingerman
2023-12-05 18:55 ` Andrii Nakryiko
2023-12-05 1:45 ` Alexei Starovoitov
2023-12-05 3:50 ` Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 04/10] bpf: preserve STACK_ZERO slots on partial reg spills Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 05/10] selftests/bpf: validate STACK_ZERO is preserved on subreg spill Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 06/10] bpf: preserve constant zero when doing partial register restore Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 07/10] selftests/bpf: validate zero preservation for sub-slot loads Andrii Nakryiko
2023-12-04 19:25 ` [PATCH v3 bpf-next 08/10] bpf: track aligned STACK_ZERO cases as imprecise spilled registers Andrii Nakryiko
2023-12-04 19:26 ` [PATCH v3 bpf-next 09/10] selftests/bpf: validate precision logic in partial_stack_load_preserves_zeros Andrii Nakryiko
2023-12-04 19:26 ` [PATCH v3 bpf-next 10/10] bpf: use common instruction history across all states Andrii Nakryiko
2023-12-04 22:32 ` [PATCH v3 bpf-next 00/10] Complete BPF verifier precision tracking support for register spills Andrii Nakryiko
2023-12-04 23:02 ` Yonghong Song
2023-12-04 23:52 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6875401e502049bfdfa128fc7bf37fabe5314e2f.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox