From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com,
memxor@gmail.com, ecree.xilinx@gmail.com
Subject: Re: [PATCH bpf-next 1/7] bpf: regsafe() must not skip check_ids()
Date: Wed, 14 Dec 2022 15:25:58 +0200 [thread overview]
Message-ID: <6ff2854e4c1f2a5c3754a8ffaadf5d47fa1c2285.camel@gmail.com> (raw)
In-Reply-To: <CAEf4BzbPBeAUzueQ7mxcmSovY2Nqr37RFZnb5B1pwSDqNhyZ6w@mail.gmail.com>
On Tue, 2022-12-13 at 16:35 -0800, Andrii Nakryiko wrote:
> On Fri, Dec 9, 2022 at 5:58 AM Eduard Zingerman <eddyz87@gmail.com> wrote:
> >
> > The verifier.c:regsafe() has the following shortcut:
> >
> >     equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;
> >     ...
> >     if (equal)
> >             return true;
> >
> > Which is executed regardless of the old register type. This is incorrect for
> > register types that might have an ID checked by check_ids(), namely:
> > - PTR_TO_MAP_KEY
> > - PTR_TO_MAP_VALUE
> > - PTR_TO_PACKET_META
> > - PTR_TO_PACKET
> >
> > The following pattern could be used to exploit this:
> >
> >     0: r9 = map_lookup_elem(...)  ; Returns PTR_TO_MAP_VALUE_OR_NULL id=1.
> >     1: r8 = map_lookup_elem(...)  ; Returns PTR_TO_MAP_VALUE_OR_NULL id=2.
> >     2: r7 = ktime_get_ns()        ; Unbound SCALAR_VALUE.
> >     3: r6 = ktime_get_ns()        ; Unbound SCALAR_VALUE.
> >     4: if r6 > r7 goto +1         ; No new information about the state
> >                                   ; is derived from this check, thus
> >                                   ; produced verifier states differ only
> >                                   ; in 'insn_idx'.
> >     5: r9 = r8                    ; Optionally make r9.id == r8.id.
> >     --- checkpoint ---            ; Assume is_state_visited() creates a
> >                                   ; checkpoint here.
> >     6: if r9 == 0 goto <exit>     ; Nullness info is propagated to all
> >                                   ; registers with matching ID.
> >     7: r1 = *(u64 *) r8           ; Not always safe.
> >
> > Verifier first visits path 1-7 where r8 is verified to be not null
> > at (6). Later the jump from 4 to 6 is examined. The checkpoint for (6)
> > looks as follows:
> >     R8_rD=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0)
> >     R9_rwD=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0)
> >     R10=fp0
> >
> > The current state is:
> >     R0=... R6=... R7=... fp-8=...
> >     R8=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0)
> >     R9=map_value_or_null(id=1,off=0,ks=4,vs=8,imm=0)
> >     R10=fp0
> >
> > Note that R8 states are byte-to-byte identical, so regsafe() would
> > exit early and skip call to check_ids(), thus ID mapping 2->2 will not
> > be added to 'idmap'. Next, states for R9 are compared: these are not
> > identical and check_ids() is executed, but 'idmap' is empty, so
> > check_ids() adds mapping 2->1 to 'idmap' and returns success.
> >
> > This commit pushes the 'equal' down to register types that don't need
> > check_ids().
> >
> > Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
> > ---
> > kernel/bpf/verifier.c | 29 ++++++++---------------------
> > 1 file changed, 8 insertions(+), 21 deletions(-)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 3194e9d9e4e4..d05c5d0344c6 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -12926,15 +12926,6 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
> >
> > equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;
> >
> > - if (rold->type == PTR_TO_STACK)
> > - /* two stack pointers are equal only if they're pointing to
> > - * the same stack frame, since fp-8 in foo != fp-8 in bar
> > - */
> > - return equal && rold->frameno == rcur->frameno;
> > -
> > - if (equal)
> > - return true;
> > -
> > if (rold->type == NOT_INIT)
> > /* explored state can't have used this */
> > return true;
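Review bot: with the early `if (equal) return true;` gone from this spot, nothing at the `equal = memcmp(...)` site says why byte equality alone is no longer a sufficient match; a one-line comment there stating that ID-bearing types (PTR_TO_MAP_KEY/VALUE, PTR_TO_PACKET/PACKET_META) must still reach check_ids() even when identical would stop a later cleanup from reintroducing the shortcut. The rest of the hunk is sound: a NOT_INIT rold still returns true unconditionally, so dropping the early return does not alter that path.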
> > @@ -12942,6 +12933,8 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
> > return false;
> > switch (base_type(rold->type)) {
> > case SCALAR_VALUE:
> > + if (equal)
> > + return true;
> > if (env->explore_alu_limits)
> > return false;
> > if (rcur->type == SCALAR_VALUE) {
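Review bot: placing `if (equal) return true;` ahead of the `explore_alu_limits` test keeps the pre-patch ordering (byte-identical scalars were accepted before that limit was consulted), so this case is behaviour-preserving; the commit message should say so, since it only discusses the ID-bearing pointer types. The `id` field of struct bpf_reg_state is shared by every register type, so a short comment here on why a byte-identical SCALAR_VALUE needs no check_ids() call would answer the question this case invites.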
> > @@ -13012,20 +13005,14 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
> > /* new val must satisfy old val knowledge */
> > return range_within(rold, rcur) &&
> > tnum_in(rold->var_off, rcur->var_off);
> > - case PTR_TO_CTX:
> > - case CONST_PTR_TO_MAP:
> > - case PTR_TO_PACKET_END:
> > - case PTR_TO_FLOW_KEYS:
> > - case PTR_TO_SOCKET:
> > - case PTR_TO_SOCK_COMMON:
> > - case PTR_TO_TCP_SOCK:
> > - case PTR_TO_XDP_SOCK:
> > - /* Only valid matches are exact, which memcmp() above
> > - * would have accepted
> > + case PTR_TO_STACK:
> > + /* two stack pointers are equal only if they're pointing to
> > + * the same stack frame, since fp-8 in foo != fp-8 in bar
> > */
> > + return equal && rold->frameno == rcur->frameno;
> > default:
> > - /* Don't know what's going on, just say it's not safe */
> > - return false;
> > + /* Only valid matches are exact, which memcmp() */
> > + return equal;
>
> Is it safe to assume this for any possible register type? Wouldn't
> register types that use id and/or ref_obj_id need extra checks here? I
> think preexisting default was a safer approach, in which if we forgot
> to explicitly add support for some new or updated register type, the
> worst thing is that for that *new* register we'd have suboptimal
> verification performance, but not safety concerns.
Well, I don't think that this commit changes regsafe() behavior in
this regard. Here is how the code was structured before this commit:
static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
		    struct bpf_reg_state *rcur, struct bpf_id_pair *idmap)
{
	bool equal;

	if (!(rold->live & REG_LIVE_READ))
		return true;

	equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;

	if (rold->type == PTR_TO_STACK)
		return equal && rold->frameno == rcur->frameno;

--->	if (equal)
		return true;

	if (rold->type == NOT_INIT)
		return true;
	if (rcur->type == NOT_INIT)
		return false;
	switch (base_type(rold->type)) {
	case SCALAR_VALUE:
		... its own logic, always returns ...
	case PTR_TO_MAP_KEY:
	case PTR_TO_MAP_VALUE:
		... its own logic, always returns ...
	case PTR_TO_PACKET_META:
	case PTR_TO_PACKET:
		... its own logic, always returns ...
	case PTR_TO_CTX:
	case CONST_PTR_TO_MAP:
	case PTR_TO_PACKET_END:
	case PTR_TO_FLOW_KEYS:
	case PTR_TO_SOCKET:
	case PTR_TO_SOCK_COMMON:
	case PTR_TO_TCP_SOCK:
	case PTR_TO_XDP_SOCK:
	default:
		return false;
	}

	/* Shouldn't get here; if we do, say it's not safe */
	WARN_ON_ONCE(1);
	return false;
}
So the "safe if byte-to-byte equal" behavior was present already.
I can add an explicit list of types to the "return equal;" branch
and add a default "return false;" branch if you think that it is
more fool-proof.
>
>
> > }
> >
> > /* Shouldn't get here; if we do, say it's not safe */
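Review bot: the replacement comment `/* Only valid matches are exact, which memcmp() */` is a truncated sentence; keep the original wording, `which memcmp() above would have accepted`. Separately, collapsing the explicit case list into `default: return equal;` changes the outcome for any type the switch does not name from `return false` to byte-equality: a type added later that carries an `id` or `ref_obj_id` meant for check_ids() would be accepted silently on a byte match. Keeping the named list with `return equal;` above a `default: return false;` is the safer shape and costs nothing.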
> > --
> > 2.34.1
> >
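To make the disagreement above concrete, here is an added example (not kernel code and not from either author) that models regsafe()/check_ids() on two map-value registers. The struct layout, the BPF_ID_MAP_SIZE value, the regsafe_fn type and the MAP_VALUE macro are constructed for this toy; check_ids() follows the kernel's contract as described in the thread, and the two states are the checkpoint and current state from the commit message (R8 id=2, R9 id=2 versus R8 id=2, R9 id=1). `regsafe_before` keeps the memcmp() shortcut ahead of the per-type switch, `regsafe_after` moves it inside, and the two scenarios show that only the first variant prunes the mismatched-ID state while both still prune a consistently renamed one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of regsafe()/check_ids(); names follow kernel/bpf/verifier.c, but this is not the kernel's code. */
enum reg_type { NOT_INIT = 0, PTR_TO_MAP_VALUE };

struct reg_state {
	enum reg_type type;
	unsigned int id;	/* 0 == no id; equal non-zero ids tie registers together */
	void *parent;		/* first field that regsafe()'s memcmp() does NOT cover */
};

#define BPF_ID_MAP_SIZE 8
struct bpf_id_pair { unsigned int old; unsigned int cur; };
typedef bool (*regsafe_fn)(const struct reg_state *, const struct reg_state *, struct bpf_id_pair *);
/* Kernel check_ids() contract: within one states_equal() call an old id maps to exactly one cur id. */
static bool check_ids(unsigned int old_id, unsigned int cur_id, struct bpf_id_pair *idmap)
{
	for (int i = 0; i < BPF_ID_MAP_SIZE; i++) {
		if (!idmap[i].old) {		/* empty slot: first sighting of old_id */
			idmap[i].old = old_id;
			idmap[i].cur = cur_id;
			return true;
		}
		if (idmap[i].old == old_id)
			return idmap[i].cur == cur_id;
	}
	return false;				/* out of slots: be conservative */
}

/* Per-type comparison shared by both regsafe variants below. */
static bool regsafe_by_type(const struct reg_state *rold, const struct reg_state *rcur,
			    struct bpf_id_pair *idmap, bool equal)
{
	if (rold->type == NOT_INIT)
		return true;		/* explored state never used this register */
	if (rcur->type == NOT_INIT)
		return false;
	switch (rold->type) {
	case PTR_TO_MAP_VALUE:		/* even a byte-identical pair must record its id mapping */
		return rcur->type == PTR_TO_MAP_VALUE && check_ids(rold->id, rcur->id, idmap);
	default:
		return equal;		/* exact match is the only valid one for other types */
	}
}

/* Pre-patch shape: byte equality returns BEFORE check_ids() can run. */
static bool regsafe_before(const struct reg_state *rold, const struct reg_state *rcur, struct bpf_id_pair *idmap)
{
	bool equal = memcmp(rold, rcur, offsetof(struct reg_state, parent)) == 0;
	return equal || regsafe_by_type(rold, rcur, idmap, equal);
}

/* Post-patch shape: 'equal' is only consulted inside the per-type cases. */
static bool regsafe_after(const struct reg_state *rold, const struct reg_state *rcur, struct bpf_id_pair *idmap)
{
	bool equal = memcmp(rold, rcur, offsetof(struct reg_state, parent)) == 0;
	return regsafe_by_type(rold, rcur, idmap, equal);
}

/* One idmap per states_equal() call, shared across every register compared. */
static bool states_equal(const struct reg_state *old, const struct reg_state *cur,
			 int nregs, regsafe_fn regsafe)
{
	struct bpf_id_pair idmap[BPF_ID_MAP_SIZE] = {{0}};
	for (int i = 0; i < nregs; i++)
		if (!regsafe(&old[i], &cur[i], idmap))
			return false;
	return true;
}

#define MAP_VALUE(i) { .type = PTR_TO_MAP_VALUE, .id = (i) }
/* Checkpoint from the commit message: R8.id == R9.id == 2, versus a current state with
 * R8.id == 2 but R9.id == 1. Pruning here lets nullness learned for R9 flow to R8. */
static bool prunes_mismatched_ids(regsafe_fn regsafe)
{
	struct reg_state old[2] = { MAP_VALUE(2), MAP_VALUE(2) };	/* R8, R9 */
	struct reg_state cur[2] = { MAP_VALUE(2), MAP_VALUE(1) };
	return states_equal(old, cur, 2, regsafe);
}

/* A consistent renaming (2 -> 5 for both registers) is a legitimate match; it must still prune. */
static bool prunes_consistent_ids(regsafe_fn regsafe)
{
	struct reg_state old[2] = { MAP_VALUE(2), MAP_VALUE(2) };
	struct reg_state cur[2] = { MAP_VALUE(5), MAP_VALUE(5) };
	return states_equal(old, cur, 2, regsafe);
}

int main(void)
{
	printf("mismatched: before=%d after=%d  consistent: before=%d after=%d\n",
	       prunes_mismatched_ids(regsafe_before), prunes_mismatched_ids(regsafe_after),
	       prunes_consistent_ids(regsafe_before), prunes_consistent_ids(regsafe_after));
	return 0;	/* expected line: before=1 after=0  before=1 after=1 */
}
```

The point of the second scenario is the one Andrii's reply circles around: the fix must reject the 2->2 / 2->1 state without rejecting renamings that are consistent across all registers, which is exactly what recording the 2->2 mapping on the byte-identical R8 pair achieves.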
Thread overview: 21+ messages
2022-12-09 13:57 [PATCH bpf-next 0/7] stricter register ID checking in regsafe() Eduard Zingerman
2022-12-09 13:57 ` [PATCH bpf-next 1/7] bpf: regsafe() must not skip check_ids() Eduard Zingerman
2022-12-14 0:35 ` Andrii Nakryiko
2022-12-14 13:25 ` Eduard Zingerman [this message]
2022-12-14 19:37 ` Andrii Nakryiko
2022-12-09 13:57 ` [PATCH bpf-next 2/7] selftests/bpf: test cases for regsafe() bug skipping check_id() Eduard Zingerman
2022-12-09 13:57 ` [PATCH bpf-next 3/7] bpf: states_equal() must build idmap for all function frames Eduard Zingerman
2022-12-14 0:35 ` Andrii Nakryiko
2022-12-14 15:33 ` Eduard Zingerman
2022-12-14 17:24 ` Andrii Nakryiko
2022-12-09 13:57 ` [PATCH bpf-next 4/7] selftests/bpf: verify states_equal() maintains idmap across all frames Eduard Zingerman
2022-12-14 0:35 ` Andrii Nakryiko
2022-12-14 16:38 ` Eduard Zingerman
2022-12-14 17:10 ` Andrii Nakryiko
2022-12-09 13:57 ` [PATCH bpf-next 5/7] bpf: use check_ids() for active_lock comparison Eduard Zingerman
2022-12-09 13:57 ` [PATCH bpf-next 6/7] selftests/bpf: Add pruning test case for bpf_spin_lock Eduard Zingerman
2022-12-10 21:45 ` Alexei Starovoitov
2022-12-09 13:57 ` [PATCH bpf-next 7/7] selftests/bpf: test case for relaxed prunning of active_lock.id Eduard Zingerman
2022-12-10 21:50 ` [PATCH bpf-next 0/7] stricter register ID checking in regsafe() patchwork-bot+netdevbpf
2022-12-14 0:34 ` Andrii Nakryiko
2022-12-14 16:28 ` Eduard Zingerman