From: Alexei Starovoitov <ast@plumgrid.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
"David S. Miller" <davem@davemloft.net>,
Ingo Molnar <mingo@kernel.org>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
Eric Dumazet <edumazet@google.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Linux API <linux-api@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs
Date: Mon, 5 Oct 2015 14:32:29 -0700 [thread overview]
Message-ID: <5612EC6D.6080301@plumgrid.com> (raw)
In-Reply-To: <CALCETrXUqYmwRhiFLnzWDrnVX5NdpoAnSggy8pxhzRPP86i5XA@mail.gmail.com>
On 10/5/15 2:16 PM, Andy Lutomirski wrote:
> On Mon, Oct 5, 2015 at 2:12 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
>> On 10/5/15 2:00 PM, Kees Cook wrote:
>>>
>>> On Mon, Oct 5, 2015 at 1:48 PM, Alexei Starovoitov<ast@plumgrid.com>
>>> wrote:
>>>>
>>>>> In order to let unprivileged users load and execute eBPF programs
>>>>> teach verifier to prevent pointer leaks.
>>>>> Verifier will prevent
>>>>> - any arithmetic on pointers
>>>>> (except R10+Imm which is used to compute stack addresses)
>>>>> - comparison of pointers
>>>>> - passing pointers to helper functions
>>>>> - indirectly passing pointers in stack to helper functions
>>>>> - returning pointer from bpf program
>>>>> - storing pointers into ctx or maps
>>>
>>> Does the arithmetic restriction include using a pointer as an index to
>>> a maps-based tail call? I'm still worried about pointer-based
>>> side-effects.
>>
>>
>> the array maps that hold FDs (BPF_MAP_TYPE_PROG_ARRAY and
>> BPF_MAP_TYPE_PERF_EVENT_ARRAY) don't have lookup/update accessors
>> from the program side, so programs cannot see or manipulate
>> those pointers.
>> For the former only bpf_tail_call() is allowed that takes integer
>> index and jumps to it. And the latter map accessed with
>> bpf_perf_event_read() that also takes index only (this helper
>> is not available to socket filters anyway).
>> Also bpf_tail_call() can only jump to the program of the same type.
>> So I'm quite certain it's safe.
>
> At some point there will be an unprivileged way to create a map,
> though, and we don't want to let pointers get poked into the map.
yes. exactly. With these two patches non-root can create a map
against memlock user limit and have a program store bytes into it
(like data from network packet), but it cannot store pointers into it.
That's covered by test "unpriv: write pointer into map elem value"
I've added new tests for all cases that can 'leak pointer':
unpriv: return pointer OK
unpriv: add const to pointer OK
unpriv: add pointer to pointer OK
unpriv: neg pointer OK
unpriv: cmp pointer with const OK
unpriv: cmp pointer with pointer OK
unpriv: pass pointer to printk OK
unpriv: pass pointer to helper function OK
unpriv: indirectly pass pointer on stack to helper function OK
unpriv: mangle pointer on stack 1 OK
unpriv: mangle pointer on stack 2 OK
unpriv: read pointer from stack in small chunks OK
unpriv: write pointer into ctx OK
unpriv: write pointer into map elem value OK
unpriv: partial copy of pointer OK
the most interesting one is 'indirectly pass pointer'.
It checks the case where user stores a pointer into a stack
and then uses that stack region either as a key for lookup or
as part of format string for printk.
next prev parent reply other threads:[~2015-10-05 21:32 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-05 20:48 [PATCH net-next 0/2] bpf: unprivileged Alexei Starovoitov
2015-10-05 20:48 ` [PATCH net-next 1/2] bpf: enable non-root eBPF programs Alexei Starovoitov
2015-10-05 22:14 ` Daniel Borkmann
[not found] ` <5612F639.2050305-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2015-10-06 0:51 ` Alexei Starovoitov
[not found] ` <56131B1F.80002-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-06 7:13 ` Ingo Molnar
2015-10-06 8:05 ` Daniel Borkmann
2015-10-06 8:20 ` Ingo Molnar
[not found] ` <20151006082048.GA18287-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-06 8:39 ` Daniel Borkmann
[not found] ` <561388D1.30406-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2015-10-06 17:50 ` Alexei Starovoitov
2015-10-06 17:56 ` Eric Dumazet
[not found] ` <1444154160.9555.5.camel-XN9IlZ5yJG9HTL0Zs8A6p/gx64E7kk8eUsxypvmhUTTZJqsBc5GL+g@public.gmane.org>
2015-10-06 18:05 ` Andy Lutomirski
2015-10-07 6:05 ` Ingo Molnar
2015-10-06 19:26 ` Alexei Starovoitov
[not found] ` <561409EC.5050005-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-06 18:03 ` Daniel Borkmann
2015-10-06 12:45 ` Daniel Borkmann
2015-10-07 21:20 ` Alexei Starovoitov
[not found] ` <56158CAF.9030209-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-07 22:07 ` Daniel Borkmann
2015-10-07 22:22 ` Kees Cook
2015-10-07 23:49 ` Alexei Starovoitov
[not found] ` <5615AF92.50402-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-08 6:21 ` Ingo Molnar
2015-10-08 6:30 ` Alexei Starovoitov
2015-10-08 17:42 ` Kees Cook
[not found] ` <1444078101-29060-2-git-send-email-ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-05 21:00 ` Kees Cook
2015-10-05 21:12 ` Alexei Starovoitov
[not found] ` <5612E7C4.1010306-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-05 21:16 ` Andy Lutomirski
2015-10-05 21:32 ` Alexei Starovoitov [this message]
2015-10-05 22:02 ` Kees Cook
2015-10-06 0:28 ` Alexei Starovoitov
2015-10-08 2:29 ` Alexei Starovoitov
2015-10-05 20:48 ` [PATCH net-next 2/2] bpf: charge user for creation of BPF maps and programs Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5612EC6D.6080301@plumgrid.com \
--to=ast@plumgrid.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hannes@stressinduktion.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).