From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Joanne Koong <joannelkoong@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, song@kernel.org, yhs@fb.com,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
haoluo@google.com, jolsa@kernel.org, mykolal@fb.com,
dhowells@redhat.com, jarkko@kernel.org, rostedt@goodmis.org,
mingo@redhat.com, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, shuah@kernel.org, bpf@vger.kernel.org,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
deso@posteo.net, memxor@gmail.com,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH v14 02/12] bpf: Move dynptr type check to is_dynptr_type_expected()
Date: Wed, 31 Aug 2022 11:22:05 +0200 [thread overview]
Message-ID: <e3c7321ed035f00e8e70f832915065ea67d9ef3b.camel@huaweicloud.com> (raw)
In-Reply-To: <CAJnrk1bL2MSN81ORrkm9JcFQh3qsJ1jVGXEycSjyhk+Jv_Bz2Q@mail.gmail.com>
On Tue, 2022-08-30 at 09:46 -0700, Joanne Koong wrote:
> On Tue, Aug 30, 2022 at 9:18 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Move dynptr type check to is_dynptr_type_expected() from
> > is_dynptr_reg_valid_init(), so that callers can better determine
> > the cause
> > of a negative result (dynamic pointer not valid/initialized,
> > dynamic
> > pointer of the wrong type).
> >
> > Also, splitting makes the code more readable, since checking the
> > dynamic
> > pointer type is not necessarily related to validity and
> > initialization.
>
> I think it'd be helpful to also include that btf will be using these
> functions, which seems like the main motivation behind why this
> change
> is needed.
Ok, added.
> > Split the validity/initialization and dynamic pointer type check
> > also in
> > the verifier, and adjust the expected error message in the test (a
> > test for
> > an unexpected dynptr type passed to a helper cannot be added due to
> > missing
> > suitable helpers, but this case has been tested manually).
>
> The bpf_ringbuf_submit_dynptr() and bpf_ringbuf_discard_dynptr()
> helpers take in only ringbuf-type dynptrs, so either of these would
> work for testing the case where an incorrect dynptr type is passed in
> :)
Uhm, that didn't work.
If I initialize a local dynptr, and call bpf_ringbuf_submit_dynptr(), I
get:
arg 1 is an unacquired reference
The only way to make this work was to create a custom helper, with
OBJ_RELEASE removed.
> > Cc: Joanne Koong <joannelkoong@gmail.com>
> > Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> > kernel/bpf/verifier.c | 35 ++++++++++++++-
> > ----
> > .../testing/selftests/bpf/prog_tests/dynptr.c | 2 +-
> > 2 files changed, 28 insertions(+), 9 deletions(-)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 0194a36d0b36..1b913db252a3 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -779,8 +779,8 @@ static bool is_dynptr_reg_valid_uninit(struct
> > bpf_verifier_env *env, struct bpf_
> > return true;
> > }
> >
> > -static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env,
> > struct bpf_reg_state *reg,
> > - enum bpf_arg_type arg_type)
> > +static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env,
> > + struct bpf_reg_state *reg)
> > {
> > struct bpf_func_state *state = func(env, reg);
> > int spi = get_spi(reg->off);
> > @@ -796,11 +796,24 @@ static bool is_dynptr_reg_valid_init(struct
> > bpf_verifier_env *env, struct bpf_re
> > return false;
> > }
> >
> > + return true;
> > +}
> > +
> > +static bool is_dynptr_type_expected(struct bpf_verifier_env *env,
> > + struct bpf_reg_state *reg,
> > + enum bpf_arg_type arg_type)
> > +{
> > + struct bpf_func_state *state = func(env, reg);
> > + int spi = get_spi(reg->off);
> > + enum bpf_dynptr_type dynptr_type;
>
> nit: the above 2 lines should be swapped to maintain reverse
> christmas
> tree order of declarations
Ok.
Thanks
Roberto
>
> > +
> > /* ARG_PTR_TO_DYNPTR takes any type of dynptr */
> > if (arg_type == ARG_PTR_TO_DYNPTR)
> > return true;
> >
> > - return state->stack[spi].spilled_ptr.dynptr.type ==
> > arg_to_dynptr_type(arg_type);
> > + dynptr_type = arg_to_dynptr_type(arg_type);
> > +
> > + return state->stack[spi].spilled_ptr.dynptr.type ==
> > dynptr_type;
> > }
> >
> > /* The reg state of a pointer or a bounded scalar was saved when
> > @@ -6050,21 +6063,27 @@ static int check_func_arg(struct
> > bpf_verifier_env *env, u32 arg,
> > }
> >
> > meta->uninit_dynptr_regno = regno;
> > - } else if (!is_dynptr_reg_valid_init(env, reg,
> > arg_type)) {
> > + } else if (!is_dynptr_reg_valid_init(env, reg)) {
> > + verbose(env,
> > + "Expected an initialized dynptr as
> > arg #%d\n",
> > + arg + 1);
> > + return -EINVAL;
> > + } else if (!is_dynptr_type_expected(env, reg,
> > arg_type)) {
> > const char *err_extra = "";
> >
> > switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> > case DYNPTR_TYPE_LOCAL:
> > - err_extra = "local ";
> > + err_extra = "local";
> > break;
> > case DYNPTR_TYPE_RINGBUF:
> > - err_extra = "ringbuf ";
> > + err_extra = "ringbuf";
> > break;
> > default:
> > + err_extra = "<unknown>";
> > break;
> > }
> > -
> > - verbose(env, "Expected an initialized
> > %sdynptr as arg #%d\n",
> > + verbose(env,
> > + "Expected a dynptr of type %s as
> > arg #%d\n",
> > err_extra, arg + 1);
> > return -EINVAL;
> > }
> > diff --git a/tools/testing/selftests/bpf/prog_tests/dynptr.c
> > b/tools/testing/selftests/bpf/prog_tests/dynptr.c
> > index bcf80b9f7c27..8fc4e6c02bfd 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/dynptr.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/dynptr.c
> > @@ -30,7 +30,7 @@ static struct {
> > {"invalid_helper2", "Expected an initialized dynptr as arg
> > #3"},
> > {"invalid_write1", "Expected an initialized dynptr as arg
> > #1"},
> > {"invalid_write2", "Expected an initialized dynptr as arg
> > #3"},
> > - {"invalid_write3", "Expected an initialized ringbuf dynptr
> > as arg #1"},
> > + {"invalid_write3", "Expected an initialized dynptr as arg
> > #1"},
> > {"invalid_write4", "arg 1 is an unacquired reference"},
> > {"invalid_read1", "invalid read from stack"},
> > {"invalid_read2", "cannot pass in dynptr at an offset"},
> > --
> > 2.25.1
> >
next prev parent reply other threads:[~2022-08-31 9:22 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-30 16:17 [PATCH v14 00/12] bpf: Add kfuncs for PKCS#7 signature verification Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 01/12] bpf: Allow kfuncs to be used in LSM programs Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 02/12] bpf: Move dynptr type check to is_dynptr_type_expected() Roberto Sassu
2022-08-30 16:46 ` Joanne Koong
2022-08-31 9:22 ` Roberto Sassu [this message]
2022-08-30 16:17 ` [PATCH v14 03/12] btf: Allow dynamic pointer parameters in kfuncs Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 04/12] bpf: Export bpf_dynptr_get_size() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 05/12] KEYS: Move KEY_LOOKUP_ to include/linux/key.h and set KEY_LOOKUP_FLAGS_ALL Roberto Sassu
2022-08-31 2:53 ` Jarkko Sakkinen
2022-08-31 4:51 ` Jarkko Sakkinen
2022-08-31 6:29 ` Jarkko Sakkinen
2022-08-31 9:23 ` Roberto Sassu
2022-08-31 15:33 ` Alexei Starovoitov
2022-08-31 15:55 ` Roberto Sassu
2022-09-02 3:27 ` Jarkko Sakkinen
2022-08-30 16:17 ` [PATCH v14 06/12] bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 07/12] bpf: Add bpf_verify_pkcs7_signature() kfunc Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 08/12] selftests/bpf: Compile kernel with everything as built-in Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 09/12] selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 10/12] selftests/bpf: Add additional tests for bpf_lookup_*_key() Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 11/12] selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc Roberto Sassu
2022-08-30 16:17 ` [PATCH v14 12/12] selftests/bpf: Add verifier tests for dynamic pointers parameters in kfuncs Roberto Sassu
2022-08-30 16:54 ` Joanne Koong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3c7321ed035f00e8e70f832915065ea67d9ef3b.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=deso@posteo.net \
--cc=dhowells@redhat.com \
--cc=haoluo@google.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=joannelkoong@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mingo@redhat.com \
--cc=mykolal@fb.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=rostedt@goodmis.org \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).