Re: [PATCH] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Stanislav Fomichev <sdf@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>, Mykola Lysenko <mykolal@fb.com>,
	Shuah Khan <shuah@kernel.org>, Haowen Bai <baihaowen@meizu.com>,
	bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
Date: Mon, 6 Feb 2023 10:45:15 -0800	[thread overview]
Message-ID: <63e14abb.170a0220.ca425.b7bc@mx.google.com> (raw)
In-Reply-To: <CAKH8qBvqLeR3Wsbpb-v=EUY=Bw0jCP2OAaBn4tOqGmA1AqBZbA@mail.gmail.com>

On Mon, Feb 06, 2023 at 09:52:17AM -0800, Stanislav Fomichev wrote:
> On Sat, Feb 4, 2023 at 10:32 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> > flexible array. Found with GCC 13:
> >
> > ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> >   207 |                                        *(__be16 *)&key->data[i]);
> >       |                                                   ^~~~~~~~~~~~~
> > ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> >   102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> >       |                                                      ^
> > ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> >    97 | #define be16_to_cpu __be16_to_cpu
> >       |                     ^~~~~~~~~~~~~
> > ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> >   206 |                 u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> > ^
> >       |                            ^~~~~~~~~~~
> > In file included from ../include/linux/bpf.h:7:
> > ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> >    82 |         __u8    data[0];        /* Arbitrary size */
> >       |                 ^~~~
> >
> > This includes fixing the selftest which was incorrectly using a
> > variable length struct as a header, identified earlier[1]. Avoid this
> > by just explicitly including the prefixlen member instead of struct
> > bpf_lpm_trie_key.
> >
> > [1] https://lore.kernel.org/all/202206281009.4332AA33@keescook/
> >
> > Cc: Alexei Starovoitov <ast@kernel.org>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Andrii Nakryiko <andrii@kernel.org>
> > Cc: Martin KaFai Lau <martin.lau@linux.dev>
> > Cc: Song Liu <song@kernel.org>
> > Cc: Yonghong Song <yhs@fb.com>
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: KP Singh <kpsingh@kernel.org>
> > Cc: Stanislav Fomichev <sdf@google.com>
> > Cc: Hao Luo <haoluo@google.com>
> > Cc: Jiri Olsa <jolsa@kernel.org>
> > Cc: Mykola Lysenko <mykolal@fb.com>
> > Cc: Shuah Khan <shuah@kernel.org>
> > Cc: Haowen Bai <baihaowen@meizu.com>
> > Cc: bpf@vger.kernel.org
> > Cc: linux-kselftest@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  include/uapi/linux/bpf.h                         | 2 +-
> >  tools/testing/selftests/bpf/progs/map_ptr_kern.c | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index ba0f0cfb5e42..5930bc5c7e2c 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -79,7 +79,7 @@ struct bpf_insn {
> >  /* Key of an a BPF_MAP_TYPE_LPM_TRIE entry */
> >  struct bpf_lpm_trie_key {
> >         __u32   prefixlen;      /* up to 32 for AF_INET, 128 for AF_INET6 */
> > -       __u8    data[0];        /* Arbitrary size */
> > +       __u8    data[];         /* Arbitrary size */
> >  };
> 
> That's a UAPI change, can we do it? The safest option is probably just
> to remove this field if it's causing any problems (and not do the
> map_ptr_kern.c change below).

The problem was seen because "data" is used by the kernel (see the
compiler warning above). But if it can be removed, sure, that works too,
and it much nicer since the resulting structs would have fixed sizes.

> The usual use-case (at least that's what we do) is to define some new
> struct over it:
> 
> struct my_key {
>   struct bpf_lpm_trie_key prefix;
>   int a, b, c;
> };
> 
> So I really doubt that the 'data' is ever touched by any programs at all..

Horrible alternative:

struct my_key {
    union {
        struct bpf_lpm_trie_key trie;
        struct {
            u8 header[sizeof(struct bpf_lpm_trie_key)];
            int a, b, c;
        };
    };
};

Perhaps better might be:

struct bpf_lpm_trie_key {
    __u32   prefixlen;      /* up to 32 for AF_INET, 128 for AF_INET6 */
};

struct bpf_lpm_trie_key_raw {
    struct bpf_lpm_trie_key_prefix prefix;
    u8 data[];
};

struct my_key {
    struct bpf_lpm_trie_key_prefix prefix;
    int a, b, c;
};

Thoughts?

-- 
Kees Cook

next prev parent reply	other threads:[~2023-02-06 18:45 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-04 18:32 [PATCH] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Kees Cook
2023-02-06 17:52 ` Stanislav Fomichev
2023-02-06 18:45   ` Kees Cook [this message]
2023-02-06 19:17     ` Stanislav Fomichev
2023-02-09 16:36       ` Kees Cook
2023-02-09 16:55         ` Alexei Starovoitov
2023-02-09 17:48           ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=63e14abb.170a0220.ca425.b7bc@mx.google.com \
    --to=keescook@chromium.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=baihaowen@meizu.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=mykolal@fb.com \
    --cc=sdf@google.com \
    --cc=shuah@kernel.org \
    --cc=song@kernel.org \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox