[PATCH net-next] bpf/cgroup: fix a verification error for a CGROUP

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net-next] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog
@ 2017-12-18 18:13 Yonghong Song
  2017-12-19  0:46 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Yonghong Song @ 2017-12-18 18:13 UTC (permalink / raw)
  To: ast, daniel, netdev; +Cc: guro, kernel-team

The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)

  libbpf: load bpf program failed: Permission denied
  libbpf: -- BEGIN DUMP LOG ---
  libbpf:
  0: (61) r2 = *(u32 *)(r1 +4)
  1: (b7) r0 = 0
  2: (55) if r2 != 0x1 goto pc+8
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
  3: (69) r2 = *(u16 *)(r1 +0)
  invalid bpf_context access off=0 size=2
  ...

The culprit is the following statement in dev_cgroup.c:
  short type = ctx->access_type & 0xFFFF;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
  struct bpf_cgroup_dev_ctx ctx = {
        .access_type = (access << 16) | dev_type,
        .major = major,
        .minor = minor,
  };

The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.

This patch permits the field access_type to be accessible
with type u16 and u8 as well.

Signed-off-by: Yonghong Song <yhs@fb.com>
Tested-by: Roman Gushchin <guro@fb.com>
---
 include/uapi/linux/bpf.h |  3 ++-
 kernel/bpf/cgroup.c      | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 80d62e8..6aa60d4 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1001,7 +1001,8 @@ struct bpf_perf_event_value {
 #define BPF_DEVCG_DEV_CHAR	(1ULL << 1)
 
 struct bpf_cgroup_dev_ctx {
-	__u32 access_type; /* (access << 16) | type */
+	/* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
+	__u32 access_type;
 	__u32 major;
 	__u32 minor;
 };
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b789ab7..c1c0b60 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
 				       enum bpf_access_type type,
 				       struct bpf_insn_access_aux *info)
 {
+	const int size_default = sizeof(__u32);
+
 	if (type == BPF_WRITE)
 		return false;
 
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
 	/* The verifier guarantees that size > 0. */
 	if (off % size != 0)
 		return false;
-	if (size != sizeof(__u32))
-		return false;
+
+	switch (off) {
+	case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
+		bpf_ctx_record_field_size(info, size_default);
+		if (!bpf_ctx_narrow_access_ok(off, size, size_default))
+			return false;
+		break;
+	default:
+		if (size != size_default)
+			return false;
+	}
 
 	return true;
 }
-- 
2.9.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net-next] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog
  2017-12-18 18:13 [PATCH net-next] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Yonghong Song
@ 2017-12-19  0:46 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2017-12-19  0:46 UTC (permalink / raw)
  To: Yonghong Song, ast, netdev; +Cc: guro, kernel-team

On 12/18/2017 07:13 PM, Yonghong Song wrote:
> The tools/testing/selftests/bpf test program
> test_dev_cgroup fails with the following error
> when compiled with llvm 6.0. (I did not try
> with earlier versions.)
> 
>   libbpf: load bpf program failed: Permission denied
>   libbpf: -- BEGIN DUMP LOG ---
>   libbpf:
>   0: (61) r2 = *(u32 *)(r1 +4)
>   1: (b7) r0 = 0
>   2: (55) if r2 != 0x1 goto pc+8
>    R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
>   3: (69) r2 = *(u16 *)(r1 +0)
>   invalid bpf_context access off=0 size=2
>   ...
> 
> The culprit is the following statement in dev_cgroup.c:
>   short type = ctx->access_type & 0xFFFF;
> This code is typical as the ctx->access_type is assigned
> as below in kernel/bpf/cgroup.c:
>   struct bpf_cgroup_dev_ctx ctx = {
>         .access_type = (access << 16) | dev_type,
>         .major = major,
>         .minor = minor,
>   };
> 
> The compiler converts it to u16 access while
> the verifier cgroup_dev_is_valid_access rejects
> any non u32 access.
> 
> This patch permits the field access_type to be accessible
> with type u16 and u8 as well.
> 
> Signed-off-by: Yonghong Song <yhs@fb.com>
> Tested-by: Roman Gushchin <guro@fb.com>

Looks good, applied to bpf-next, thanks Yonghong!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-12-19  0:46 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-18 18:13 [PATCH net-next] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Yonghong Song
2017-12-19  0:46 ` Daniel Borkmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).