[PATCH v2 bpf-next 3/5] bpf: Reject indirect var_off stack access in unpriv mode

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Andrey Ignatov <rdna@fb.com>
To: <netdev@vger.kernel.org>
Cc: Andrey Ignatov <rdna@fb.com>, <ast@kernel.org>,
	<daniel@iogearbox.net>, <kernel-team@fb.com>
Subject: [PATCH v2 bpf-next 3/5] bpf: Reject indirect var_off stack access in unpriv mode
Date: Wed, 3 Apr 2019 15:15:22 -0700	[thread overview]
Message-ID: <2d85028d4a6017c0ecca0e3c2a06cc4f311e2205.1554329184.git.rdna@fb.com> (raw)
In-Reply-To: <cover.1554329184.git.rdna@fb.com>

Proper support of indirect stack access with variable offset in
unprivileged mode (!root) requires corresponding support in Spectre
masking for stack ALU in retrieve_ptr_limit().

There are no use-case for variable offset in unprivileged mode though so
make verifier reject such accesses for simplicity.

Pointer arithmetics is one (and only?) way to cause variable offset and
it's already rejected in unpriv mode so that verifier won't even get to
helper function whose argument contains variable offset, e.g.:

  0: (7a) *(u64 *)(r10 -16) = 0
  1: (7a) *(u64 *)(r10 -8) = 0
  2: (61) r2 = *(u32 *)(r1 +0)
  3: (57) r2 &= 4
  4: (17) r2 -= 16
  5: (0f) r2 += r10
  variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1R2
  stack pointer arithmetic goes out of range, prohibited for !root

Still it looks like a good idea to reject variable offset indirect stack
access for unprivileged mode in check_stack_boundary() explicitly.

Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrey Ignatov <rdna@fb.com>
---
 kernel/bpf/verifier.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 88a0c6e0b5a8..da90684181c9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2213,6 +2213,19 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
 		if (err)
 			return err;
 	} else {
+		/* Variable offset is prohibited for unprivileged mode for
+		 * simplicity since it requires corresponding support in
+		 * Spectre masking for stack ALU.
+		 * See also retrieve_ptr_limit().
+		 */
+		if (!env->allow_ptr_leaks) {
+			char tn_buf[48];
+
+			tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+			verbose(env, "R%d indirect variable offset stack access prohibited for !root, var_off=%s\n",
+				regno, tn_buf);
+			return -EACCES;
+		}
 		/* Only initialized buffer on stack is allowed to be accessed
 		 * with variable offset. With uninitialized buffer it's hard to
 		 * guarantee that whole memory is marked as initialized on
@@ -3355,6 +3368,9 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
 
 	switch (ptr_reg->type) {
 	case PTR_TO_STACK:
+		/* Indirect variable offset stack access is prohibited in
+		 * unprivileged mode so it's not handled here.
+		 */
 		off = ptr_reg->off + ptr_reg->var_off.value;
 		if (mask_to_left)
 			*ptr_limit = MAX_BPF_STACK + off;
-- 
2.17.1

next prev parent reply	other threads:[~2019-04-03 22:15 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-03 22:15 [PATCH v2 bpf-next 0/5] bpf: Fix indirect var_off stack access support Andrey Ignatov
2019-04-03 22:15 ` [PATCH v2 bpf-next 1/5] bpf: Reject indirect var_off stack access in raw mode Andrey Ignatov
2019-04-03 22:15 ` [PATCH v2 bpf-next 2/5] selftests/bpf: Test " Andrey Ignatov
2019-04-03 22:15 ` Andrey Ignatov [this message]
2019-04-03 22:15 ` [PATCH v2 bpf-next 4/5] selftests/bpf: Test indirect var_off stack access in unpriv mode Andrey Ignatov
2019-04-03 22:15 ` [PATCH v2 bpf-next 5/5] bpf: Add missed newline in verifier verbose log Andrey Ignatov

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:88a0c6e0b5a dfblob:da90684181c )
 OR (
bs:"[PATCH v2 bpf-next 3/5] bpf: Reject indirect var_off stack access in unpriv mode" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2d85028d4a6017c0ecca0e3c2a06cc4f311e2205.1554329184.git.rdna@fb.com \
    --to=rdna@fb.com \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kernel-team@fb.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).