From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Daniel Borkmann <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 4.4 64/87] bpf: dont (ab)use instructions to store state
Date: Mon, 15 Jan 2018 13:35:03 +0100 [thread overview]
Message-ID: <20180115123356.223306804@linuxfoundation.org> (raw)
In-Reply-To: <20180115123349.252309699@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <jakub.kicinski@netronome.com>
commit 3df126f35f88dc76eea33769f85a3c3bb8ce6c6b upstream.
Storing state in reserved fields of instructions makes
it impossible to run verifier on programs already
marked as read-only. Allocate and use an array of
per-instruction state instead.
While touching the error path rename and move existing
jump target.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 67 +++++++++++++++++++++++++++++---------------------
1 file changed, 39 insertions(+), 28 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -186,6 +186,10 @@ struct verifier_stack_elem {
struct verifier_stack_elem *next;
};
+struct bpf_insn_aux_data {
+ enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
+};
+
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
/* single container for all structs
@@ -200,6 +204,7 @@ struct verifier_env {
struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
u32 used_map_cnt; /* number of used maps */
bool allow_ptr_leaks;
+ struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
};
/* verbose verifier prints what it's seeing
@@ -1784,7 +1789,7 @@ static int do_check(struct verifier_env
return err;
} else if (class == BPF_LDX) {
- enum bpf_reg_type src_reg_type;
+ enum bpf_reg_type *prev_src_type, src_reg_type;
/* check for reserved fields is already done */
@@ -1813,16 +1818,18 @@ static int do_check(struct verifier_env
continue;
}
- if (insn->imm == 0) {
+ prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
+
+ if (*prev_src_type == NOT_INIT) {
/* saw a valid insn
* dst_reg = *(u32 *)(src_reg + off)
- * use reserved 'imm' field to mark this insn
+ * save type to validate intersecting paths
*/
- insn->imm = src_reg_type;
+ *prev_src_type = src_reg_type;
- } else if (src_reg_type != insn->imm &&
+ } else if (src_reg_type != *prev_src_type &&
(src_reg_type == PTR_TO_CTX ||
- insn->imm == PTR_TO_CTX)) {
+ *prev_src_type == PTR_TO_CTX)) {
/* ABuser program is trying to use the same insn
* dst_reg = *(u32*) (src_reg + off)
* with different pointer types:
@@ -1835,7 +1842,7 @@ static int do_check(struct verifier_env
}
} else if (class == BPF_STX) {
- enum bpf_reg_type dst_reg_type;
+ enum bpf_reg_type *prev_dst_type, dst_reg_type;
if (BPF_MODE(insn->code) == BPF_XADD) {
err = check_xadd(env, insn);
@@ -1863,11 +1870,13 @@ static int do_check(struct verifier_env
if (err)
return err;
- if (insn->imm == 0) {
- insn->imm = dst_reg_type;
- } else if (dst_reg_type != insn->imm &&
+ prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
+
+ if (*prev_dst_type == NOT_INIT) {
+ *prev_dst_type = dst_reg_type;
+ } else if (dst_reg_type != *prev_dst_type &&
(dst_reg_type == PTR_TO_CTX ||
- insn->imm == PTR_TO_CTX)) {
+ *prev_dst_type == PTR_TO_CTX)) {
verbose("same insn cannot be used with different pointers\n");
return -EINVAL;
}
@@ -2104,17 +2113,17 @@ static void convert_pseudo_ld_imm64(stru
static int convert_ctx_accesses(struct verifier_env *env)
{
struct bpf_insn *insn = env->prog->insnsi;
- int insn_cnt = env->prog->len;
+ const int insn_cnt = env->prog->len;
struct bpf_insn insn_buf[16];
struct bpf_prog *new_prog;
enum bpf_access_type type;
- int i;
+ int i, delta = 0;
if (!env->prog->aux->ops->convert_ctx_access)
return 0;
for (i = 0; i < insn_cnt; i++, insn++) {
- u32 insn_delta, cnt;
+ u32 cnt;
if (insn->code == (BPF_LDX | BPF_MEM | BPF_W))
type = BPF_READ;
@@ -2123,11 +2132,8 @@ static int convert_ctx_accesses(struct v
else
continue;
- if (insn->imm != PTR_TO_CTX) {
- /* clear internal mark */
- insn->imm = 0;
+ if (env->insn_aux_data[i].ptr_type != PTR_TO_CTX)
continue;
- }
cnt = env->prog->aux->ops->
convert_ctx_access(type, insn->dst_reg, insn->src_reg,
@@ -2137,18 +2143,16 @@ static int convert_ctx_accesses(struct v
return -EINVAL;
}
- new_prog = bpf_patch_insn_single(env->prog, i, insn_buf, cnt);
+ new_prog = bpf_patch_insn_single(env->prog, i + delta, insn_buf,
+ cnt);
if (!new_prog)
return -ENOMEM;
- insn_delta = cnt - 1;
+ delta += cnt - 1;
/* keep walking new program and skip insns we just inserted */
env->prog = new_prog;
- insn = new_prog->insnsi + i + insn_delta;
-
- insn_cnt += insn_delta;
- i += insn_delta;
+ insn = new_prog->insnsi + i + delta;
}
return 0;
@@ -2192,6 +2196,11 @@ int bpf_check(struct bpf_prog **prog, un
if (!env)
return -ENOMEM;
+ env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
+ (*prog)->len);
+ ret = -ENOMEM;
+ if (!env->insn_aux_data)
+ goto err_free_env;
env->prog = *prog;
/* grab the mutex to protect few globals used by verifier */
@@ -2210,12 +2219,12 @@ int bpf_check(struct bpf_prog **prog, un
/* log_* values have to be sane */
if (log_size < 128 || log_size > UINT_MAX >> 8 ||
log_level == 0 || log_ubuf == NULL)
- goto free_env;
+ goto err_unlock;
ret = -ENOMEM;
log_buf = vmalloc(log_size);
if (!log_buf)
- goto free_env;
+ goto err_unlock;
} else {
log_level = 0;
}
@@ -2284,14 +2293,16 @@ skip_full_check:
free_log_buf:
if (log_level)
vfree(log_buf);
-free_env:
if (!env->prog->aux->used_maps)
/* if we didn't copy map pointers into bpf_prog_info, release
* them now. Otherwise free_bpf_prog_info() will release them.
*/
release_maps(env);
*prog = env->prog;
- kfree(env);
+err_unlock:
mutex_unlock(&bpf_verifier_lock);
+ vfree(env->insn_aux_data);
+err_free_env:
+ kfree(env);
return ret;
}
next prev parent reply other threads:[~2018-01-15 12:35 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-15 12:33 [PATCH 4.4 00/87] 4.4.112-stable review Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 01/87] dm bufio: fix shrinker scans when (nr_to_scan < retain_target) Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 03/87] can: gs_usb: fix return value of the "set_bittiming" callback Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 04/87] IB/srpt: Disable RDMA access by the initiator Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 05/87] MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 06/87] MIPS: Factor out NT_PRFPREG regset access helpers Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 07/87] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 08/87] MIPS: Consistently handle buffer counter " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 09/87] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 10/87] MIPS: Also verify sizeof `elf_fpreg_t with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 11/87] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 12/87] net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 13/87] kvm: vmx: Scrub hardware GPRs at VM-exit Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 14/87] x86/vsdo: Fix build on PARAVIRT_CLOCK=y, KVM_GUEST=n Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 15/87] x86/acpi: Handle SCI interrupts above legacy space gracefully Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 16/87] iommu/arm-smmu-v3: Dont free page table ops twice Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 17/87] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 18/87] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 19/87] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 20/87] ALSA: pcm: Allow aborting mutex lock at " Greg Kroah-Hartman
2018-01-23 23:35 ` Ben Hutchings
2018-02-12 8:34 ` Takashi Iwai
2018-02-14 16:20 ` Ben Hutchings
2018-02-14 16:43 ` Takashi Iwai
2018-01-15 12:34 ` [PATCH 4.4 21/87] ALSA: aloop: Release cable upon open error path Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 22/87] ALSA: aloop: Fix inconsistent format due to incomplete rule Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 23/87] ALSA: aloop: Fix racy hw constraints adjustment Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 24/87] x86/acpi: Reduce code duplication in mp_override_legacy_irq() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 25/87] mm/compaction: fix invalid free_pfn and compact_cached_free_pfn Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 26/87] mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 27/87] mm/page-writeback: fix dirty_ratelimit calculation Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 28/87] mm/zswap: use workqueue to destroy pool Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 29/87] zswap: dont param_set_charp while holding spinlock Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 30/87] locks: dont check for race with close when setting OFD lock Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 31/87] futex: Replace barrier() in unqueue_me() with READ_ONCE() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 32/87] locking/mutex: Allow next waiter lockless wakeup Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 33/87] [media] usbvision fix overflow of interfaces array Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 34/87] usb: musb: ux500: Fix NULL pointer dereference at system PM Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 35/87] r8152: fix the wake event Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 36/87] r8152: use test_and_clear_bit Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 37/87] r8152: adjust ALDPS function Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 38/87] lan78xx: use skb_cow_head() to deal with cloned skbs Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 39/87] sr9700: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 40/87] smsc75xx: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 41/87] cx82310_eth: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 42/87] x86/mm/pat, /dev/mem: Remove superfluous error message Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 43/87] hwrng: core - sleep interruptible in read Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 44/87] sysrq: Fix warning in sysrq generated crash Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 45/87] xhci: Fix ring leak in failure path of xhci_alloc_virt_device() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 46/87] Revert "userfaultfd: selftest: vm: allow to build in vm/ directory" Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 47/87] x86/pti/efi: broken conversion from efi to kernel page table Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 48/87] 8021q: fix a memory leak for VLAN 0 device Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 49/87] ip6_tunnel: disable dst caching if tunnel is dual-stack Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 50/87] net: core: fix module type in sock_diag_bind Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 51/87] RDS: Heap OOB write in rds_message_alloc_sgs() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 52/87] RDS: null pointer dereference in rds_atomic_free_op Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 53/87] sh_eth: fix TSU resource handling Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 54/87] sh_eth: fix SH7757 GEther initialization Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 55/87] net: stmmac: enable EEE in MII, GMII or RGMII only Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 56/87] ipv6: fix possible mem leaks in ipv6_make_skb() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 57/87] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 58/87] rbd: set max_segments to USHRT_MAX Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 59/87] x86/microcode/intel: Extend BDW late-loading with a revision check Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 60/87] KVM: x86: Add memory barrier on vmcs field lookup Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 61/87] drm/vmwgfx: Potential off by one in vmw_view_add() Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 62/87] kaiser: Set _PAGE_NX only if supported Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 63/87] bpf: add bpf_patch_insn_single helper Greg Kroah-Hartman
2018-01-15 12:35 ` Greg Kroah-Hartman [this message]
2018-01-15 12:35 ` [PATCH 4.4 65/87] bpf: move fixup_bpf_calls() function Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 66/87] bpf: refactor fixup_bpf_calls() Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 67/87] bpf: adjust insn_aux_data when patching insns Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 68/87] bpf: prevent out-of-bounds speculation Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 69/87] bpf, array: fix overflow in max_entries and undefined behavior in index_mask Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 70/87] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 71/87] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 73/87] USB: serial: cp210x: add new device ID ELV ALC 8xxx Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 74/87] usb: misc: usb3503: make sure reset is low for at least 100us Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 75/87] USB: fix usbmon BUG trigger Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 76/87] usbip: remove kernel addresses from usb device and urb debug msgs Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 77/87] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 78/87] Bluetooth: Prevent stack info leak from the EFS element Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 79/87] uas: ignore UAS for Norelsys NS1068(X) chips Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 80/87] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 81/87] x86/Documentation: Add PTI description Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 82/87] sysfs/cpu: Add vulnerability folder Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 83/87] x86/cpu: Implement CPU vulnerabilites sysfs functions Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 84/87] sysfs/cpu: Fix typos in vulnerability documentation Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 85/87] x86/alternatives: Fix optimize_nops() checking Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 86/87] x86/alternatives: Add missing \n at end of ALTERNATIVE inline asm Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 87/87] selftests/x86: Add test_vsyscall Greg Kroah-Hartman
2018-01-15 13:01 ` [PATCH 4.4 00/87] 4.4.112-stable review Greg Kroah-Hartman
2018-01-15 13:47 ` Greg Kroah-Hartman
2018-01-15 20:24 ` Christoph Biedl
2018-01-15 20:29 ` Christoph Biedl
2018-01-15 16:39 ` Nathan Chancellor
2018-01-15 18:02 ` Greg Kroah-Hartman
2018-01-15 21:59 ` Dan Rue
2018-01-16 5:53 ` Greg Kroah-Hartman
2018-01-16 11:22 ` Naresh Kamboju
2018-01-16 12:15 ` Greg Kroah-Hartman
2018-01-16 14:29 ` Guenter Roeck
2018-01-16 20:24 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180115123356.223306804@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jakub.kicinski@netronome.com \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).