[bpf-next,v2,0/3] bpf: Prevent writing read-only memory

Message ID	20211025231256.4030142-1-haoluo@google.com (mailing list archive)
Headers	show Return-Path: <bpf-owner@kernel.org> Date: Mon, 25 Oct 2021 16:12:53 -0700 Message-Id: <20211025231256.4030142-1-haoluo@google.com> Mime-Version: 1.0 Subject: [PATCH bpf-next v2 0/3] bpf: Prevent writing read-only memory From: Hao Luo <haoluo@google.com> To: Alexei Starovoitov <ast@kernel.org>, Andrii Nakryiko <andrii@kernel.org>, Daniel Borkmann <daniel@iogearbox.net> Cc: KP Singh <kpsingh@kernel.org>, bpf@vger.kernel.org, Hao Luo <haoluo@google.com> Content-Type: text/plain; charset="UTF-8" Precedence: bulk
Series	bpf: Prevent writing read-only memory \| expand [bpf-next,v2,0/3] bpf: Prevent writing read-only memory [bpf-next,1/3] bpf: Prevent write to ksym memory [bpf-next,v2,2/3] bpf: Introduce ARG_PTR_TO_WRITABLE_MEM [bpf-next,v2,3/3] bpf/selftests: Test PTR_TO_RDONLY_MEM

Message ID

20211025231256.4030142-1-haoluo@google.com (mailing list archive)

Headers

Date: Mon, 25 Oct 2021 16:12:53 -0700
Message-Id: <20211025231256.4030142-1-haoluo@google.com>
Mime-Version: 1.0
Subject: [PATCH bpf-next v2 0/3] bpf: Prevent writing read-only memory
From: Hao Luo <haoluo@google.com>
To: Alexei Starovoitov <ast@kernel.org>,
        Andrii Nakryiko <andrii@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>
Cc: KP Singh <kpsingh@kernel.org>, bpf@vger.kernel.org,
        Hao Luo <haoluo@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

Series

bpf: Prevent writing read-only memory | expand

Message

Hao Luo Oct. 25, 2021, 11:12 p.m. UTC

Currently there are two ways to modify a kernel memory in bpf programs:
 1. declare a ksym of scalar type and directly modify its memory.
 2. Pass a RDONLY_BUF into a helper function which will override
 its arguments. For example, bpf_d_path, bpf_snprintf.

This patchset fixes these two problem. For the first, we introduce a
new reg type PTR_TO_RDONLY_MEM for the scalar typed ksym, which forbids
writing. Second, we introduce a new arg type ARG_PTR_TO_WRITABLE_MEM,
which is a proper subset of the ARG_PTR_TO_MEM and includes only those
reg types that are writable. For helper functions that may override its
argument, they should use ARG_PTR_TO_WRITABLE_MEM. For other helper
functions, they can continue using ARG_PTR_TO_MEM.

There is an alternative solution to the second problem, that is, an
ARG_PTR_TO_CONST_MEM, which represents the current ARG_PTR_TO_MEM, and
ARG_PTR_TO_MEM, which represents the ARG_PTR_TO_WRITABLE_MEM in this
patchset. But I find the naming here is too confusing. Most of the
helper functions should not override their arguments, therefore, using
ARG_PTR_TO_MEM sounds natural.

Hao Luo (3):
  bpf: Prevent write to ksym memory
  bpf: Introduce ARG_PTR_TO_WRITABLE_MEM
  bpf/selftests: Test PTR_TO_RDONLY_MEM

 include/linux/bpf.h                           | 15 +++++-
 include/uapi/linux/bpf.h                      |  4 +-
 kernel/bpf/cgroup.c                           |  2 +-
 kernel/bpf/helpers.c                          |  6 +--
 kernel/bpf/verifier.c                         | 54 ++++++++++++++++---
 kernel/trace/bpf_trace.c                      |  6 +--
 net/core/filter.c                             |  6 +--
 tools/include/uapi/linux/bpf.h                |  4 +-
 .../selftests/bpf/prog_tests/ksyms_btf.c      | 14 +++++
 .../bpf/progs/test_ksyms_btf_write_check.c    | 29 ++++++++++
 10 files changed, 116 insertions(+), 24 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c