From patchwork Wed Aug 23 02:07:02 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13361555
X-Patchwork-Delegate: bpf@iogearbox.net
From: Yafang Shao
To: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, eddyz87@gmail.com
Cc: bpf@vger.kernel.org, Yafang Shao, Alexei Starovoitov, stable@vger.kernel.org
Subject: [PATCH v2 bpf-next 1/2] bpf: Fix issue in verifying allow_ptr_leaks
Date: Wed, 23 Aug 2023 02:07:02 +0000
Message-Id: <20230823020703.3790-2-laoar.shao@gmail.com>
X-Mailer: git-send-email 2.39.3
In-Reply-To: <20230823020703.3790-1-laoar.shao@gmail.com>
References: <20230823020703.3790-1-laoar.shao@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

After we converted the capabilities of our networking-bpf program from
cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
failed to start because it failed the bpf verifier, and the error log is
"R3 pointer comparison prohibited".

A simple reproducer is as follows:

    SEC("cls-ingress")
    int ingress(struct __sk_buff *skb)
    {
            struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);

            if ((long)(iph + 1) > (long)skb->data_end)
                    return TC_ACT_STOLEN;
            return TC_ACT_OK;
    }

Per discussion with Yonghong and Alexei [1], comparison of two packet
pointers is not a pointer leak. This patch fixes it.

Our local kernel is 6.1.y and we expect this fix to be backported to
6.1.y, so stable is CCed.

[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/

Suggested-by: Yonghong Song
Suggested-by: Alexei Starovoitov
Signed-off-by: Yafang Shao Acked-by: Eduard Zingerman Cc: stable@vger.kernel.org --- kernel/bpf/verifier.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4ccca1f..b6b60cd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -14047,6 +14047,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, return -EINVAL; } + /* check src2 operand */ + err = check_reg_arg(env, insn->dst_reg, SRC_OP); + if (err) + return err; + + dst_reg = ®s[insn->dst_reg]; if (BPF_SRC(insn->code) == BPF_X) { if (insn->imm != 0) { verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); @@ -14058,12 +14064,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, if (err) return err; - if (is_pointer_value(env, insn->src_reg)) { + src_reg = ®s[insn->src_reg]; + if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) && + is_pointer_value(env, insn->src_reg)) { verbose(env, "R%d pointer comparison prohibited\n", insn->src_reg); return -EACCES; } - src_reg = ®s[insn->src_reg]; } else { if (insn->src_reg != BPF_REG_0) { verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); 
@@ -14071,12 +14078,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, } } - /* check src2 operand */ - err = check_reg_arg(env, insn->dst_reg, SRC_OP); - if (err) - return err; - - dst_reg = ®s[insn->dst_reg]; is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; if (BPF_SRC(insn->code) == BPF_K) {

From patchwork Wed Aug 23 02:07:03 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13361556
X-Patchwork-Delegate: bpf@iogearbox.net
From: Yafang Shao
To: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, eddyz87@gmail.com
Cc: bpf@vger.kernel.org, Yafang Shao
Subject: [PATCH v2 bpf-next 2/2] selftests/bpf: Add selftest for allow_ptr_leaks
Date: Wed, 23 Aug 2023 02:07:03 +0000
Message-Id: <20230823020703.3790-3-laoar.shao@gmail.com>
X-Mailer: git-send-email 2.39.3
In-Reply-To: <20230823020703.3790-1-laoar.shao@gmail.com>
References: <20230823020703.3790-1-laoar.shao@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  #232/1 tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1 ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  #233/2 tc_bpf_non_root:FAIL

- With prev commit

  $
tools/testing/selftests/bpf/test_progs --name=tc_bpf #232/1 tc_bpf/tc_bpf_root:OK #232/2 tc_bpf/tc_bpf_non_root:OK #232 tc_bpf:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Yafang Shao --- tools/testing/selftests/bpf/prog_tests/tc_bpf.c | 36 ++++++++++++++++++++++++- tools/testing/selftests/bpf/progs/test_tc_bpf.c | 13 +++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/tc_bpf.c b/tools/testing/selftests/bpf/prog_tests/tc_bpf.c index e873766..48b5553 100644 --- a/tools/testing/selftests/bpf/prog_tests/tc_bpf.c +++ b/tools/testing/selftests/bpf/prog_tests/tc_bpf.c @@ -3,6 +3,7 @@ #include #include +#include "cap_helpers.h" #include "test_tc_bpf.skel.h" #define LO_IFINDEX 1 @@ -327,7 +328,7 @@ static int test_tc_bpf_api(struct bpf_tc_hook *hook, int fd) return 0; } -void test_tc_bpf(void) +void tc_bpf_root(void) { DECLARE_LIBBPF_OPTS(bpf_tc_hook, hook, .ifindex = LO_IFINDEX, .attach_point = BPF_TC_INGRESS); @@ -393,3 +394,36 @@ void test_tc_bpf(void) } test_tc_bpf__destroy(skel); } + +void tc_bpf_non_root(void) +{ + struct test_tc_bpf *skel = NULL; + __u64 caps = 0; + int ret; + + /* In case CAP_BPF and CAP_PERFMON is not set */ + ret = cap_enable_effective(1ULL << CAP_BPF | 1ULL << CAP_NET_ADMIN, &caps); + if (!ASSERT_OK(ret, "set_cap_bpf_cap_net_admin")) + return; + ret = cap_disable_effective(1ULL << CAP_SYS_ADMIN | 1ULL << CAP_PERFMON, NULL); + if (!ASSERT_OK(ret, "disable_cap_sys_admin")) + goto restore_cap; + + skel = test_tc_bpf__open_and_load(); + if (!ASSERT_OK_PTR(skel, "test_tc_bpf__open_and_load")) + goto restore_cap; + + test_tc_bpf__destroy(skel); + +restore_cap: + if (caps) + cap_enable_effective(caps, NULL); +} + +void test_tc_bpf(void) +{ + if (test__start_subtest("tc_bpf_root")) + tc_bpf_root(); + if (test__start_subtest("tc_bpf_non_root")) + tc_bpf_non_root(); +} 
diff --git a/tools/testing/selftests/bpf/progs/test_tc_bpf.c b/tools/testing/selftests/bpf/progs/test_tc_bpf.c index d28ca8d..ef7da41 100644 --- a/tools/testing/selftests/bpf/progs/test_tc_bpf.c +++ b/tools/testing/selftests/bpf/progs/test_tc_bpf.c @@ -2,6 +2,8 @@ #include #include +#include +#include /* Dummy prog to test TC-BPF API */ @@ -10,3 +12,14 @@ int cls(struct __sk_buff *skb) { return 0; } + +/* Prog to verify tc-bpf without cap_sys_admin and cap_perfmon */ +SEC("tcx/ingress") +int pkt_ptr(struct __sk_buff *skb) +{ + struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); + + if ((long)(iph + 1) > (long)skb->data_end) + return 1; + return 0; +}
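Review bot: In the first kernel/bpf/verifier.c hunk, the block moved ahead of the BPF_X branch in check_cond_jmp_op() keeps the comment "/* check src2 operand */" even though it now runs first and validates insn->dst_reg. Consider rewording the comment to name the destination register and to say that dst_reg is fetched early because the packet-pointer test in the BPF_X branch needs it; otherwise the reordering looks accidental to the next reader.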
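Review bot: In the second kernel/bpf/verifier.c hunk, the new condition skips the "R%d pointer comparison prohibited" rejection whenever both operands satisfy reg_is_pkt_pointer_any(), but nothing in the code records why that pair is exempt from is_pointer_value(). Please add a short comment above the "if" carrying the reasoning from the commit message (comparing two packet pointers is not a pointer leak), so that later changes to this check or to reg_is_pkt_pointer_any() are made with the exemption in mind. Since the helper's name suggests it accepts more than one packet-pointer register type, it would also help to state which pairings are intended to pass.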
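Review bot: In tc_bpf_non_root(), added by the last hunk of prog_tests/tc_bpf.c, the comment "/* In case CAP_BPF and CAP_PERFMON is not set */" does not match the call under it, which enables CAP_BPF and CAP_NET_ADMIN; CAP_PERFMON is one of the capabilities the following call disables. Suggest "In case CAP_BPF and CAP_NET_ADMIN are not set". In the visible lines tc_bpf_root() and tc_bpf_non_root() are only called from test_tc_bpf(), so both can be declared static.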
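Review bot: The pkt_ptr program added in the last hunk of progs/test_tc_bpf.c only exercises the comparison that is now expected to load, "(long)(iph + 1) > (long)skb->data_end", and tc_bpf_non_root() only asserts that loading succeeds. Because patch 1 relaxes a verifier rejection, a companion program that compares a packet pointer with a non-packet pointer, and is expected to still fail to load without CAP_SYS_ADMIN and CAP_PERFMON, would show that the exemption is no wider than intended.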