Commit e4c80f69 authored by Alexei Starovoitov's avatar Alexei Starovoitov
Browse files

Merge branch 'add-missing-size-check-for-btf-based-ctx-access' 

Kumar Kartikeya Dwivedi says:

====================
Add missing size check for BTF-based ctx access

This set fixes a issue reported for tracing and struct ops programs
using btf_ctx_access for ctx checks, where loading a pointer argument
from the ctx doesn't enforce a BPF_DW access size check. The original
report is at link [0]. Also add a regression test along with the fix.

  [0]: https://lore.kernel.org/bpf/51338.1732985814@localhost
====================

Link: https://patch.msgid.link/20241212092050.3204165-1-memxor@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 04789af7 8025731c

kernel/bpf/btf.c

+6 −0
Original line number Diff line number Diff line
@@ -6543,6 +6543,12 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, 
		return false;

	}



	if (size != sizeof(u64)) {

		bpf_log(log, "func '%s' size %d must be 8\n",

			tname, size);

		return false;

	}



	/* check for PTR_TO_RDONLY_BUF_OR_NULL or PTR_TO_RDWR_BUF_OR_NULL */

	for (i = 0; i < prog->aux->ctx_arg_info_size; i++) {

		const struct bpf_ctx_arg_aux *ctx_arg_info = &prog->aux->ctx_arg_info[i];

tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c

+38 −2
Original line number Diff line number Diff line
@@ -11,7 +11,7 @@ __success __retval(0) 
__naked void btf_ctx_access_accept(void)

{

	asm volatile ("					\

	r2 = *(u32*)(r1 + 8);		/* load 2nd argument value (int pointer) */\

	r2 = *(u64 *)(r1 + 8);		/* load 2nd argument value (int pointer) */\

	r0 = 0;						\

	exit;						\

"	::: __clobber_all);
@@ -23,7 +23,43 @@ __success __retval(0) 
__naked void ctx_access_u32_pointer_accept(void)

{

	asm volatile ("					\

	r2 = *(u32*)(r1 + 0);		/* load 1nd argument value (u32 pointer) */\

	r2 = *(u64 *)(r1 + 0);		/* load 1nd argument value (u32 pointer) */\

	r0 = 0;						\

	exit;						\

"	::: __clobber_all);

}



SEC("fentry/bpf_fentry_test9")

__description("btf_ctx_access u32 pointer reject u32")

__failure __msg("size 4 must be 8")

__naked void ctx_access_u32_pointer_reject_32(void)

{

	asm volatile ("					\

	r2 = *(u32 *)(r1 + 0);		/* load 1st argument with narrow load */\

	r0 = 0;						\

	exit;						\

"	::: __clobber_all);

}



SEC("fentry/bpf_fentry_test9")

__description("btf_ctx_access u32 pointer reject u16")

__failure __msg("size 2 must be 8")

__naked void ctx_access_u32_pointer_reject_16(void)

{

	asm volatile ("					\

	r2 = *(u16 *)(r1 + 0);		/* load 1st argument with narrow load */\

	r0 = 0;						\

	exit;						\

"	::: __clobber_all);

}



SEC("fentry/bpf_fentry_test9")

__description("btf_ctx_access u32 pointer reject u8")

__failure __msg("size 1 must be 8")

__naked void ctx_access_u32_pointer_reject_8(void)

{

	asm volatile ("					\

	r2 = *(u8 *)(r1 + 0);		/* load 1st argument with narrow load */\

	r0 = 0;						\

	exit;						\

"	::: __clobber_all);

tools/testing/selftests/bpf/progs/verifier_d_path.c

+2 −2
Original line number Diff line number Diff line
@@ -11,7 +11,7 @@ __success __retval(0) 
__naked void d_path_accept(void)

{

	asm volatile ("					\

	r1 = *(u32*)(r1 + 0);				\

	r1 = *(u64 *)(r1 + 0);				\

	r2 = r10;					\

	r2 += -8;					\

	r6 = 0;						\
@@ -31,7 +31,7 @@ __failure __msg("helper call is not allowed in probe") 
__naked void d_path_reject(void)

{

	asm volatile ("					\

	r1 = *(u32*)(r1 + 0);				\

	r1 = *(u64 *)(r1 + 0);				\

	r2 = r10;					\

	r2 += -8;					\

	r6 = 0;						\