[PATCH bpf-next v3 0/1] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug

[PATCH bpf-next v3 0/1] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug

[ruowenq2]

From: Ruowen Qin <ruowenq2@illinois.edu>

Thanks to Alexei, patch 2/3 and 3/3 from v2 have been upstreamed. v3
primarily addresses scenarios where the compiler lacks ubsan support.

There are currently 6 BPF programs in syscall_tp_kern but the array to
hold the corresponding bpf_links in syscall_tp_user only has space for 4
programs, given the array size is hardcoded. This causes the sample
program to fail due to an out-of-bound access that corrupts other stack
variables:

  # ./syscall_tp
  prog #0: map ids 4 5
  verify map:4 val: 5
  map_lookup failed: Bad file descriptor

This patch series aims to solve this issue for now and for the future.
It first adds the -fsanitize=bounds flag to make similar bugs more
obvious at runtime. It then refactors syscall_tp_user to retrieve the
number of programs from the bpf_object and dynamically allocate the
array of bpf_links to avoid inconsistencies from hardcoding.

Changelog:
---
v2 -> v3
v2: https://lore.kernel.org/all/20230917214220.637721-1-jinghao7@illinois.edu/

* Address feddback from Alexei
  * Make the makefile smarter to detect the presence of ubsan in the compiler.

v1 -> v2
v1: https://lore.kernel.org/all/20230818164643.97782-1-jinghao@linux.ibm.com/

* Address feedback from Daniel
  * Add missing NULL check for calloc return value.
  * Remove the extra operation that sets links pointer to NULL after free.

Ruowen Qin (1):
  samples/bpf: Add -fsanitize=bounds to userspace programs

 samples/bpf/Makefile | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.42.0

[PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[ruowenq2]

From: Ruowen Qin <ruowenq2@illinois.edu>

The sanitizer flag, which is supported by both clang and gcc, would make
it easier to debug array index out-of-bounds problems in these programs.

Make the Makfile smarter to detect ubsan support from the compiler and
add the '-fsanitize=bounds' accordingly.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
---
 samples/bpf/Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index 6c707ebcebb9..90af76fa9dd8 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -169,6 +169,9 @@ endif
 TPROGS_CFLAGS += -Wall -O2
 TPROGS_CFLAGS += -Wmissing-prototypes
 TPROGS_CFLAGS += -Wstrict-prototypes
+TPROGS_CFLAGS += $(call try-run,\
+	printf "int main() { return 0; }" |\
+	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)
 
 TPROGS_CFLAGS += -I$(objtree)/usr/include
 TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
-- 
2.42.0

Re: [PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[Jiri Olsa]

On Tue, Sep 26, 2023 at 11:50:30PM -0500, ruowenq2@illinois.edu wrote:
> From: Ruowen Qin <ruowenq2@illinois.edu>
> 
> The sanitizer flag, which is supported by both clang and gcc, would make
> it easier to debug array index out-of-bounds problems in these programs.
> 
> Make the Makfile smarter to detect ubsan support from the compiler and
> add the '-fsanitize=bounds' accordingly.
> 
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
> Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
> Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
> ---
>  samples/bpf/Makefile | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
> index 6c707ebcebb9..90af76fa9dd8 100644
> --- a/samples/bpf/Makefile
> +++ b/samples/bpf/Makefile
> @@ -169,6 +169,9 @@ endif
>  TPROGS_CFLAGS += -Wall -O2
>  TPROGS_CFLAGS += -Wmissing-prototypes
>  TPROGS_CFLAGS += -Wstrict-prototypes
> +TPROGS_CFLAGS += $(call try-run,\
> +	printf "int main() { return 0; }" |\
> +	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)

I haven't checked deeply, but could we use just cc-option? looks simpler

TPROGS_CFLAGS += $(call cc-option, -fsanitize=bounds)

jirka

>  
>  TPROGS_CFLAGS += -I$(objtree)/usr/include
>  TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
> -- 
> 2.42.0
> 
> 

Re: [PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[ruowenq2]

On 9/27/23 6:03 AM, Jiri Olsa <olsajiri@gmail.com> wrote:
> On Tue, Sep 26, 2023 at 11:50:30PM -0500, ruowenq2@illinois.edu wrote:
> > From: Ruowen Qin <ruowenq2@illinois.edu>
> >
> > The sanitizer flag, which is supported by both clang and gcc, would make
> > it easier to debug array index out-of-bounds problems in these programs.
> >
> > Make the Makfile smarter to detect ubsan support from the compiler and
> > add the '-fsanitize=bounds' accordingly.
> >
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
> > Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
> > Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
> > ---
> >   samples/bpf/Makefile | 3 +++
> >   1 file changed, 3 insertions(+)
> >
> > diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
> > index 6c707ebcebb9..90af76fa9dd8 100644
> > --- a/samples/bpf/Makefile
> > +++ b/samples/bpf/Makefile
> > @@ -169,6 +169,9 @@ endif
> >   TPROGS_CFLAGS += -Wall -O2
> >   TPROGS_CFLAGS += -Wmissing-prototypes
> >   TPROGS_CFLAGS += -Wstrict-prototypes
> > +TPROGS_CFLAGS += $(call try-run,\
> > +	printf "int main() { return 0; }" |\
> > +	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)
> 
> I haven't checked deeply, but could we use just cc-option? looks simpler
> 
> TPROGS_CFLAGS += $(call cc-option, -fsanitize=bounds)
> 
> jirka

Hi, thanks for your quick reply! When checking for flags, cc-option does not execute the linker, but on Fedora, an error appears and stating that "/usr/lib64/libubsan.so.1.0.0" cannot be found during linking. So I try this seemingly cumbersome way.

Ruowen

> >   
> >   TPROGS_CFLAGS += -I$(objtree)/usr/include
> >   TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
> > -- 
> > 2.42.0
> >
> >
> 

Re: [PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[Jiri Olsa]

On Wed, Sep 27, 2023 at 06:19:10PM -0500, ruowenq2@illinois.edu wrote:
> 
> 
> On 9/27/23 6:03 AM, Jiri Olsa <olsajiri@gmail.com> wrote:
> > On Tue, Sep 26, 2023 at 11:50:30PM -0500, ruowenq2@illinois.edu wrote:
> > > From: Ruowen Qin <ruowenq2@illinois.edu>
> > >
> > > The sanitizer flag, which is supported by both clang and gcc, would make
> > > it easier to debug array index out-of-bounds problems in these programs.
> > >
> > > Make the Makfile smarter to detect ubsan support from the compiler and
> > > add the '-fsanitize=bounds' accordingly.
> > >
> > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > > Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
> > > Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
> > > Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
> > > ---
> > >   samples/bpf/Makefile | 3 +++
> > >   1 file changed, 3 insertions(+)
> > >
> > > diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
> > > index 6c707ebcebb9..90af76fa9dd8 100644
> > > --- a/samples/bpf/Makefile
> > > +++ b/samples/bpf/Makefile
> > > @@ -169,6 +169,9 @@ endif
> > >   TPROGS_CFLAGS += -Wall -O2
> > >   TPROGS_CFLAGS += -Wmissing-prototypes
> > >   TPROGS_CFLAGS += -Wstrict-prototypes
> > > +TPROGS_CFLAGS += $(call try-run,\
> > > +	printf "int main() { return 0; }" |\
> > > +	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)
> > 
> > I haven't checked deeply, but could we use just cc-option? looks simpler
> > 
> > TPROGS_CFLAGS += $(call cc-option, -fsanitize=bounds)
> > 
> > jirka
> 
> Hi, thanks for your quick reply! When checking for flags, cc-option does not execute the linker, but on Fedora, an error appears and stating that "/usr/lib64/libubsan.so.1.0.0" cannot be found during linking. So I try this seemingly cumbersome way.

I see, there's also ld-option, would that work?

jirka

> 
> Ruowen
> 
> > >   >   TPROGS_CFLAGS += -I$(objtree)/usr/include
> > >   TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
> > > -- > 2.42.0
> > >
> > >
> > 

Re: [PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[Jinghao Jia]

On 9/28/23 3:15 AM, Jiri Olsa wrote:
> On Wed, Sep 27, 2023 at 06:19:10PM -0500, ruowenq2@illinois.edu wrote:
>>
>>
>> On 9/27/23 6:03 AM, Jiri Olsa <olsajiri@gmail.com> wrote:
>>> On Tue, Sep 26, 2023 at 11:50:30PM -0500, ruowenq2@illinois.edu wrote:
>>>> From: Ruowen Qin <ruowenq2@illinois.edu>
>>>>
>>>> The sanitizer flag, which is supported by both clang and gcc, would make
>>>> it easier to debug array index out-of-bounds problems in these programs.
>>>>
>>>> Make the Makfile smarter to detect ubsan support from the compiler and
>>>> add the '-fsanitize=bounds' accordingly.
>>>>
>>>> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
>>>> Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
>>>> Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
>>>> Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
>>>> ---
>>>>   samples/bpf/Makefile | 3 +++
>>>>   1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
>>>> index 6c707ebcebb9..90af76fa9dd8 100644
>>>> --- a/samples/bpf/Makefile
>>>> +++ b/samples/bpf/Makefile
>>>> @@ -169,6 +169,9 @@ endif
>>>>   TPROGS_CFLAGS += -Wall -O2
>>>>   TPROGS_CFLAGS += -Wmissing-prototypes
>>>>   TPROGS_CFLAGS += -Wstrict-prototypes
>>>> +TPROGS_CFLAGS += $(call try-run,\
>>>> +	printf "int main() { return 0; }" |\
>>>> +	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)
>>>
>>> I haven't checked deeply, but could we use just cc-option? looks simpler
>>>
>>> TPROGS_CFLAGS += $(call cc-option, -fsanitize=bounds)
>>>
>>> jirka
>>
>> Hi, thanks for your quick reply! When checking for flags, cc-option does not execute the linker, but on Fedora, an error appears and stating that "/usr/lib64/libubsan.so.1.0.0" cannot be found during linking. So I try this seemingly cumbersome way.
> 
> I see, there's also ld-option, would that work?
> 
> jirka
> 

IMHO I don't think ld-option would solve the problem. It directly sends the
flag to the linker but -fsanitize=bounds is a compiler flag, not a linker
flag.

Basically, what's special about this case is that the feature we want to
probe is behind a gcc/clang flag but we do not know whether it is supported
until link time (e.g. the sanitizer library is missing on Fedora so we get
a link error).

--Jinghao

>>
>> Ruowen
>>
>>>>   >   TPROGS_CFLAGS += -I$(objtree)/usr/include
>>>>   TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
>>>> -- > 2.42.0
>>>>
>>>>
>>>

Re: [PATCH bpf-next v3 1/1] samples/bpf: Add -fsanitize=bounds to userspace programs

[Jiri Olsa]

On Thu, Sep 28, 2023 at 04:19:02AM -0500, Jinghao Jia wrote:
> 
> 
> On 9/28/23 3:15 AM, Jiri Olsa wrote:
> > On Wed, Sep 27, 2023 at 06:19:10PM -0500, ruowenq2@illinois.edu wrote:
> >>
> >>
> >> On 9/27/23 6:03 AM, Jiri Olsa <olsajiri@gmail.com> wrote:
> >>> On Tue, Sep 26, 2023 at 11:50:30PM -0500, ruowenq2@illinois.edu wrote:
> >>>> From: Ruowen Qin <ruowenq2@illinois.edu>
> >>>>
> >>>> The sanitizer flag, which is supported by both clang and gcc, would make
> >>>> it easier to debug array index out-of-bounds problems in these programs.
> >>>>
> >>>> Make the Makfile smarter to detect ubsan support from the compiler and
> >>>> add the '-fsanitize=bounds' accordingly.
> >>>>
> >>>> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> >>>> Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
> >>>> Signed-off-by: Jinghao Jia <jinghao7@illinois.edu>
> >>>> Signed-off-by: Ruowen Qin <ruowenq2@illinois.edu>
> >>>> ---
> >>>>   samples/bpf/Makefile | 3 +++
> >>>>   1 file changed, 3 insertions(+)
> >>>>
> >>>> diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
> >>>> index 6c707ebcebb9..90af76fa9dd8 100644
> >>>> --- a/samples/bpf/Makefile
> >>>> +++ b/samples/bpf/Makefile
> >>>> @@ -169,6 +169,9 @@ endif
> >>>>   TPROGS_CFLAGS += -Wall -O2
> >>>>   TPROGS_CFLAGS += -Wmissing-prototypes
> >>>>   TPROGS_CFLAGS += -Wstrict-prototypes
> >>>> +TPROGS_CFLAGS += $(call try-run,\
> >>>> +	printf "int main() { return 0; }" |\
> >>>> +	$(CC) -Werror -fsanitize=bounds -x c - -o "$$TMP",-fsanitize=bounds,)
> >>>
> >>> I haven't checked deeply, but could we use just cc-option? looks simpler
> >>>
> >>> TPROGS_CFLAGS += $(call cc-option, -fsanitize=bounds)
> >>>
> >>> jirka
> >>
> >> Hi, thanks for your quick reply! When checking for flags, cc-option does not execute the linker, but on Fedora, an error appears and stating that "/usr/lib64/libubsan.so.1.0.0" cannot be found during linking. So I try this seemingly cumbersome way.
> > 
> > I see, there's also ld-option, would that work?
> > 
> > jirka
> > 
> 
> IMHO I don't think ld-option would solve the problem. It directly sends the
> flag to the linker but -fsanitize=bounds is a compiler flag, not a linker
> flag.
> 
> Basically, what's special about this case is that the feature we want to
> probe is behind a gcc/clang flag but we do not know whether it is supported
> until link time (e.g. the sanitizer library is missing on Fedora so we get
> a link error).

ok, I tested on fedora, looks good

Acked-by: Jiri Olsa <jolsa@kernel.org>
Tested-by: Jiri Olsa <jolsa@kernel.org>

thanks,
jirka

> 
> --Jinghao
> 
> >>
> >> Ruowen
> >>
> >>>>   >   TPROGS_CFLAGS += -I$(objtree)/usr/include
> >>>>   TPROGS_CFLAGS += -I$(srctree)/tools/testing/selftests/bpf/
> >>>> -- > 2.42.0
> >>>>
> >>>>
> >>>

Re: [PATCH bpf-next v3 0/1] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Tue, 26 Sep 2023 23:50:29 -0500 you wrote:
> From: Ruowen Qin <ruowenq2@illinois.edu>
> 
> Thanks to Alexei, patch 2/3 and 3/3 from v2 have been upstreamed. v3
> primarily addresses scenarios where the compiler lacks ubsan support.
> 
> There are currently 6 BPF programs in syscall_tp_kern but the array to
> hold the corresponding bpf_links in syscall_tp_user only has space for 4
> programs, given the array size is hardcoded. This causes the sample
> program to fail due to an out-of-bound access that corrupts other stack
> variables:
> 
> [...]

Here is the summary with links:
  - [bpf-next,v3,1/1] samples/bpf: Add -fsanitize=bounds to userspace programs
    https://git.kernel.org/bpf/bpf-next/c/9e09b75079e2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html