* [PATCH bpf-next 0/2] Ensure line_info.insn_off cannot point to insn with zero code
@ 2018-12-19 21:01 Martin KaFai Lau
From: Martin KaFai Lau @ 2018-12-19 21:01 UTC (permalink / raw)
To: netdev; +Cc: Alexei Starovoitov, Daniel Borkmann, kernel-team
This series ensures the line_info (passed by the userspace during
bpf_prog_load) cannot have its line_info.insn_off pointing to a
zero bpf insn code. F.e. a broken userspace tool might
generate a line_info.insn_off that points to the second
8 bytes of a BPF_LD_IMM64.
The first patch is the kernel change.
The second patch is a new test case.
Martin KaFai Lau (2):
bpf: Ensure line_info.insn_off cannot point to insn with zero code
bpf: Add BPF_LD_IMM64 to the line_info test
kernel/bpf/verifier.c | 8 ++++++++
tools/testing/selftests/bpf/test_btf.c | 27 ++++++++++++++++++++++++++
2 files changed, 35 insertions(+)
--
2.17.1
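The condition the cover letter describes, shown as an added example that is not part of the posted series. The struct names, `prog`, and `first_bad_line_info()` are local stand-ins assumed to mirror the uapi layouts, and the bounds and ordering tests are the example's own, included so the array index is safe.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the uapi structs so this builds without kernel headers
 * (assumption: same field order and sizes as struct bpf_insn / bpf_line_info). */
struct insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };
struct line_info { uint32_t insn_off, file_name_off, line_off, line_col; };

#define OP_LD_IMM64 0x18 /* BPF_LD | BPF_DW | BPF_IMM */
#define OP_EXIT     0x95 /* BPF_JMP | BPF_EXIT */

/* Constructed sample: r0 = 1 (64-bit immediate, two slots); exit. */
static const struct insn prog[] = {
	{ OP_LD_IMM64, 0, 0, 1 },  /* slot 0: first half, carries the opcode */
	{ 0, 0, 0, 0 },            /* slot 1: second half, code == 0 */
	{ OP_EXIT, 0, 0, 0 },      /* slot 2 */
};
#define PROG_LEN (sizeof(prog) / sizeof(prog[0]))

/* Return -1 if every record is acceptable, else the index of the first bad one. */
int first_bad_line_info(const struct insn *insns, uint32_t insn_cnt,
			const struct line_info *li, uint32_t nr)
{
	uint32_t prev = 0;

	for (uint32_t i = 0; i < nr; i++) {
		/* bounds and ordering first, so the index below is safe */
		if (li[i].insn_off >= insn_cnt || (i && li[i].insn_off <= prev))
			return (int)i;
		/* the condition this series rejects: slot holds no opcode */
		if (!insns[li[i].insn_off].code)
			return (int)i;
		prev = li[i].insn_off;
	}
	return -1;
}

int main(void)
{
	/* offsets 0,1,2 as in the series' test case; 0,2 skips the second half */
	const struct line_info broken[] = { { .insn_off = 0 }, { .insn_off = 1 }, { .insn_off = 2 } };
	const struct line_info fixed[] = { { .insn_off = 0 }, { .insn_off = 2 } };

	printf("broken: first bad record %d\n", first_bad_line_info(prog, PROG_LEN, broken, 3));
	printf("fixed:  first bad record %d\n", first_bad_line_info(prog, PROG_LEN, fixed, 2));
	return 0;
}
```

A loader or toolchain can run the same pass over its own line_info before calling bpf_prog_load, so a bad offset is caught where it is generated.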
* [PATCH bpf-next 1/2] bpf: Ensure line_info.insn_off cannot point to insn with zero code
From: Martin KaFai Lau @ 2018-12-19 21:01 UTC (permalink / raw)
To: netdev; +Cc: Alexei Starovoitov, Daniel Borkmann, kernel-team
This patch rejects a line_info if the bpf insn code referred to by
line_info.insn_off is 0. F.e. a broken userspace tool might generate
a line_info.insn_off that points to the second 8 bytes of a BPF_LD_IMM64.
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
---
kernel/bpf/verifier.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0125731e2512..31c28505811b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4975,6 +4975,14 @@ static int check_btf_line(struct bpf_verifier_env *env,
goto err_free;
}
+ if (!prog->insnsi[linfo[i].insn_off].code) {
+ verbose(env,
+ "Invalid insn code at line_info[%u].insn_off\n",
+ i);
+ err = -EINVAL;
+ goto err_free;
+ }
+
if (!btf_name_by_offset(btf, linfo[i].line_off) ||
!btf_name_by_offset(btf, linfo[i].file_name_off)) {
verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);
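Review bot: The added read of `prog->insnsi[linfo[i].insn_off].code` is only safe if insn_off has already been checked against the program length, and the visible context above the new block shows only the tail of an earlier error branch. Please confirm that the preceding check bounds insn_off, and consider a one-line comment above the new `if` saying that a zero code marks a slot that is not the start of an instruction (the second half of a BPF_LD_IMM64, per the commit message), since the condition is not self-explanatory. The verbose() text also prints only the record index; adding the offending insn_off value, as in "line_info[%u].insn_off:%u", would let a tool author see which slot was hit without re-deriving it.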
--
2.17.1
* [PATCH bpf-next 2/2] bpf: Add BPF_LD_IMM64 to the line_info test
From: Martin KaFai Lau @ 2018-12-19 21:01 UTC (permalink / raw)
To: netdev; +Cc: Alexei Starovoitov, Daniel Borkmann, kernel-team
This patch adds a BPF_LD_IMM64 case to the line_info test
to ensure the kernel rejects line_info.insn_off pointing
to the 2nd 8 bytes of the BPF_LD_IMM64.
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
---
tools/testing/selftests/bpf/test_btf.c | 27 ++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/tools/testing/selftests/bpf/test_btf.c b/tools/testing/selftests/bpf/test_btf.c
index 8024b7d4c354..8bcd38010582 100644
--- a/tools/testing/selftests/bpf/test_btf.c
+++ b/tools/testing/selftests/bpf/test_btf.c
@@ -4253,6 +4253,33 @@ static struct prog_info_raw_test {
.expected_prog_load_failure = true,
},
+{
+ .descr = "line_info (Zero bpf insn code)",
+ .raw_types = {
+ BTF_TYPE_INT_ENC(NAME_TBD, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
+ BTF_TYPE_INT_ENC(NAME_TBD, 0, 0, 64, 8), /* [2] */
+ BTF_TYPEDEF_ENC(NAME_TBD, 2), /* [3] */
+ BTF_END_RAW,
+ },
+ BTF_STR_SEC("\0int\0unsigned long\0u64\0u64 a=1;\0return a;"),
+ .insns = {
+ BPF_LD_IMM64(BPF_REG_0, 1),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_TRACEPOINT,
+ .func_info_cnt = 0,
+ .line_info = {
+ BPF_LINE_INFO_ENC(0, 0, NAME_TBD, 1, 10),
+ BPF_LINE_INFO_ENC(1, 0, 0, 2, 9),
+ BPF_LINE_INFO_ENC(2, 0, NAME_TBD, 3, 8),
+ BTF_END_RAW,
+ },
+ .line_info_rec_size = sizeof(struct bpf_line_info),
+ .nr_jited_ksyms = 1,
+ .err_str = "Invalid insn code at line_info[1]",
+ .expected_prog_load_failure = true,
+},
+
{
.descr = "line_info (No subprog. zero tailing line_info",
.raw_types = {
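Review bot: The record that is meant to fail, `BPF_LINE_INFO_ENC(1, 0, 0, 2, 9)`, carries no comment, so a reader has to work out that insn_off 1 is the second slot of the `BPF_LD_IMM64(BPF_REG_0, 1)` at the top of .insns. A short comment on that line would make the intent clear and explain why its line_off is 0 while the neighbouring records use NAME_TBD. The case also covers only a BPF_LD_IMM64 at the start of the program; a second case with the two-slot instruction placed after another instruction would show the check does not depend on the offset being 1. The .err_str ties the test to the exact wording of the verifier message in patch 1, so the two need to change together if that message is ever extended.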
--
2.17.1
* Re: [PATCH bpf-next 0/2] Ensure line_info.insn_off cannot point to insn with zero code
From: Yonghong Song @ 2018-12-19 21:27 UTC (permalink / raw)
To: Martin Lau, netdev; +Cc: Alexei Starovoitov, Daniel Borkmann, Kernel Team
On 12/19/18 1:01 PM, Martin KaFai Lau wrote:
> This series ensures the line_info (passed by the userspace during
> bpf_prog_load) cannot have its line_info.insn_off pointing to a
> zero bpf insn code. F.e. a broken userspace tool might
> generate a line_info.insn_off that points to the second
> 8 bytes of a BPF_LD_IMM64.
>
> The first patch is the kernel change.
> The second patch is a new test case.
>
> Martin KaFai Lau (2):
> bpf: Ensure line_info.insn_off cannot point to insn with zero code
> bpf: Add BPF_LD_IMM64 to the line_info test
>
> kernel/bpf/verifier.c | 8 ++++++++
> tools/testing/selftests/bpf/test_btf.c | 27 ++++++++++++++++++++++++++
> 2 files changed, 35 insertions(+)
Looks good to me. For the whole series,
Acked-by: Yonghong Song <yhs@fb.com>
* Re: [PATCH bpf-next 0/2] Ensure line_info.insn_off cannot point to insn with zero code
From: Alexei Starovoitov @ 2018-12-19 23:46 UTC (permalink / raw)
To: Martin KaFai Lau; +Cc: netdev, Alexei Starovoitov, Daniel Borkmann, kernel-team
On Wed, Dec 19, 2018 at 01:01:01PM -0800, Martin KaFai Lau wrote:
> This series ensures the line_info (passed by the userspace during
> bpf_prog_load) cannot have its line_info.insn_off pointing to a
> zero bpf insn code. F.e. a broken userspace tool might
> generate a line_info.insn_off that points to the second
> 8 bytes of a BPF_LD_IMM64.
>
> The first patch is the kernel change.
> The second patch is a new test case.
Applied, Thanks