From: Hari Bathini <hbathini@linux.ibm.com>
To: naveen.n.rao@linux.ibm.com, christophe.leroy@csgroup.eu,
mpe@ellerman.id.au, ast@kernel.org, daniel@iogearbox.net
Cc: paulus@samba.org, andrii@kernel.org, kafai@fb.com,
songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
kpsingh@kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org,
Hari Bathini <hbathini@linux.ibm.com>
Subject: [PATCH v4 8/8] bpf ppc32: Access only if addr is kernel address
Date: Wed, 29 Sep 2021 16:48:55 +0530 [thread overview]
Message-ID: <20210929111855.50254-9-hbathini@linux.ibm.com> (raw)
In-Reply-To: <20210929111855.50254-1-hbathini@linux.ibm.com>
With KUAP enabled, any kernel code which wants to access userspace
needs to be surrounded by disable-enable KUAP. But that is not
happening for BPF_PROBE_MEM load instruction. Though PPC32 does not
support read protection, considering the fact that PTR_TO_BTF_ID
(which uses BPF_PROBE_MEM mode) could either be a valid kernel pointer
or NULL but should never be a pointer to userspace address, execute
BPF_PROBE_MEM load only if addr is kernel address, otherwise set
dst_reg=0 and move on.
This will catch NULL, valid or invalid userspace pointers. Only bad
kernel pointer will be handled by BPF exception table.
[Alexei suggested for x86]
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
---
Changes in v4:
* Adjusted the emit code to avoid using temporary reg.
arch/powerpc/net/bpf_jit_comp32.c | 34 +++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index 6ee13a09c70d..2ac81563c78d 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -818,6 +818,40 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
case BPF_LDX | BPF_PROBE_MEM | BPF_W:
case BPF_LDX | BPF_MEM | BPF_DW: /* dst = *(u64 *)(ul) (src + off) */
case BPF_LDX | BPF_PROBE_MEM | BPF_DW:
+ /*
+ * As PTR_TO_BTF_ID that uses BPF_PROBE_MEM mode could either be a valid
+ * kernel pointer or NULL but not a userspace address, execute BPF_PROBE_MEM
+ * load only if addr is kernel address (see is_kernel_addr()), otherwise
+ * set dst_reg=0 and move on.
+ */
+ if (BPF_MODE(code) == BPF_PROBE_MEM) {
+ PPC_LI32(_R0, TASK_SIZE - off);
+ EMIT(PPC_RAW_CMPLW(src_reg, _R0));
+ PPC_BCC(COND_GT, (ctx->idx + 5) * 4);
+ EMIT(PPC_RAW_LI(dst_reg, 0));
+ /*
+ * For BPF_DW case, "li reg_h,0" would be needed when
+ * !fp->aux->verifier_zext. Emit NOP otherwise.
+ *
+ * Note that "li reg_h,0" is emitted for BPF_B/H/W case,
+ * if necessary. So, jump there insted of emitting an
+ * additional "li reg_h,0" instruction.
+ */
+ if (size == BPF_DW && !fp->aux->verifier_zext)
+ EMIT(PPC_RAW_LI(dst_reg_h, 0));
+ else
+ EMIT(PPC_RAW_NOP());
+ /*
+ * Need to jump two instructions instead of one for BPF_DW case
+ * as there are two load instructions for dst_reg_h & dst_reg
+ * respectively.
+ */
+ if (size == BPF_DW)
+ PPC_JMP((ctx->idx + 3) * 4);
+ else
+ PPC_JMP((ctx->idx + 2) * 4);
+ }
+
switch (size) {
case BPF_B:
EMIT(PPC_RAW_LBZ(dst_reg, src_reg, off));
--
2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Hari Bathini <hbathini@linux.ibm.com>
To: naveen.n.rao@linux.ibm.com, christophe.leroy@csgroup.eu,
mpe@ellerman.id.au, ast@kernel.org, daniel@iogearbox.net
Cc: songliubraving@fb.com, netdev@vger.kernel.org,
john.fastabend@gmail.com, andrii@kernel.org, kpsingh@kernel.org,
paulus@samba.org, yhs@fb.com, bpf@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, kafai@fb.com,
Hari Bathini <hbathini@linux.ibm.com>
Subject: [PATCH v4 8/8] bpf ppc32: Access only if addr is kernel address
Date: Wed, 29 Sep 2021 16:48:55 +0530 [thread overview]
Message-ID: <20210929111855.50254-9-hbathini@linux.ibm.com> (raw)
In-Reply-To: <20210929111855.50254-1-hbathini@linux.ibm.com>
With KUAP enabled, any kernel code which wants to access userspace
needs to be surrounded by disable-enable KUAP. But that is not
happening for BPF_PROBE_MEM load instruction. Though PPC32 does not
support read protection, considering the fact that PTR_TO_BTF_ID
(which uses BPF_PROBE_MEM mode) could either be a valid kernel pointer
or NULL but should never be a pointer to userspace address, execute
BPF_PROBE_MEM load only if addr is kernel address, otherwise set
dst_reg=0 and move on.
This will catch NULL, valid or invalid userspace pointers. Only bad
kernel pointer will be handled by BPF exception table.
[Alexei suggested for x86]
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
---
Changes in v4:
* Adjusted the emit code to avoid using temporary reg.
arch/powerpc/net/bpf_jit_comp32.c | 34 +++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
index 6ee13a09c70d..2ac81563c78d 100644
--- a/arch/powerpc/net/bpf_jit_comp32.c
+++ b/arch/powerpc/net/bpf_jit_comp32.c
@@ -818,6 +818,40 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
case BPF_LDX | BPF_PROBE_MEM | BPF_W:
case BPF_LDX | BPF_MEM | BPF_DW: /* dst = *(u64 *)(ul) (src + off) */
case BPF_LDX | BPF_PROBE_MEM | BPF_DW:
+ /*
+ * As PTR_TO_BTF_ID that uses BPF_PROBE_MEM mode could either be a valid
+ * kernel pointer or NULL but not a userspace address, execute BPF_PROBE_MEM
+ * load only if addr is kernel address (see is_kernel_addr()), otherwise
+ * set dst_reg=0 and move on.
+ */
+ if (BPF_MODE(code) == BPF_PROBE_MEM) {
+ PPC_LI32(_R0, TASK_SIZE - off);
+ EMIT(PPC_RAW_CMPLW(src_reg, _R0));
+ PPC_BCC(COND_GT, (ctx->idx + 5) * 4);
+ EMIT(PPC_RAW_LI(dst_reg, 0));
+ /*
+ * For BPF_DW case, "li reg_h,0" would be needed when
+ * !fp->aux->verifier_zext. Emit NOP otherwise.
+ *
+ * Note that "li reg_h,0" is emitted for BPF_B/H/W case,
+ * if necessary. So, jump there insted of emitting an
+ * additional "li reg_h,0" instruction.
+ */
+ if (size == BPF_DW && !fp->aux->verifier_zext)
+ EMIT(PPC_RAW_LI(dst_reg_h, 0));
+ else
+ EMIT(PPC_RAW_NOP());
+ /*
+ * Need to jump two instructions instead of one for BPF_DW case
+ * as there are two load instructions for dst_reg_h & dst_reg
+ * respectively.
+ */
+ if (size == BPF_DW)
+ PPC_JMP((ctx->idx + 3) * 4);
+ else
+ PPC_JMP((ctx->idx + 2) * 4);
+ }
+
switch (size) {
case BPF_B:
EMIT(PPC_RAW_LBZ(dst_reg, src_reg, off));
--
2.31.1
next prev parent reply other threads:[~2021-09-29 11:20 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-29 11:18 [PATCH v4 0/8] bpf powerpc: Add BPF_PROBE_MEM support in powerpc JIT compiler Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:18 ` [PATCH v4 1/8] bpf powerpc: Remove unused SEEN_STACK Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:18 ` [PATCH v4 2/8] bpf powerpc: Remove extra_pass from bpf_jit_build_body() Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:18 ` [PATCH v4 3/8] bpf powerpc: refactor JIT compiler code Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:42 ` Christophe Leroy
2021-09-29 11:42 ` Christophe Leroy
2021-09-29 11:18 ` [PATCH v4 4/8] powerpc/ppc-opcode: introduce PPC_RAW_BRANCH() macro Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:18 ` [PATCH v4 5/8] bpf ppc64: Add BPF_PROBE_MEM support for JIT Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:43 ` Christophe Leroy
2021-09-29 11:43 ` Christophe Leroy
2021-09-29 11:47 ` Christophe Leroy
2021-09-29 11:47 ` Christophe Leroy
2021-09-30 4:18 ` Jordan Niethe
2021-09-30 4:18 ` Jordan Niethe
2021-09-29 11:18 ` [PATCH v4 6/8] bpf ppc64: Access only if addr is kernel address Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:44 ` LEROY Christophe
2021-09-29 11:44 ` LEROY Christophe
2021-09-29 11:18 ` [PATCH v4 7/8] bpf ppc32: Add BPF_PROBE_MEM support for JIT Hari Bathini
2021-09-29 11:18 ` Hari Bathini
2021-09-29 11:44 ` Christophe Leroy
2021-09-29 11:44 ` Christophe Leroy
2021-09-29 11:18 ` Hari Bathini [this message]
2021-09-29 11:18 ` [PATCH v4 8/8] bpf ppc32: Access only if addr is kernel address Hari Bathini
2021-09-29 11:45 ` Christophe Leroy
2021-09-29 11:45 ` Christophe Leroy
2023-09-14 6:18 ` Christophe Leroy
2023-09-14 6:18 ` Christophe Leroy
2023-09-14 8:23 ` Hari Bathini
2023-09-14 8:23 ` Hari Bathini
2021-09-30 20:57 ` [PATCH v4 0/8] bpf powerpc: Add BPF_PROBE_MEM support in powerpc JIT compiler Daniel Borkmann
2021-09-30 20:57 ` Daniel Borkmann
2021-10-01 21:22 ` Naveen N. Rao
2021-10-01 21:22 ` Naveen N. Rao
2021-10-03 22:49 ` Michael Ellerman
2021-10-03 22:49 ` Michael Ellerman
2021-10-04 8:05 ` Daniel Borkmann
2021-10-04 8:05 ` Daniel Borkmann
2021-10-04 8:43 ` Michael Ellerman
2021-10-04 8:43 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210929111855.50254-9-hbathini@linux.ibm.com \
--to=hbathini@linux.ibm.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=christophe.leroy@csgroup.eu \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=paulus@samba.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.