Re: [PATCH bpf-next 1/5] bpf: Add a ARG_PTR_TO_CONST_STR argument type

[Andrii Nakryiko <andrii.nakryiko@gmail.com>]

On Tue, Mar 16, 2021 at 5:46 PM Florent Revest <revest@chromium.org> wrote:
>
> On Wed, Mar 17, 2021 at 1:35 AM Andrii Nakryiko
> <andrii.nakryiko@gmail.com> wrote:
> > On Tue, Mar 16, 2021 at 4:58 PM Florent Revest <revest@chromium.org> wrote:
> > > On Tue, Mar 16, 2021 at 2:03 AM Andrii Nakryiko
> > > <andrii.nakryiko@gmail.com> wrote:
> > > > On Wed, Mar 10, 2021 at 2:02 PM Florent Revest <revest@chromium.org> wrote:
> > > > > +       } else if (arg_type == ARG_PTR_TO_CONST_STR) {
> > > > > +               struct bpf_map *map = reg->map_ptr;
> > > > > +               int map_off, i;
> > > > > +               u64 map_addr;
> > > > > +               char *map_ptr;
> > > > > +
> > > > > +               if (!map || !bpf_map_is_rdonly(map)) {
> > > > > +                       verbose(env, "R%d does not point to a readonly map'\n", regno);
> > > > > +                       return -EACCES;
> > > > > +               }
> > > > > +
> > > > > +               if (!tnum_is_const(reg->var_off)) {
> > > > > +                       verbose(env, "R%d is not a constant address'\n", regno);
> > > > > +                       return -EACCES;
> > > > > +               }
> > > > > +
> > > > > +               if (!map->ops->map_direct_value_addr) {
> > > > > +                       verbose(env, "no direct value access support for this map type\n");
> > > > > +                       return -EACCES;
> > > > > +               }
> > > > > +
> > > > > +               err = check_helper_mem_access(env, regno,
> > > > > +                                             map->value_size - reg->off,
> > > > > +                                             false, meta);
> > > >
> > > > you expect reg to be PTR_TO_MAP_VALUE, so probably better to directly
> > > > use check_map_access(). And double-check that register is of expected
> > > > type. just the presence of ref->map_ptr might not be sufficient?
> > >
> > > Sorry, just making sure I understand your comment correctly, are you
> > > suggesting that we:
> > > 1- skip the check_map_access_type() currently done by
> > > check_helper_mem_access()? or did you implicitly mean that we should
> > > call it as well next to check_map_access() ?
> >
> > check_helper_mem_access() will call check_map_access() for
> > PTR_TO_MAP_VALUE and we expect only PTR_TO_MAP_VALUE, right? So why go
> > through check_helper_mem_access() if we know we need
> > check_map_access()? Less indirection, more explicit. So I meant
> > "replace check_helper_mem_access() with check_map_access()".
>
> Mhh I suspect there's still a misunderstanding, these function names
> are really confusing ahah.
> What about check_map_access*_type*. which is also called by
> check_helper_mem_access (before check_map_access):
> https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/verifier.c#n4329
>
> Your message sounds like we should skip it so I was asking if that's
> what you also implicitly meant or if you missed it?

ah, you meant READ/WRITE access? ok, let's keep
check_helper_mem_access() then, never mind me

>
> > > 2- enforce (reg->type == PTR_TO_MAP_VALUE) even if currently
> > > guaranteed by compatible_reg_types, just to stay on the safe side ?
> >
> > I can't follow compatible_reg_types :( If it does, then I guess it's
> > fine without this check.
>
> It's alright, I can keep an extra check just for safety. :)