From: Frank van der Linden <fllinden@amazon.com>
To: <stable@vger.kernel.org>
Cc: <bpf@vger.kernel.org>, <daniel@iogearbox.net>
Subject: [PATCH v2 4.14 05/17] bpf: Improve verifier error messages for users
Date: Mon, 31 May 2021 18:25:44 +0000 [thread overview]
Message-ID: <20210531182556.25277-6-fllinden@amazon.com> (raw)
In-Reply-To: <20210531182556.25277-1-fllinden@amazon.com>
From: Daniel Borkmann <daniel@iogearbox.net>
commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream.
Consolidate all error handling and provide more user-friendly error messages
from sanitize_ptr_alu() and sanitize_val_alu().
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[fllinden@amazon.com: backport to 4.14]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
---
kernel/bpf/verifier.c | 84 +++++++++++++++++++++++++++++++------------
1 file changed, 62 insertions(+), 22 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 12cb6b1c4e9b..b44a4efeb1be 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2024,6 +2024,14 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
return &env->insn_aux_data[env->insn_idx];
}
+enum {
+ REASON_BOUNDS = -1,
+ REASON_TYPE = -2,
+ REASON_PATHS = -3,
+ REASON_LIMIT = -4,
+ REASON_STACK = -5,
+};
+
static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
const struct bpf_reg_state *off_reg,
u32 *alu_limit, u8 opcode)
@@ -2035,7 +2043,7 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
if (!tnum_is_const(off_reg->var_off) &&
(off_reg->smin_value < 0) != (off_reg->smax_value < 0))
- return -EACCES;
+ return REASON_BOUNDS;
switch (ptr_reg->type) {
case PTR_TO_STACK:
@@ -2059,11 +2067,11 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
}
break;
default:
- return -EINVAL;
+ return REASON_TYPE;
}
if (ptr_limit >= max)
- return -ERANGE;
+ return REASON_LIMIT;
*alu_limit = ptr_limit;
return 0;
}
@@ -2083,7 +2091,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
if (aux->alu_state &&
(aux->alu_state != alu_state ||
aux->alu_limit != alu_limit))
- return -EACCES;
+ return REASON_PATHS;
/* Corresponding fixup done in fixup_bpf_calls(). */
aux->alu_state = alu_state;
@@ -2156,7 +2164,46 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
if (!ptr_is_dst_reg && ret)
*dst_reg = tmp;
- return !ret ? -EFAULT : 0;
+ return !ret ? REASON_STACK : 0;
+}
+
+static int sanitize_err(struct bpf_verifier_env *env,
+ const struct bpf_insn *insn, int reason,
+ const struct bpf_reg_state *off_reg,
+ const struct bpf_reg_state *dst_reg)
+{
+ static const char *err = "pointer arithmetic with it prohibited for !root";
+ const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub";
+ u32 dst = insn->dst_reg, src = insn->src_reg;
+
+ switch (reason) {
+ case REASON_BOUNDS:
+ verbose("R%d has unknown scalar with mixed signed bounds, %s\n",
+ off_reg == dst_reg ? dst : src, err);
+ break;
+ case REASON_TYPE:
+ verbose("R%d has pointer with unsupported alu operation, %s\n",
+ off_reg == dst_reg ? src : dst, err);
+ break;
+ case REASON_PATHS:
+ verbose("R%d tried to %s from different maps, paths or scalars, %s\n",
+ dst, op, err);
+ break;
+ case REASON_LIMIT:
+ verbose("R%d tried to %s beyond pointer bounds, %s\n",
+ dst, op, err);
+ break;
+ case REASON_STACK:
+ verbose("R%d could not be pushed for speculative verification, %s\n",
+ dst, err);
+ break;
+ default:
+ verbose("verifier internal error: unknown reason (%d)\n",
+ reason);
+ break;
+ }
+
+ return -EACCES;
}
/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
@@ -2230,10 +2277,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
switch (opcode) {
case BPF_ADD:
ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
- if (ret < 0) {
- verbose("R%d tried to add from different maps, paths, or prohibited types\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, off_reg, dst_reg);
+
/* We can take a fixed offset as long as it doesn't overflow
* the s32 'off' field
*/
@@ -2285,10 +2331,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
break;
case BPF_SUB:
ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
- if (ret < 0) {
- verbose("R%d tried to sub from different maps, paths, or prohibited types\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, off_reg, dst_reg);
+
if (dst_reg == off_reg) {
/* scalar -= pointer. Creates an unknown scalar */
if (!env->allow_ptr_leaks)
@@ -2412,7 +2457,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
s64 smin_val, smax_val;
u64 umin_val, umax_val;
u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
- u32 dst = insn->dst_reg;
int ret;
if (insn_bitness == 32) {
@@ -2449,10 +2493,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
switch (opcode) {
case BPF_ADD:
ret = sanitize_val_alu(env, insn);
- if (ret < 0) {
- verbose("R%d tried to add from different pointers or scalars\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
signed_add_overflows(dst_reg->smax_value, smax_val)) {
dst_reg->smin_value = S64_MIN;
@@ -2473,10 +2515,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
break;
case BPF_SUB:
ret = sanitize_val_alu(env, insn);
- if (ret < 0) {
- verbose("R%d tried to sub from different pointers or scalars\n", dst);
- return ret;
- }
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
signed_sub_overflows(dst_reg->smax_value, smin_val)) {
/* Overflow possible, we know nothing */
--
2.23.4
next prev parent reply other threads:[~2021-05-31 18:26 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 18:25 [PATCH v2 4.14 00/16] CVE fixes and selftests cleanup Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 01/17] bpf, selftests: Fix up some test_verifier cases for unprivileged Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 02/17] bpf: Move off_reg into sanitize_ptr_alu Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 03/17] bpf: Ensure off_reg has no mixed signed bounds for all types Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 04/17] bpf: Rework ptr_limit into alu_limit and add common error path Frank van der Linden
2021-05-31 18:25 ` Frank van der Linden [this message]
2021-05-31 18:25 ` [PATCH v2 4.14 06/17] bpf: Refactor and streamline bounds check into helper Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 07/17] bpf: Move sanitize_val_alu out of op switch Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 08/17] bpf: Tighten speculative pointer arithmetic mask Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 09/17] bpf: Update selftests to reflect new error states Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 10/17] bpf: do not allow root to mangle valid pointers Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 11/17] bpf/verifier: disallow pointer subtraction Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 12/17] selftests/bpf: fix test_align Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 13/17] selftests/bpf: make 'dubious pointer arithmetic' test useful Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 14/17] bpf: Fix leakage of uninitialized bpf stack under speculation Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 15/17] bpf: Wrap aux data inside bpf_sanitize_info container Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 16/17] bpf: Fix mask direction swap upon off reg sign change Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 17/17] bpf: No need to simulate speculative domain for immediates Frank van der Linden
2021-06-08 14:48 ` [PATCH v2 4.14 00/16] CVE fixes and selftests cleanup Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531182556.25277-6-fllinden@amazon.com \
--to=fllinden@amazon.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).