From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <kafai@fb.com>,
"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
"Jesper Dangaard Brouer" <brouer@redhat.com>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
netdev@vger.kernel.org
Subject: [PATCH bpf-next v3 02/10] bpf: Be conservative while processing invalid kfunc calls
Date: Wed, 15 Sep 2021 10:39:35 +0530 [thread overview]
Message-ID: <20210915050943.679062-3-memxor@gmail.com> (raw)
In-Reply-To: <20210915050943.679062-1-memxor@gmail.com>
This patch also modifies the BPF verifier to only return error for
invalid kfunc calls specially marked by userspace (with insn->imm == 0,
insn->off == 0) after the verifier has eliminated dead instructions.
This can be handled in the fixup stage, and skip processing during add
and check stages.
If such an invalid call is dropped, the fixup stage will not encounter
insn->imm as 0, otherwise it bails out and returns an error.
This will be exposed as weak ksym support in libbpf in subsequent patch.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
kernel/bpf/verifier.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 3a35af7d1180..f241ba78b970 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1817,6 +1817,15 @@ static int add_kfunc_call(struct bpf_verifier_env *env, u32 func_id, s16 offset)
prog_aux->kfunc_tab = tab;
}
+ /* btf idr allocates IDs from 1, so func_id == 0 is always invalid, but
+ * instead of returning an error, be conservative and wait until the
+ * code elimination pass before returning error, so that invalid calls
+ * that get pruned out can be in BPF programs loaded from userspace.
+ * It is also required that offset be untouched (0) for such calls.
+ */
+ if (!func_id && !offset)
+ return 0;
+
if (!btf_tab && offset) {
btf_tab = kzalloc(sizeof(*btf_tab), GFP_KERNEL);
if (!btf_tab)
@@ -6627,6 +6636,10 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn)
struct btf *desc_btf;
int err;
+ /* skip for now, but return error when we find this in fixup_kfunc_call */
+ if (!insn->imm)
+ return 0;
+
desc_btf = find_kfunc_desc_btf(env, insn->imm, insn->off, &btf_mod);
if (IS_ERR(desc_btf))
return PTR_ERR(desc_btf);
@@ -12761,6 +12774,11 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env,
{
const struct bpf_kfunc_desc *desc;
+ if (!insn->imm) {
+ verbose(env, "invalid kernel function call not eliminated in verifier pass\n");
+ return -EINVAL;
+ }
+
/* insn->imm has the btf func_id. Replace it with
* an address (relative to __bpf_base_call).
*/
--
2.33.0
next prev parent reply other threads:[~2021-09-15 5:09 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-15 5:09 [PATCH bpf-next v3 00/10] Support kernel module function calls from eBPF Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 01/10] bpf: Introduce BPF support for kernel module function calls Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` Kumar Kartikeya Dwivedi [this message]
2021-09-15 5:09 ` [PATCH bpf-next v3 03/10] bpf: btf: Introduce helpers for dynamic BTF set registration Kumar Kartikeya Dwivedi
2021-09-15 16:18 ` Alexei Starovoitov
2021-09-15 18:06 ` Kumar Kartikeya Dwivedi
2021-09-16 3:04 ` Alexei Starovoitov
2021-09-15 5:09 ` [PATCH bpf-next v3 04/10] tools: Allow specifying base BTF file in resolve_btfids Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 05/10] bpf: Enable TCP congestion control kfunc from modules Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 06/10] bpf: Bump MAX_BPF_STACK size to 768 bytes Kumar Kartikeya Dwivedi
2021-09-15 16:33 ` Alexei Starovoitov
2021-09-15 17:57 ` Kumar Kartikeya Dwivedi
2021-09-16 2:56 ` Alexei Starovoitov
2021-09-15 5:09 ` [PATCH bpf-next v3 07/10] libbpf: Support kernel module function calls Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 08/10] libbpf: Resolve invalid weak kfunc calls with imm = 0, off = 0 Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 09/10] libbpf: Update gen_loader to emit BTF_KIND_FUNC relocations Kumar Kartikeya Dwivedi
2021-09-15 5:09 ` [PATCH bpf-next v3 10/10] bpf, selftests: Add basic test for module kfunc call Kumar Kartikeya Dwivedi
2021-09-15 16:04 ` [PATCH bpf-next v3 00/10] Support kernel module function calls from eBPF Andrii Nakryiko
2021-09-15 18:03 ` Kumar Kartikeya Dwivedi
2021-09-15 18:05 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210915050943.679062-3-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brouer@redhat.com \
--cc=daniel@iogearbox.net \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=toke@redhat.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).