[PATCH bpf-next v1 00/13] Fixes for dynptr

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Martin KaFai Lau <martin.lau@kernel.org>,
	Joanne Koong <joannelkoong@gmail.com>,
	David Vernet <void@manifault.com>
Subject: [PATCH bpf-next v1 00/13] Fixes for dynptr
Date: Tue, 18 Oct 2022 19:29:07 +0530	[thread overview]
Message-ID: <20221018135920.726360-1-memxor@gmail.com> (raw)

This set fixes multiple issues in the dynptr code discovered during code
review.

 - Missing dynptr stack slot liveness propagation
 - Missing checks for PTR_TO_STACK variable offset
 - Incomplete destruction of dynptr stack slots on writes
 - Modification of dynptr struct through callback argument
   with reg->type == PTR_TO_DYNPTR

These can be abused to perform arbitrary kernel memory reads/writes by
replacing dynptr contents.

The first three cases are now unreachable from unprivileged BPF since
the commit 8addbfc7b308 ("bpf: Gate dynptr API behind CAP_BPF") which
has been applied to released stable kernels v6.0.1 and v5.19.15.

The changes are fairly intrusive and non-trivial, in-depth review is
warranted, as they rework the code before making the fixes to it, but
for the better (IMO).

Please see the individual commit logs for the details.

Kumar Kartikeya Dwivedi (13):
  bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func
  bpf: Rework process_dynptr_func
  bpf: Rename confusingly named RET_PTR_TO_ALLOC_MEM
  bpf: Rework check_func_arg_reg_off
  bpf: Fix state pruning for STACK_DYNPTR stack slots
  bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR
  bpf: Fix partial dynptr stack slot reads/writes
  bpf: Use memmove for bpf_dynptr_{read,write}
  selftests/bpf: Add test for dynptr reinit in user_ringbuf callback
  selftests/bpf: Add dynptr pruning tests
  selftests/bpf: Add dynptr var_off tests
  selftests/bpf: Add dynptr partial slot overwrite tests
  selftests/bpf: Add dynptr helper tests

 include/linux/bpf.h                           |  10 +-
 include/linux/bpf_verifier.h                  |   8 +-
 include/uapi/linux/bpf.h                      |   8 +-
 kernel/bpf/btf.c                              |  22 +-
 kernel/bpf/helpers.c                          |  22 +-
 kernel/bpf/verifier.c                         | 574 ++++++++++++++----
 scripts/bpf_doc.py                            |   1 +
 tools/include/uapi/linux/bpf.h                |   8 +-
 .../testing/selftests/bpf/prog_tests/dynptr.c |   9 +-
 .../bpf/prog_tests/kfunc_dynptr_param.c       |   5 +-
 .../selftests/bpf/prog_tests/user_ringbuf.c   |  12 +-
 .../testing/selftests/bpf/progs/dynptr_fail.c |  35 ++
 .../selftests/bpf/progs/dynptr_success.c      |  20 +
 .../bpf/progs/test_kfunc_dynptr_param.c       |  12 -
 .../selftests/bpf/progs/user_ringbuf_fail.c   |  35 ++
 tools/testing/selftests/bpf/verifier/dynptr.c | 182 ++++++
 .../testing/selftests/bpf/verifier/ringbuf.c  |   2 +-
 17 files changed, 780 insertions(+), 185 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c

-- 
2.38.0