From: Andy Lutomirski <luto@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Andy Lutomirski <luto@kernel.org>, Yonghong Song <yhs@fb.com>,
Jann Horn <jannh@google.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andriin@fb.com>, Martin KaFai Lau <kafai@fb.com>,
bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
kernel-team <kernel-team@fb.com>, X86 ML <x86@kernel.org>,
KP Singh <kpsingh@kernel.org>
Subject: Re: [PATCH bpf] x86/bpf: handle bpf-program-triggered exceptions properly
Date: Thu, 28 Jan 2021 16:29:51 -0800 [thread overview]
Message-ID: <CALCETrUQuf6FX9EmuZur7vRwbeZBmoKeSYb9Rvx2ETp76SukOg@mail.gmail.com> (raw)
In-Reply-To: <20210129002642.iqlbssmp267zv7f2@ast-mbp.dhcp.thefacebook.com>
On Thu, Jan 28, 2021 at 4:26 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Thu, Jan 28, 2021 at 04:18:24PM -0800, Andy Lutomirski wrote:
> > On Thu, Jan 28, 2021 at 4:11 PM Alexei Starovoitov
> > <alexei.starovoitov@gmail.com> wrote:
> > >
> > > On Thu, Jan 28, 2021 at 03:51:13PM -0800, Andy Lutomirski wrote:
> > > >
> > > > Okay, so I guess you're trying to inline probe_read_kernel(). But
> > > > that means you have to inline a valid implementation. In particular,
> > > > you need to check that you're accessing *kernel* memory. Just like
> > >
> > > That check is on the verifier side. It only does it for kernel
> > > pointers with known types.
> > > In a sequnce a->b->c the verifier guarantees that 'a' is valid
> > > kernel pointer and it's also !null. Then it guarantees that offsetof(b)
> > > points to valid kernel field which is also a pointer.
> > > What it doesn't check that b != null, so
> > > that users don't have to write silly code with 'if (p)' after every
> > > dereference.
> >
> > That sounds like a verifier and/or JIT bug. If you have a pointer p
> > (doesn't matter whether p is what you call a or a->b) and you have not
> > confirmed that p points to the kernel range, you may not generate a
> > load from that pointer.
>
> Please read the explanation again. It's an inlined probe_kernel_read.
Can you point me at the uninlined implementation? Does it still
exist? I see get_kernel_nofault(), which is currently buggy, and I
will fix it.
>
> > >
> > > > how get_user() validates that the pointer points into user memory,
> > > > your helper should bounds check the pointer. On x86, you could check
> > > > the high bit.
> > > >
> > > > As an extra complication, we should really add logic to
> > > > get_kernel_nofault() to verify that the pointer points into actual
> > > > memory as opposed to MMIO space (or future incoherent MKTME space or
> > > > something like that, sigh). This will severely complicate inlining
> > > > it. And we should *really* make the same fix to get_kernel_nofault()
> > > > -- it should validate that the pointer is a kernel pointer.
> > > >
> > > > Is this really worth inlining instead of having the BPF JIT generate
> > > > an out of line call to a real C function? That would let us put in a
> > > > sane implementation.
> > >
> > > It's out of the question.
> > > JIT cannot generate a helper call for single bpf insn without huge overhead.
> > > All registers are used. It needs full save/restore, stack increase, etc.
> > >
> > > Anyhow I bet the bug we're discussing has nothing to do with bpf and jit.
> > > Something got changed and now probe_kernel_read(NULL) warns on !SMAP.
> > > This is something to debug.
> >
> > The bug is in bpf.
>
> If you don't care to debug please don't provide wrong guesses.
BPF generated a NULL pointer dereference (where NULL is a user
pointer) and expected it to recover cleanly. What exactly am I
supposed to debug? IMO the only thing wrong with the x86 code is that
it doesn't complain more loudly. I will fix that, too.
--Andy
next prev parent reply other threads:[~2021-01-29 0:30 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-26 0:12 [PATCH bpf] x86/bpf: handle bpf-program-triggered exceptions properly Yonghong Song
2021-01-26 9:15 ` Peter Zijlstra
2021-01-26 19:21 ` Yonghong Song
2021-01-27 9:30 ` Peter Zijlstra
2021-01-27 21:07 ` Andrii Nakryiko
2021-01-27 21:47 ` Andy Lutomirski
2021-01-28 1:05 ` Yonghong Song
2021-01-28 23:51 ` Andy Lutomirski
2021-01-29 0:11 ` Alexei Starovoitov
2021-01-29 0:18 ` Andy Lutomirski
2021-01-29 0:26 ` Alexei Starovoitov
2021-01-29 0:29 ` Andy Lutomirski [this message]
2021-01-29 0:32 ` Andy Lutomirski
2021-01-29 0:41 ` Alexei Starovoitov
2021-01-29 0:45 ` Andy Lutomirski
2021-01-29 1:04 ` Alexei Starovoitov
2021-01-29 1:31 ` Andy Lutomirski
2021-01-29 1:53 ` Alexei Starovoitov
2021-01-29 2:18 ` Andy Lutomirski
2021-01-29 2:32 ` Alexei Starovoitov
2021-01-29 3:09 ` Andy Lutomirski
2021-01-29 3:26 ` Alexei Starovoitov
2021-01-29 0:35 ` Jann Horn
2021-01-29 0:43 ` Alexei Starovoitov
2021-01-29 1:03 ` Jann Horn
2021-01-29 1:08 ` Alexei Starovoitov
[not found] <YBPToXfWV1ekRo4q@hirez.programming.kicks-ass.net>
[not found] ` <97EF0157-F068-4234-B826-C08B7324F356@amacapital.net>
2021-01-29 23:11 ` Alexei Starovoitov
2021-01-29 23:30 ` Andy Lutomirski
2021-01-30 2:54 ` Alexei Starovoitov
2021-01-31 17:32 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrUQuf6FX9EmuZur7vRwbeZBmoKeSYb9Rvx2ETp76SukOg@mail.gmail.com \
--to=luto@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jannh@google.com \
--cc=kafai@fb.com \
--cc=kernel-team@fb.com \
--cc=kpsingh@kernel.org \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).