Date: Sat, 9 Feb 2019 20:02:43 -0800
From: Alexei Starovoitov
To: Martin KaFai Lau
Cc: netdev@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann, kernel-team@fb.com, Joe Stringer
Subject: Re: [PATCH bpf] bpf: Fix narrow load on a bpf_sock returned from sk_lookup()
Message-ID: <20190210040241.wtsldfavw2vk3afv@ast-mbp>
In-Reply-To: <20190209062554.142612-1-kafai@fb.com>
X-Mailing-List: netdev@vger.kernel.org

On Fri, Feb 08, 2019 at 10:25:54PM -0800, Martin KaFai Lau wrote:
> By adding this test to test_verifier:
> {
> 	"reference tracking: access sk->src_ip4 (narrow load)",
> 	.insns = {
> 	BPF_SK_LOOKUP,
> 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
> 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
> 	BPF_LDX_MEM(BPF_H, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, src_ip4) + 2),
> 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> 	BPF_EMIT_CALL(BPF_FUNC_sk_release),
> 	BPF_EXIT_INSN(),
> 	},
> 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
> 	.result = ACCEPT,
> },
>
> The above test loads 2 bytes from sk->src_ip4 where
> sk is obtained by bpf_sk_lookup_tcp().
>
> It hits an internal verifier error from convert_ctx_accesses():
> [root@arch-fb-vm1 bpf]# ./test_verifier 665 665
> Failed to load prog 'Invalid argument'!
> 0: (b7) r2 = 0
> 1: (63) *(u32 *)(r10 -8) = r2
> 2: (7b) *(u64 *)(r10 -16) = r2
> 3: (7b) *(u64 *)(r10 -24) = r2
> 4: (7b) *(u64 *)(r10 -32) = r2
> 5: (7b) *(u64 *)(r10 -40) = r2
> 6: (7b) *(u64 *)(r10 -48) = r2
> 7: (bf) r2 = r10
> 8: (07) r2 += -48
> 9: (b7) r3 = 36
> 10: (b7) r4 = 0
> 11: (b7) r5 = 0
> 12: (85) call bpf_sk_lookup_tcp#84
> 13: (bf) r6 = r0
> 14: (15) if r0 == 0x0 goto pc+3
> R0=sock(id=1,off=0,imm=0) R6=sock(id=1,off=0,imm=0) R10=fp0,call_-1 fp-8=????0000 fp-16=0000mmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm refs=1
> 15: (69) r2 = *(u16 *)(r0 +26)
> 16: (bf) r1 = r6
> 17: (85) call bpf_sk_release#86
> 18: (95) exit
>
> from 14 to 18: safe
> processed 20 insns (limit 131072), stack depth 48
> bpf verifier is misconfigured
> Summary: 0 PASSED, 0 SKIPPED, 1 FAILED
>
> The bpf_sock_is_valid_access() expects that src_ip4 can be narrowly
> loaded (meaning any 1 or 2 bytes of src_ip4 can be loaded) by
> marking info->ctx_field_size. However, this marked
> ctx_field_size is not used. This patch fixes it.
>
> Due to the recent refactoring in test_verifier,
> this new test will be added to the bpf-next branch
> (together with the bpf_tcp_sock patchset)
> to avoid merge conflict.
>
> Fixes: c64b7983288e ("bpf: Add PTR_TO_SOCKET verifier type")
> Cc: Joe Stringer
> Signed-off-by: Martin KaFai Lau

Applied to bpf tree.
Martin, if your is_fullsock work depends on it, I can apply the fix to bpf-next as well. Just let me know.
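The following is an added example, not kernel code and not part of this thread. It is a deliberately simplified model of the narrow-load path the quoted commit message talks about: is_valid_access() marks the width of the field being read (ctx_field_size), convert_ctx_accesses() uses that width to widen a 1- or 2-byte read to the whole field before handing it to the per-type converter, and then shifts and masks the result down to the bytes the program asked for. When that width is never recorded, the converter sees a 2-byte load at src_ip4+2, which it does not know how to translate, and the load fails the same way the test above did. The struct layout, field values, the `ctx_sock` name and all helper names are constructed for illustration; a little-endian host is assumed for the shift arithmetic.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the slice of struct bpf_sock the test touches.
 * Field order and offsets are illustrative, not the kernel's layout. */
struct ctx_sock {
	uint32_t family;
	uint32_t type;
	uint32_t protocol;
	uint32_t src_ip4;	/* IPv4 address, network byte order */
	uint32_t src_port;
};

/* What the is_valid_access() callback reports for one load. */
struct access_info {
	int allowed;
	size_t ctx_field_size;	/* width of the field containing the access */
};

/* Model of bpf_sock_is_valid_access(): src_ip4 may be read as any 1, 2 or
 * 4 bytes that stay inside the field, and the full field width is marked so
 * the verifier can widen the load later. */
static struct access_info sock_is_valid_access(size_t off, size_t size)
{
	struct access_info info = { 0, 0 };
	const size_t fo = offsetof(struct ctx_sock, src_ip4);
	const size_t fs = sizeof(((struct ctx_sock *)0)->src_ip4);

	if ((size == 1 || size == 2 || size == 4) &&
	    off >= fo && off + size <= fo + fs) {
		info.allowed = 1;
		info.ctx_field_size = fs;
	}
	return info;
}

/* Model of the per-type convert_ctx_access() callback: it only translates a
 * full-width load at the field's own offset and emits nothing (returns 0)
 * for any other shape, which is what convert_ctx_accesses() reports as
 * "bpf verifier is misconfigured". */
static int sock_convert_ctx_access(const struct ctx_sock *sk, size_t off,
				   size_t size, uint64_t *val)
{
	if (off == offsetof(struct ctx_sock, src_ip4) && size == 4) {
		*val = sk->src_ip4;
		return 1;	/* one translated instruction */
	}
	return 0;
}

/* Model of the narrow-load handling in convert_ctx_accesses().  With
 * field_size_recorded == 0 it behaves like the pre-fix verifier, where the
 * ctx_field_size marked by is_valid_access() never reached this step. */
static int convert_ctx_load(const struct ctx_sock *sk, size_t off, size_t size,
			    int field_size_recorded, uint64_t *out)
{
	struct access_info info = sock_is_valid_access(off, size);
	size_t ctx_field_size, load_off = off, load_size = size;
	uint64_t val = 0;
	int is_narrower_load;

	if (!info.allowed)
		return -EACCES;

	ctx_field_size = field_size_recorded ? info.ctx_field_size : 0;
	is_narrower_load = size < ctx_field_size;
	if (is_narrower_load) {
		/* widen to the whole field, aligned down to its start */
		load_off = off & ~(ctx_field_size - 1);
		load_size = ctx_field_size;
	}

	if (!sock_convert_ctx_access(sk, load_off, load_size, &val))
		return -EINVAL;	/* "bpf verifier is misconfigured" */

	if (is_narrower_load) {
		/* shift the requested bytes down, mask the rest off (LE host) */
		val >>= (off - load_off) * 8;
		val &= (1ULL << (size * 8)) - 1;
	}
	*out = val;
	return 0;
}

/* Constructed sample socket: family AF_INET, src_ip4 = 127.0.0.1. */
static struct ctx_sock sample_sock(void)
{
	struct ctx_sock sk = { 2, 1, 6, 0x0100007fU, 80 };
	return sk;
}

/* Load `size` bytes at src_ip4 + delta through the modelled verifier path.
 * Returns the loaded value, or a negative errno. */
long long load_src_ip4(size_t delta, size_t size, int field_size_recorded)
{
	struct ctx_sock sk = sample_sock();
	uint64_t val = 0;
	int rc = convert_ctx_load(&sk, offsetof(struct ctx_sock, src_ip4) + delta,
				  size, field_size_recorded, &val);

	return rc < 0 ? rc : (long long)val;
}

/* Reference: a plain narrow memory read of the same bytes. */
long long direct_load_src_ip4(size_t delta, size_t size)
{
	struct ctx_sock sk = sample_sock();
	uint64_t val = 0;

	memcpy(&val, (const uint8_t *)&sk + offsetof(struct ctx_sock, src_ip4) + delta, size);
	return (long long)val;
}

int main(void)
{
	printf("pre-fix u16 at src_ip4+2: rc=%lld\n", load_src_ip4(2, 2, 0));
	printf("fixed   u16 at src_ip4+2: 0x%llx\n", load_src_ip4(2, 2, 1));
	printf("direct  u16 at src_ip4+2: 0x%llx\n", direct_load_src_ip4(2, 2));
	return 0;
}
```

The check worth keeping from this model is the last two lines of `main`: once the field width is recorded, the widened-then-masked value must equal a direct narrow read of the same bytes, which is the property the quoted test exercises with a 2-byte load at src_ip4 + 2.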