netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Daniel Borkmann <daniel@iogearbox.net>
To: Marek Majkowski <marek@cloudflare.com>
Cc: Arthur Fabre <afabre@cloudflare.com>,
	ast@kernel.org, netdev@vger.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from unprivileged user
Date: Fri, 1 Mar 2019 15:22:30 +0100	[thread overview]
Message-ID: <af0643e0-08a1-6326-2a80-71892de1bf56@iogearbox.net> (raw)
In-Reply-To: <CAJPywTJiHxWeRun5Jpgo2TEQvcKUe1OcpP9eKi+q2m_WSyY6ag@mail.gmail.com>

On 03/01/2019 03:10 PM, Marek Majkowski wrote:
> Great, appreciated.
> 
> One more thing (since upgrading kernels takes time) do you think I can
> amend eBPF on my side to avoid triggering this? Naive stuff like this
> doesn't work sadly:
> 
>     uint64_t delta = b + ~a + 1;
> 
> I tried couple more variants with uint32_t types, but to no avail. Ideas?

For 32bit based add/sub this would definitely not be triggered, but only
latest LLVM supports alu32 emission. Since you guys are using inline asm
already, perhaps worth a shot.

Thanks,
Daniel

> Marek
> 
> On Fri, Mar 1, 2019 at 3:04 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>>
>> On 03/01/2019 12:39 PM, Arthur Fabre wrote:
>>> I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
>>>
>>> Dumping the "root" and "non-root" programs with bpftool,
>>> the subtraction instructions differ:
>>>
>>> "non-root":
>>>    0: (85) call bpf_ktime_get_ns#74944
>>>    1: (bf) r7 = r0
>>>    2: (85) call bpf_ktime_get_ns#74944
>>>    3: (bf) r6 = r0
>>>    4: (bf) r8 = r6
>>>    5: (b4) w11 = -1
>>>    6: (1f) r11 -= r8
>>>    7: (4f) r11 |= r8
>>>    8: (87) r11 = -r11
>>>    9: (c7) r11 s>>= 63
>>>   10: (5f) r8 &= r11
>>>
>>> "root":
>>>    0: (85) call bpf_ktime_get_ns#74944
>>>    1: (bf) r7 = r0
>>>    2: (85) call bpf_ktime_get_ns#74944
>>>    3: (bf) r6 = r0
>>>    4: (bf) r8 = r6
>>>
>>> The remainder of the instructions are for writing the results in the map,
>>> and the instructions are identical.
>>>
>>> I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
>>>
>>>     if (isneg)
>>>         *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
>>>     *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
>>>     *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
>>>     *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
>>>     *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
>>>     *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
>>>     if (issrc) {
>>>         *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
>>>                      off_reg);
>>>         insn->src_reg = BPF_REG_AX;
>>>     } else {
>>>         *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
>>>                      BPF_REG_AX);
>>>     }
>>>
>>> This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
>>> (https://patchwork.ozlabs.org/patch/1039606/).
>>> I don't yet understand what's going on.
>>
>> Ok, sigh, fix is this, sorry about the braino:
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index cdd2cb01f789..5b3cd384df1d 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -7629,7 +7629,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
>>                         u32 off_reg;
>>
>>                         aux = &env->insn_aux_data[i + delta];
>> -                       if (!aux->alu_state)
>> +                       if (!aux->alu_state ||
>> +                           aux->alu_state == BPF_ALU_NON_POINTER)
>>                                 continue;
>>
>>                         isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
>>
>> And this also makes the test work again:
>>
>> foo@test:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ ./ebpf-bug
>> 0 ->                    0 0x0000000000000000
>> 1 ->          54645145816 0x0000000cb91ac0d8
>> 2 ->          54645145860 0x0000000cb91ac104
>> 3 ->                   44 0x000000000000002c
>> foo@test:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ exit
>> root@test:~/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7# ./ebpf-bug
>> 0 ->                    0 0x0000000000000000
>> 1 ->          57984017624 0x0000000d801de4d8
>> 2 ->          57984017673 0x0000000d801de509
>> 3 ->                   49 0x0000000000000031
>>
>> I'll cook it as proper patch in a bit along with a test case.
>>
>> Thanks for reporting!
>> Daniel


      reply	other threads:[~2019-03-01 14:22 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-01  1:06 SOCKET_FILTER regression - eBPF can't subtract when attached from unprivileged user Marek Majkowski
2019-03-01 11:39 ` Arthur Fabre
2019-03-01 12:51   ` Daniel Borkmann
2019-03-01 14:04   ` Daniel Borkmann
2019-03-01 14:10     ` Marek Majkowski
2019-03-01 14:22       ` Daniel Borkmann [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=af0643e0-08a1-6326-2a80-71892de1bf56@iogearbox.net \
    --to=daniel@iogearbox.net \
    --cc=afabre@cloudflare.com \
    --cc=ast@kernel.org \
    --cc=marek@cloudflare.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).