Re: [PATCH] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

From: Eduard Zingerman
Date: Tue Jan 09 2024 - 11:21:23 EST

Next message: Sean Christopherson: "Re: [PATCH v17 092/116] KVM: TDX: Handle TDX PV HLT hypercall"
Previous message: Conor Dooley: "Re: [PATCH v3 1/2] dt-bindings: usb: Add Marvell ac5"
In reply to: Hao Sun: "[PATCH] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS"
Next in thread: Hao Sun: "Re: [PATCH] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2024-01-09 at 16:36 +0100, Hao Sun wrote:
> For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
> for validation. However, variable offset ptr alu is not prohibited
> for this ptr kind. So the variable offset is not checked.
>
[...]
>
> Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
> Signed-off-by: Hao Sun <sunhao.th@xxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index adbf330d364b..65f598694d55 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12826,6 +12826,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
> }
>
> switch (base_type(ptr_reg->type)) {
> + case PTR_TO_FLOW_KEYS:
> + if (known)
> + break;
> + fallthrough;
> case CONST_PTR_TO_MAP:
> /* smin_val represents the known value */
> if (known && smin_val == 0 && opcode == BPF_ADD)

This change makes sense, could you please add a testcase?

Also, this switch is written to explicitly disallow and implicitly allow
pointer arithmetics, which might be a bit unsafe when new ptr types are added.
Would it make more sense to instead rewrite it to explicitly allow?
E.g. here is what it currently allows / disallows:

| Pointer type | Arithmetics allowed |
|---------------------+---------------------|
| PTR_TO_CTX | yes |
| CONST_PTR_TO_MAP | conditionally |
| PTR_TO_MAP_VALUE | yes |
| PTR_TO_MAP_KEY | yes |
| PTR_TO_STACK | yes |
| PTR_TO_PACKET_META | yes |
| PTR_TO_PACKET | yes |
| PTR_TO_PACKET_END | no |
| PTR_TO_FLOW_KEYS | yes |
| PTR_TO_SOCKET | no |
| PTR_TO_SOCK_COMMON | no |
| PTR_TO_TCP_SOCK | no |
| PTR_TO_TP_BUFFER | yes |
| PTR_TO_XDP_SOCK | no |
| PTR_TO_BTF_ID | yes |
| PTR_TO_MEM | yes |
| PTR_TO_BUF | yes |
| PTR_TO_FUNC | yes |
| CONST_PTR_TO_DYNPTR | yes |

Of these PTR_TO_FUNC and CONST_PTR_TO_DYNPTR (?) should not be allowed
as well, probably (not sure if that could be exploited).

Next message: Sean Christopherson: "Re: [PATCH v17 092/116] KVM: TDX: Handle TDX PV HLT hypercall"
Previous message: Conor Dooley: "Re: [PATCH v3 1/2] dt-bindings: usb: Add Marvell ac5"
In reply to: Hao Sun: "[PATCH] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS"
Next in thread: Hao Sun: "Re: [PATCH] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]