提交 548aacdd 编写于 作者: D David S. Miller

Merge branch 'bpf-ARG_PTR_TO_RAW_STACK'

Merge branch 'bpf-ARG_PTR_TO_RAW_STACK'

Daniel Borkmann says:

====================
BPF updates

This series adds a new verifier argument type called
ARG_PTR_TO_RAW_STACK and converts related helpers to make
use of it. Basic idea is that we can save init of stack
memory when the helper function is guaranteed to fully
fill out the passed buffer in every path. Series also adds
test cases and converts samples. For more details, please
see individual patches.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
...@@ -66,6 +66,11 @@ enum bpf_arg_type { ...@@ -66,6 +66,11 @@ enum bpf_arg_type {
* functions that access data on eBPF program stack * functions that access data on eBPF program stack
*/ */
ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */ ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */
ARG_PTR_TO_RAW_STACK, /* any pointer to eBPF program stack, area does not
* need to be initialized, helper function must fill
* all bytes or clear them in error case.
*/
ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */ ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */
ARG_CONST_STACK_SIZE_OR_ZERO, /* number of bytes accessed from stack or 0 */ ARG_CONST_STACK_SIZE_OR_ZERO, /* number of bytes accessed from stack or 0 */
......
...@@ -163,17 +163,26 @@ static u64 bpf_get_current_comm(u64 r1, u64 size, u64 r3, u64 r4, u64 r5) ...@@ -163,17 +163,26 @@ static u64 bpf_get_current_comm(u64 r1, u64 size, u64 r3, u64 r4, u64 r5)
struct task_struct *task = current; struct task_struct *task = current;
char *buf = (char *) (long) r1; char *buf = (char *) (long) r1;
if (!task) if (unlikely(!task))
return -EINVAL; goto err_clear;
strlcpy(buf, task->comm, min_t(size_t, size, sizeof(task->comm))); strncpy(buf, task->comm, size);
/* Verifier guarantees that size > 0. For task->comm exceeding
* size, guarantee that buf is %NUL-terminated. Unconditionally
* done here to save the size test.
*/
buf[size - 1] = 0;
return 0; return 0;
err_clear:
memset(buf, 0, size);
return -EINVAL;
} }
const struct bpf_func_proto bpf_get_current_comm_proto = { const struct bpf_func_proto bpf_get_current_comm_proto = {
.func = bpf_get_current_comm, .func = bpf_get_current_comm,
.gpl_only = false, .gpl_only = false,
.ret_type = RET_INTEGER, .ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_STACK, .arg1_type = ARG_PTR_TO_RAW_STACK,
.arg2_type = ARG_CONST_STACK_SIZE, .arg2_type = ARG_CONST_STACK_SIZE,
}; };
...@@ -205,6 +205,13 @@ struct verifier_env { ...@@ -205,6 +205,13 @@ struct verifier_env {
#define BPF_COMPLEXITY_LIMIT_INSNS 65536 #define BPF_COMPLEXITY_LIMIT_INSNS 65536
#define BPF_COMPLEXITY_LIMIT_STACK 1024 #define BPF_COMPLEXITY_LIMIT_STACK 1024
struct bpf_call_arg_meta {
struct bpf_map *map_ptr;
bool raw_mode;
int regno;
int access_size;
};
/* verbose verifier prints what it's seeing /* verbose verifier prints what it's seeing
* bpf_check() is called under lock, so no race to access these global vars * bpf_check() is called under lock, so no race to access these global vars
*/ */
...@@ -785,7 +792,8 @@ static int check_xadd(struct verifier_env *env, struct bpf_insn *insn) ...@@ -785,7 +792,8 @@ static int check_xadd(struct verifier_env *env, struct bpf_insn *insn)
* and all elements of stack are initialized * and all elements of stack are initialized
*/ */
static int check_stack_boundary(struct verifier_env *env, int regno, static int check_stack_boundary(struct verifier_env *env, int regno,
int access_size, bool zero_size_allowed) int access_size, bool zero_size_allowed,
struct bpf_call_arg_meta *meta)
{ {
struct verifier_state *state = &env->cur_state; struct verifier_state *state = &env->cur_state;
struct reg_state *regs = state->regs; struct reg_state *regs = state->regs;
...@@ -811,6 +819,12 @@ static int check_stack_boundary(struct verifier_env *env, int regno, ...@@ -811,6 +819,12 @@ static int check_stack_boundary(struct verifier_env *env, int regno,
return -EACCES; return -EACCES;
} }
if (meta && meta->raw_mode) {
meta->access_size = access_size;
meta->regno = regno;
return 0;
}
for (i = 0; i < access_size; i++) { for (i = 0; i < access_size; i++) {
if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) {
verbose("invalid indirect read from stack off %d+%d size %d\n", verbose("invalid indirect read from stack off %d+%d size %d\n",
...@@ -822,7 +836,8 @@ static int check_stack_boundary(struct verifier_env *env, int regno, ...@@ -822,7 +836,8 @@ static int check_stack_boundary(struct verifier_env *env, int regno,
} }
static int check_func_arg(struct verifier_env *env, u32 regno, static int check_func_arg(struct verifier_env *env, u32 regno,
enum bpf_arg_type arg_type, struct bpf_map **mapp) enum bpf_arg_type arg_type,
struct bpf_call_arg_meta *meta)
{ {
struct reg_state *reg = env->cur_state.regs + regno; struct reg_state *reg = env->cur_state.regs + regno;
enum bpf_reg_type expected_type; enum bpf_reg_type expected_type;
...@@ -854,7 +869,8 @@ static int check_func_arg(struct verifier_env *env, u32 regno, ...@@ -854,7 +869,8 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
expected_type = CONST_PTR_TO_MAP; expected_type = CONST_PTR_TO_MAP;
} else if (arg_type == ARG_PTR_TO_CTX) { } else if (arg_type == ARG_PTR_TO_CTX) {
expected_type = PTR_TO_CTX; expected_type = PTR_TO_CTX;
} else if (arg_type == ARG_PTR_TO_STACK) { } else if (arg_type == ARG_PTR_TO_STACK ||
arg_type == ARG_PTR_TO_RAW_STACK) {
expected_type = PTR_TO_STACK; expected_type = PTR_TO_STACK;
/* One exception here. In case function allows for NULL to be /* One exception here. In case function allows for NULL to be
* passed in as argument, it's a CONST_IMM type. Final test * passed in as argument, it's a CONST_IMM type. Final test
...@@ -862,6 +878,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno, ...@@ -862,6 +878,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
*/ */
if (reg->type == CONST_IMM && reg->imm == 0) if (reg->type == CONST_IMM && reg->imm == 0)
expected_type = CONST_IMM; expected_type = CONST_IMM;
meta->raw_mode = arg_type == ARG_PTR_TO_RAW_STACK;
} else { } else {
verbose("unsupported arg_type %d\n", arg_type); verbose("unsupported arg_type %d\n", arg_type);
return -EFAULT; return -EFAULT;
...@@ -875,14 +892,13 @@ static int check_func_arg(struct verifier_env *env, u32 regno, ...@@ -875,14 +892,13 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
if (arg_type == ARG_CONST_MAP_PTR) { if (arg_type == ARG_CONST_MAP_PTR) {
/* bpf_map_xxx(map_ptr) call: remember that map_ptr */ /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
*mapp = reg->map_ptr; meta->map_ptr = reg->map_ptr;
} else if (arg_type == ARG_PTR_TO_MAP_KEY) { } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
/* bpf_map_xxx(..., map_ptr, ..., key) call: /* bpf_map_xxx(..., map_ptr, ..., key) call:
* check that [key, key + map->key_size) are within * check that [key, key + map->key_size) are within
* stack limits and initialized * stack limits and initialized
*/ */
if (!*mapp) { if (!meta->map_ptr) {
/* in function declaration map_ptr must come before /* in function declaration map_ptr must come before
* map_key, so that it's verified and known before * map_key, so that it's verified and known before
* we have to check map_key here. Otherwise it means * we have to check map_key here. Otherwise it means
...@@ -891,19 +907,20 @@ static int check_func_arg(struct verifier_env *env, u32 regno, ...@@ -891,19 +907,20 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
verbose("invalid map_ptr to access map->key\n"); verbose("invalid map_ptr to access map->key\n");
return -EACCES; return -EACCES;
} }
err = check_stack_boundary(env, regno, (*mapp)->key_size, err = check_stack_boundary(env, regno, meta->map_ptr->key_size,
false); false, NULL);
} else if (arg_type == ARG_PTR_TO_MAP_VALUE) { } else if (arg_type == ARG_PTR_TO_MAP_VALUE) {
/* bpf_map_xxx(..., map_ptr, ..., value) call: /* bpf_map_xxx(..., map_ptr, ..., value) call:
* check [value, value + map->value_size) validity * check [value, value + map->value_size) validity
*/ */
if (!*mapp) { if (!meta->map_ptr) {
/* kernel subsystem misconfigured verifier */ /* kernel subsystem misconfigured verifier */
verbose("invalid map_ptr to access map->value\n"); verbose("invalid map_ptr to access map->value\n");
return -EACCES; return -EACCES;
} }
err = check_stack_boundary(env, regno, (*mapp)->value_size, err = check_stack_boundary(env, regno,
false); meta->map_ptr->value_size,
false, NULL);
} else if (arg_type == ARG_CONST_STACK_SIZE || } else if (arg_type == ARG_CONST_STACK_SIZE ||
arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) { arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {
bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO); bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO);
...@@ -918,7 +935,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno, ...@@ -918,7 +935,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
return -EACCES; return -EACCES;
} }
err = check_stack_boundary(env, regno - 1, reg->imm, err = check_stack_boundary(env, regno - 1, reg->imm,
zero_size_allowed); zero_size_allowed, meta);
} }
return err; return err;
...@@ -949,13 +966,31 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id) ...@@ -949,13 +966,31 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
return 0; return 0;
} }
static int check_raw_mode(const struct bpf_func_proto *fn)
{
int count = 0;
if (fn->arg1_type == ARG_PTR_TO_RAW_STACK)
count++;
if (fn->arg2_type == ARG_PTR_TO_RAW_STACK)
count++;
if (fn->arg3_type == ARG_PTR_TO_RAW_STACK)
count++;
if (fn->arg4_type == ARG_PTR_TO_RAW_STACK)
count++;
if (fn->arg5_type == ARG_PTR_TO_RAW_STACK)
count++;
return count > 1 ? -EINVAL : 0;
}
static int check_call(struct verifier_env *env, int func_id) static int check_call(struct verifier_env *env, int func_id)
{ {
struct verifier_state *state = &env->cur_state; struct verifier_state *state = &env->cur_state;
const struct bpf_func_proto *fn = NULL; const struct bpf_func_proto *fn = NULL;
struct reg_state *regs = state->regs; struct reg_state *regs = state->regs;
struct bpf_map *map = NULL;
struct reg_state *reg; struct reg_state *reg;
struct bpf_call_arg_meta meta;
int i, err; int i, err;
/* find function prototype */ /* find function prototype */
...@@ -978,23 +1013,43 @@ static int check_call(struct verifier_env *env, int func_id) ...@@ -978,23 +1013,43 @@ static int check_call(struct verifier_env *env, int func_id)
return -EINVAL; return -EINVAL;
} }
memset(&meta, 0, sizeof(meta));
/* We only support one arg being in raw mode at the moment, which
* is sufficient for the helper functions we have right now.
*/
err = check_raw_mode(fn);
if (err) {
verbose("kernel subsystem misconfigured func %d\n", func_id);
return err;
}
/* check args */ /* check args */
err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &map); err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta);
if (err) if (err)
return err; return err;
err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &map); err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
if (err) if (err)
return err; return err;
err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &map); err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
if (err) if (err)
return err; return err;
err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &map); err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta);
if (err) if (err)
return err; return err;
err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &map); err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta);
if (err) if (err)
return err; return err;
/* Mark slots with STACK_MISC in case of raw mode, stack offset
* is inferred from register state.
*/
for (i = 0; i < meta.access_size; i++) {
err = check_mem_access(env, meta.regno, i, BPF_B, BPF_WRITE, -1);
if (err)
return err;
}
/* reset caller saved regs */ /* reset caller saved regs */
for (i = 0; i < CALLER_SAVED_REGS; i++) { for (i = 0; i < CALLER_SAVED_REGS; i++) {
reg = regs + caller_saved[i]; reg = regs + caller_saved[i];
...@@ -1013,18 +1068,18 @@ static int check_call(struct verifier_env *env, int func_id) ...@@ -1013,18 +1068,18 @@ static int check_call(struct verifier_env *env, int func_id)
* can check 'value_size' boundary of memory access * can check 'value_size' boundary of memory access
* to map element returned from bpf_map_lookup_elem() * to map element returned from bpf_map_lookup_elem()
*/ */
if (map == NULL) { if (meta.map_ptr == NULL) {
verbose("kernel subsystem misconfigured verifier\n"); verbose("kernel subsystem misconfigured verifier\n");
return -EINVAL; return -EINVAL;
} }
regs[BPF_REG_0].map_ptr = map; regs[BPF_REG_0].map_ptr = meta.map_ptr;
} else { } else {
verbose("unknown return type %d of func %d\n", verbose("unknown return type %d of func %d\n",
fn->ret_type, func_id); fn->ret_type, func_id);
return -EINVAL; return -EINVAL;
} }
err = check_map_func_compatibility(map, func_id); err = check_map_func_compatibility(meta.map_ptr, func_id);
if (err) if (err)
return err; return err;
......
...@@ -62,17 +62,21 @@ EXPORT_SYMBOL_GPL(trace_call_bpf); ...@@ -62,17 +62,21 @@ EXPORT_SYMBOL_GPL(trace_call_bpf);
static u64 bpf_probe_read(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) static u64 bpf_probe_read(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
{ {
void *dst = (void *) (long) r1; void *dst = (void *) (long) r1;
int size = (int) r2; int ret, size = (int) r2;
void *unsafe_ptr = (void *) (long) r3; void *unsafe_ptr = (void *) (long) r3;
return probe_kernel_read(dst, unsafe_ptr, size); ret = probe_kernel_read(dst, unsafe_ptr, size);
if (unlikely(ret < 0))
memset(dst, 0, size);
return ret;
} }
static const struct bpf_func_proto bpf_probe_read_proto = { static const struct bpf_func_proto bpf_probe_read_proto = {
.func = bpf_probe_read, .func = bpf_probe_read,
.gpl_only = true, .gpl_only = true,
.ret_type = RET_INTEGER, .ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_STACK, .arg1_type = ARG_PTR_TO_RAW_STACK,
.arg2_type = ARG_CONST_STACK_SIZE, .arg2_type = ARG_CONST_STACK_SIZE,
.arg3_type = ARG_ANYTHING, .arg3_type = ARG_ANYTHING,
}; };
......
...@@ -1409,16 +1409,19 @@ static u64 bpf_skb_load_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) ...@@ -1409,16 +1409,19 @@ static u64 bpf_skb_load_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
unsigned int len = (unsigned int) r4; unsigned int len = (unsigned int) r4;
void *ptr; void *ptr;
if (unlikely((u32) offset > 0xffff || len > MAX_BPF_STACK)) if (unlikely((u32) offset > 0xffff))
return -EFAULT; goto err_clear;
ptr = skb_header_pointer(skb, offset, len, to); ptr = skb_header_pointer(skb, offset, len, to);
if (unlikely(!ptr)) if (unlikely(!ptr))
return -EFAULT; goto err_clear;
if (ptr != to) if (ptr != to)
memcpy(to, ptr, len); memcpy(to, ptr, len);
return 0; return 0;
err_clear:
memset(to, 0, len);
return -EFAULT;
} }
static const struct bpf_func_proto bpf_skb_load_bytes_proto = { static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
...@@ -1427,7 +1430,7 @@ static const struct bpf_func_proto bpf_skb_load_bytes_proto = { ...@@ -1427,7 +1430,7 @@ static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
.ret_type = RET_INTEGER, .ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_CTX, .arg1_type = ARG_PTR_TO_CTX,
.arg2_type = ARG_ANYTHING, .arg2_type = ARG_ANYTHING,
.arg3_type = ARG_PTR_TO_STACK, .arg3_type = ARG_PTR_TO_RAW_STACK,
.arg4_type = ARG_CONST_STACK_SIZE, .arg4_type = ARG_CONST_STACK_SIZE,
}; };
...@@ -1756,12 +1759,19 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5) ...@@ -1756,12 +1759,19 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5)
struct bpf_tunnel_key *to = (struct bpf_tunnel_key *) (long) r2; struct bpf_tunnel_key *to = (struct bpf_tunnel_key *) (long) r2;
const struct ip_tunnel_info *info = skb_tunnel_info(skb); const struct ip_tunnel_info *info = skb_tunnel_info(skb);
u8 compat[sizeof(struct bpf_tunnel_key)]; u8 compat[sizeof(struct bpf_tunnel_key)];
void *to_orig = to;
int err;
if (unlikely(!info || (flags & ~(BPF_F_TUNINFO_IPV6)))) if (unlikely(!info || (flags & ~(BPF_F_TUNINFO_IPV6)))) {
return -EINVAL; err = -EINVAL;
if (ip_tunnel_info_af(info) != bpf_tunnel_key_af(flags)) goto err_clear;
return -EPROTO; }
if (ip_tunnel_info_af(info) != bpf_tunnel_key_af(flags)) {
err = -EPROTO;
goto err_clear;
}
if (unlikely(size != sizeof(struct bpf_tunnel_key))) { if (unlikely(size != sizeof(struct bpf_tunnel_key))) {
err = -EINVAL;
switch (size) { switch (size) {
case offsetof(struct bpf_tunnel_key, tunnel_label): case offsetof(struct bpf_tunnel_key, tunnel_label):
case offsetof(struct bpf_tunnel_key, tunnel_ext): case offsetof(struct bpf_tunnel_key, tunnel_ext):
...@@ -1771,12 +1781,12 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5) ...@@ -1771,12 +1781,12 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5)
* a common path later on. * a common path later on.
*/ */
if (ip_tunnel_info_af(info) != AF_INET) if (ip_tunnel_info_af(info) != AF_INET)
return -EINVAL; goto err_clear;
set_compat: set_compat:
to = (struct bpf_tunnel_key *)compat; to = (struct bpf_tunnel_key *)compat;
break; break;
default: default:
return -EINVAL; goto err_clear;
} }
} }
...@@ -1793,9 +1803,12 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5) ...@@ -1793,9 +1803,12 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5)
} }
if (unlikely(size != sizeof(struct bpf_tunnel_key))) if (unlikely(size != sizeof(struct bpf_tunnel_key)))
memcpy((void *)(long) r2, to, size); memcpy(to_orig, to, size);
return 0; return 0;
err_clear:
memset(to_orig, 0, size);
return err;
} }
static const struct bpf_func_proto bpf_skb_get_tunnel_key_proto = { static const struct bpf_func_proto bpf_skb_get_tunnel_key_proto = {
...@@ -1803,7 +1816,7 @@ static const struct bpf_func_proto bpf_skb_get_tunnel_key_proto = { ...@@ -1803,7 +1816,7 @@ static const struct bpf_func_proto bpf_skb_get_tunnel_key_proto = {
.gpl_only = false, .gpl_only = false,
.ret_type = RET_INTEGER, .ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_CTX, .arg1_type = ARG_PTR_TO_CTX,
.arg2_type = ARG_PTR_TO_STACK, .arg2_type = ARG_PTR_TO_RAW_STACK,
.arg3_type = ARG_CONST_STACK_SIZE, .arg3_type = ARG_CONST_STACK_SIZE,
.arg4_type = ARG_ANYTHING, .arg4_type = ARG_ANYTHING,
}; };
...@@ -1813,16 +1826,26 @@ static u64 bpf_skb_get_tunnel_opt(u64 r1, u64 r2, u64 size, u64 r4, u64 r5) ...@@ -1813,16 +1826,26 @@ static u64 bpf_skb_get_tunnel_opt(u64 r1, u64 r2, u64 size, u64 r4, u64 r5)
struct sk_buff *skb = (struct sk_buff *) (long) r1; struct sk_buff *skb = (struct sk_buff *) (long) r1;
u8 *to = (u8 *) (long) r2; u8 *to = (u8 *) (long) r2;
const struct ip_tunnel_info *info = skb_tunnel_info(skb); const struct ip_tunnel_info *info = skb_tunnel_info(skb);
int err;
if (unlikely(!info || if (unlikely(!info ||
!(info->key.tun_flags & TUNNEL_OPTIONS_PRESENT))) !(info->key.tun_flags & TUNNEL_OPTIONS_PRESENT))) {
return -ENOENT; err = -ENOENT;
if (unlikely(size < info->options_len)) goto err_clear;
return -ENOMEM; }
if (unlikely(size < info->options_len)) {
err = -ENOMEM;
goto err_clear;
}
ip_tunnel_info_opts_get(to, info); ip_tunnel_info_opts_get(to, info);
if (size > info->options_len)
memset(to + info->options_len, 0, size - info->options_len);
return info->options_len; return info->options_len;
err_clear:
memset(to, 0, size);
return err;
} }
static const struct bpf_func_proto bpf_skb_get_tunnel_opt_proto = { static const struct bpf_func_proto bpf_skb_get_tunnel_opt_proto = {
...@@ -1830,7 +1853,7 @@ static const struct bpf_func_proto bpf_skb_get_tunnel_opt_proto = { ...@@ -1830,7 +1853,7 @@ static const struct bpf_func_proto bpf_skb_get_tunnel_opt_proto = {
.gpl_only = false, .gpl_only = false,
.ret_type = RET_INTEGER, .ret_type = RET_INTEGER,
.arg1_type = ARG_PTR_TO_CTX, .arg1_type = ARG_PTR_TO_CTX,
.arg2_type = ARG_PTR_TO_STACK, .arg2_type = ARG_PTR_TO_RAW_STACK,
.arg3_type = ARG_CONST_STACK_SIZE, .arg3_type = ARG_CONST_STACK_SIZE,
}; };
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
#include <linux/version.h> #include <linux/version.h>
#include <linux/sched.h> #include <linux/sched.h>
#define _(P) ({typeof(P) val = 0; bpf_probe_read(&val, sizeof(val), &P); val;}) #define _(P) ({typeof(P) val; bpf_probe_read(&val, sizeof(val), &P); val;})
#define MINBLOCK_US 1 #define MINBLOCK_US 1
...@@ -61,7 +61,7 @@ SEC("kprobe/try_to_wake_up") ...@@ -61,7 +61,7 @@ SEC("kprobe/try_to_wake_up")
int waker(struct pt_regs *ctx) int waker(struct pt_regs *ctx)
{ {
struct task_struct *p = (void *) PT_REGS_PARM1(ctx); struct task_struct *p = (void *) PT_REGS_PARM1(ctx);
struct wokeby_t woke = {}; struct wokeby_t woke;
u32 pid; u32 pid;
pid = _(p->pid); pid = _(p->pid);
...@@ -75,17 +75,19 @@ int waker(struct pt_regs *ctx) ...@@ -75,17 +75,19 @@ int waker(struct pt_regs *ctx)
static inline int update_counts(void *ctx, u32 pid, u64 delta) static inline int update_counts(void *ctx, u32 pid, u64 delta)
{ {
struct key_t key = {};
struct wokeby_t *woke; struct wokeby_t *woke;
u64 zero = 0, *val; u64 zero = 0, *val;
struct key_t key;
__builtin_memset(&key.waker, 0, sizeof(key.waker));
bpf_get_current_comm(&key.target, sizeof(key.target)); bpf_get_current_comm(&key.target, sizeof(key.target));
key.tret = bpf_get_stackid(ctx, &stackmap, STACKID_FLAGS); key.tret = bpf_get_stackid(ctx, &stackmap, STACKID_FLAGS);
key.wret = 0;
woke = bpf_map_lookup_elem(&wokeby, &pid); woke = bpf_map_lookup_elem(&wokeby, &pid);
if (woke) { if (woke) {
key.wret = woke->ret; key.wret = woke->ret;
__builtin_memcpy(&key.waker, woke->name, TASK_COMM_LEN); __builtin_memcpy(&key.waker, woke->name, sizeof(key.waker));
bpf_map_delete_elem(&wokeby, &pid); bpf_map_delete_elem(&wokeby, &pid);
} }
......
...@@ -308,6 +308,19 @@ static struct bpf_test tests[] = { ...@@ -308,6 +308,19 @@ static struct bpf_test tests[] = {
.result = ACCEPT, .result = ACCEPT,
.result_unpriv = REJECT, .result_unpriv = REJECT,
}, },
{
"check valid spill/fill, skb mark",
.insns = {
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.result_unpriv = ACCEPT,
},
{ {
"check corrupted spill/fill", "check corrupted spill/fill",
.insns = { .insns = {
...@@ -1180,6 +1193,261 @@ static struct bpf_test tests[] = { ...@@ -1180,6 +1193,261 @@ static struct bpf_test tests[] = {
.result_unpriv = REJECT, .result_unpriv = REJECT,
.result = ACCEPT, .result = ACCEPT,
}, },
{
"raw_stack: no skb_load_bytes",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
/* Call to skb_load_bytes() omitted. */
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid read from stack off -8+0 size 8",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, no init",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, init",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, spilled regs around bounds",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
offsetof(struct __sk_buff, priority)),
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, spilled regs corruption",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* fill ctx into R0 */
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "R0 invalid mem access 'inv'",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, spilled regs corruption 2",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* fill ctx into R3 */
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
offsetof(struct __sk_buff, priority)),
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
offsetof(struct __sk_buff, pkt_type)),
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "R3 invalid mem access 'inv'",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, spilled regs + data",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* fill data into R3 */
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
offsetof(struct __sk_buff, priority)),
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 1",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-513 access_size=8",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 2",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 8),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-1 access_size=8",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 3",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-1 access_size=-1",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 4",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-1 access_size=2147483647",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 5",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-512 access_size=2147483647",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, invalid access 6",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 0),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr = "invalid stack type R3 off=-512 access_size=0",
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
"raw_stack: skb_load_bytes, large access",
.insns = {
BPF_MOV64_IMM(BPF_REG_2, 4),
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
BPF_MOV64_IMM(BPF_REG_4, 512),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
}; };
static int probe_filter_length(struct bpf_insn *fp) static int probe_filter_length(struct bpf_insn *fp)
......
...@@ -23,16 +23,14 @@ int bpf_prog1(struct pt_regs *ctx) ...@@ -23,16 +23,14 @@ int bpf_prog1(struct pt_regs *ctx)
/* attaches to kprobe netif_receive_skb, /* attaches to kprobe netif_receive_skb,
* looks for packets on loobpack device and prints them * looks for packets on loobpack device and prints them
*/ */
char devname[IFNAMSIZ] = {}; char devname[IFNAMSIZ];
struct net_device *dev; struct net_device *dev;
struct sk_buff *skb; struct sk_buff *skb;
int len; int len;
/* non-portable! works for the given kernel only */ /* non-portable! works for the given kernel only */
skb = (struct sk_buff *) PT_REGS_PARM1(ctx); skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
dev = _(skb->dev); dev = _(skb->dev);
len = _(skb->len); len = _(skb->len);
bpf_probe_read(devname, sizeof(devname), dev->name); bpf_probe_read(devname, sizeof(devname), dev->name);
......
...@@ -66,7 +66,7 @@ struct hist_key { ...@@ -66,7 +66,7 @@ struct hist_key {
char comm[16]; char comm[16];
u64 pid_tgid; u64 pid_tgid;
u64 uid_gid; u64 uid_gid;
u32 index; u64 index;
}; };
struct bpf_map_def SEC("maps") my_hist_map = { struct bpf_map_def SEC("maps") my_hist_map = {
...@@ -82,7 +82,7 @@ int bpf_prog3(struct pt_regs *ctx) ...@@ -82,7 +82,7 @@ int bpf_prog3(struct pt_regs *ctx)
long write_size = PT_REGS_PARM3(ctx); long write_size = PT_REGS_PARM3(ctx);
long init_val = 1; long init_val = 1;
long *value; long *value;
struct hist_key key = {}; struct hist_key key;
key.index = log2l(write_size); key.index = log2l(write_size);
key.pid_tgid = bpf_get_current_pid_tgid(); key.pid_tgid = bpf_get_current_pid_tgid();
......
...@@ -22,7 +22,7 @@ struct bpf_map_def SEC("maps") progs = { ...@@ -22,7 +22,7 @@ struct bpf_map_def SEC("maps") progs = {
SEC("kprobe/seccomp_phase1") SEC("kprobe/seccomp_phase1")
int bpf_prog1(struct pt_regs *ctx) int bpf_prog1(struct pt_regs *ctx)
{ {
struct seccomp_data sd = {}; struct seccomp_data sd;
bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx)); bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx));
...@@ -40,7 +40,7 @@ int bpf_prog1(struct pt_regs *ctx) ...@@ -40,7 +40,7 @@ int bpf_prog1(struct pt_regs *ctx)
/* we jump here when syscall number == __NR_write */ /* we jump here when syscall number == __NR_write */
PROG(__NR_write)(struct pt_regs *ctx) PROG(__NR_write)(struct pt_regs *ctx)
{ {
struct seccomp_data sd = {}; struct seccomp_data sd;
bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx)); bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx));
if (sd.args[2] == 512) { if (sd.args[2] == 512) {
...@@ -53,7 +53,7 @@ PROG(__NR_write)(struct pt_regs *ctx) ...@@ -53,7 +53,7 @@ PROG(__NR_write)(struct pt_regs *ctx)
PROG(__NR_read)(struct pt_regs *ctx) PROG(__NR_read)(struct pt_regs *ctx)
{ {
struct seccomp_data sd = {}; struct seccomp_data sd;
bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx)); bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx));
if (sd.args[2] > 128 && sd.args[2] <= 1024) { if (sd.args[2] > 128 && sd.args[2] <= 1024) {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册