On Tue, Apr 20, 2021 at 12:54 AM Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > > On Mon, Apr 19, 2021 at 05:52:39PM +0200, Florent Revest wrote: > > This type provides the guarantee that an argument is going to be a const > > pointer to somewhere in a read-only map value. It also checks that this > > pointer is followed by a zero character before the end of the map value. > > > > Signed-off-by: Florent Revest <rev...@chromium.org> > > Acked-by: Andrii Nakryiko <and...@kernel.org> > > --- > > include/linux/bpf.h | 1 + > > kernel/bpf/verifier.c | 41 +++++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 42 insertions(+) > > > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > > index 77d1d8c65b81..c160526fc8bf 100644 > > --- a/include/linux/bpf.h > > +++ b/include/linux/bpf.h > > @@ -309,6 +309,7 @@ enum bpf_arg_type { > > ARG_PTR_TO_PERCPU_BTF_ID, /* pointer to in-kernel percpu type */ > > ARG_PTR_TO_FUNC, /* pointer to a bpf program function */ > > ARG_PTR_TO_STACK_OR_NULL, /* pointer to stack or NULL */ > > + ARG_PTR_TO_CONST_STR, /* pointer to a null terminated read-only > > string */ > > __BPF_ARG_TYPE_MAX, > > }; > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index 852541a435ef..5f46dd6f3383 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -4787,6 +4787,7 @@ static const struct bpf_reg_types spin_lock_types = { > > .types = { PTR_TO_MAP_VALU > > static const struct bpf_reg_types percpu_btf_ptr_types = { .types = { > > PTR_TO_PERCPU_BTF_ID } }; > > static const struct bpf_reg_types func_ptr_types = { .types = { > > PTR_TO_FUNC } }; > > static const struct bpf_reg_types stack_ptr_types = { .types = { > > PTR_TO_STACK } }; > > +static const struct bpf_reg_types const_str_ptr_types = { .types = { > > PTR_TO_MAP_VALUE } }; > > > > static const struct bpf_reg_types > > *compatible_reg_types[__BPF_ARG_TYPE_MAX] = { > > [ARG_PTR_TO_MAP_KEY] = &map_key_value_types, > > @@ -4817,6 +4818,7 @@ static const struct bpf_reg_types > > *compatible_reg_types[__BPF_ARG_TYPE_MAX] = { > > [ARG_PTR_TO_PERCPU_BTF_ID] = &percpu_btf_ptr_types, > > [ARG_PTR_TO_FUNC] = &func_ptr_types, > > [ARG_PTR_TO_STACK_OR_NULL] = &stack_ptr_types, > > + [ARG_PTR_TO_CONST_STR] = &const_str_ptr_types, > > }; > > > > static int check_reg_type(struct bpf_verifier_env *env, u32 regno, > > @@ -5067,6 +5069,45 @@ static int check_func_arg(struct bpf_verifier_env > > *env, u32 arg, > > if (err) > > return err; > > err = check_ptr_alignment(env, reg, 0, size, true); > > + } else if (arg_type == ARG_PTR_TO_CONST_STR) { > > + struct bpf_map *map = reg->map_ptr; > > + int map_off; > > + u64 map_addr; > > + char *str_ptr; > > + > > + if (reg->type != PTR_TO_MAP_VALUE || !map || > > I think the 'type' check is redundant, > since check_reg_type() did it via compatible_reg_types. > If so it's probably better to remove it here ? > > '!map' looks unnecessary. Can it ever happen? If yes, it's a verifier bug. > For example in check_mem_access() we just deref reg->map_ptr without checking > which, I think, is correct.
I agree with all of the above. I only thought it's better to be safe than sorry but if you'd like I could follow up with a patch that removes some checks? > > + !bpf_map_is_rdonly(map)) { > > This check is needed, of course. > > > + verbose(env, "R%d does not point to a readonly > > map'\n", regno); > > + return -EACCES; > > + } > > + > > + if (!tnum_is_const(reg->var_off)) { > > + verbose(env, "R%d is not a constant address'\n", > > regno); > > + return -EACCES; > > + } > > + > > + if (!map->ops->map_direct_value_addr) { > > + verbose(env, "no direct value access support for this > > map type\n"); > > + return -EACCES; > > + } > > + > > + err = check_map_access(env, regno, reg->off, > > + map->value_size - reg->off, false); > > + if (err) > > + return err; > > + > > + map_off = reg->off + reg->var_off.value; > > + err = map->ops->map_direct_value_addr(map, &map_addr, > > map_off); > > + if (err) { > > since the code checks it here the same check in check_bpf_snprintf_call() > should > probably do: > if (err) { > verbose("verifier bug\n"); > return -EFAULT; > } > > instead of just "return err;" > ? Sure, does not hurt. I can also follow up with a patch unless if you prefer doing it yourself. > > + verbose(env, "direct value access on string > > failed\n"); > > I think the message doesn't tell users much, but they probably should never > see it unless they try to do lookup from readonly array with > more than one element. > So I guess it's fine to keep this one as-is. Just flagging. Ack > Anyway the whole set looks great, so I've applied to bpf-next. > Thanks! Thank you :D