Hi Bruce,

I have checked the linux-yocto -stable updates and have not seen these changes in 5.10.y.
Could you please point me to the commit which you pushed to 5.10.y?

Regards,
Archana

________________________________
From: Bruce Ashfield <[email protected]>
Sent: Thursday, July 18, 2024 18:54
To: Polampalli, Archana <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject variable 
offset alu on PTR_TO_FLOW_KEYS

In message: Re: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject 
variable offset alu on PTR_TO_FLOW_KEYS
on 18/07/2024 Polampalli, Archana wrote:

> Hi Bruce,
>
> This commit is not backported to older stable kernels, therefore I backported it
> from the 5.15.y series. Kindly approve.

Can you double check against the linux-yocto -stable updates
that I pushed a few days ago?

I'm seeing this commit already in my tree.

Bruce

>
> Regards,
> Archana
> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
> From: [email protected] <[email protected]>
> on behalf of Polampalli, Archana via lists.yoctoproject.org 
> <archana.polampalli
> [email protected]>
> Sent: Thursday, July 18, 2024 12:15
> To: [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject variable
> offset alu on PTR_TO_FLOW_KEYS
>
> From: Hao Sun <[email protected]>
>
> [ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]
>
> For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
> for validation. However, variable offset ptr alu is not prohibited
> for this ptr kind. So the variable offset is not checked.
>
> The following prog is accepted:
>
>   func#0 @0
>   0: R1=ctx() R10=fp0
>   0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
>   1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
>   2: (b7) r8 = 1024                     ; R8_w=1024
>   3: (37) r8 /= 1                       ; R8_w=scalar()
>   4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,
>   smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
>   5: (0f) r7 += r8
>   mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
>   mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
>   mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
>   mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
>   6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
>   =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
>   var_off=(0x0; 0x400))
>   6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
>   7: (95) exit
>
> This prog loads flow_keys to r7, and adds the variable offset r8
> to r7, and finally causes out-of-bounds access:
>
>   BUG: unable to handle page fault for address: ffffc90014c80038
>   [...]
>   Call Trace:
>    <TASK>
>    bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
>    __bpf_prog_run include/linux/filter.h:651 [inline]
>    bpf_prog_run include/linux/filter.h:658 [inline]
>    bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
>    bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
>    bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
>    bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
>    __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
>    __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
>    __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
>    __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
>    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>    do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
>    entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Fix this by rejecting ptr alu with variable offset on flow_keys.
> Applying the patch rejects the program with "R7 pointer arithmetic
> on flow_keys prohibited".
>
> Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
> Signed-off-by: Hao Sun <[email protected]>
> Signed-off-by: Daniel Borkmann <[email protected]>
> Acked-by: Yonghong Song <[email protected]>
> Link: https://lore.kernel.org/bpf/[email protected]
>
> Signed-off-by: Archana Polampalli <[email protected]>
> ---
>  kernel/bpf/verifier.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 25f8a8716e88..e2818d4d5d1b 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6250,6 +6250,10 @@ static int adjust_ptr_min_max_vals(struct
> bpf_verifier_env *env,
>          }
>
>          switch (ptr_reg->type) {
> +       case PTR_TO_FLOW_KEYS:
> +               if (known)
> +                       break;
> +               fallthrough;
>          case PTR_TO_MAP_VALUE_OR_NULL:
>                  verbose(env, "R%d pointer arithmetic on %s prohibited,
> null-check it first\n",
>                          dst, reg_type_str[ptr_reg->type]);
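Review bot: the new PTR_TO_FLOW_KEYS case falls through into the PTR_TO_MAP_VALUE_OR_NULL case, so in this tree a variable-offset add on flow_keys is reported as "R%d pointer arithmetic on %s prohibited, null-check it first". That does not match the message the commit log promises ("R7 pointer arithmetic on flow_keys prohibited"), and the null-check hint is misleading for a flow_keys pointer, where the problem is the unknown offset. Consider giving the case its own verbose() and error return, or moving it next to a case that prints the message without the hint, and mention the deviation from the upstream commit in the backport's commit message.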
> --
> 2.40.0
>
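A simplified user-space model of the gap described in the quoted commit message, added here as an illustration; it is not kernel code and not part of the patch. The struct, the function bodies, the verdict names and the 56-byte size constant are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLOW_KEYS_SIZE 56u /* model constant for sizeof(struct bpf_flow_keys) */

/* Model of a pointer register: fixed offset plus bounds of a variable part. */
struct reg { int32_t off; uint64_t umin, umax; };

enum verdict { REJECT_ALU, REJECT_ACCESS, ACCEPT_SAFE, ACCEPT_OOB };

/* As the commit message says: only the fixed offset is validated. */
static bool check_flow_keys_access(const struct reg *r, int size)
{
    return r->off >= 0 && (uint64_t)r->off + (uint64_t)size <= FLOW_KEYS_SIZE;
}

/* ptr += scalar in [smin, smax]; returns false when the ALU op is rejected. */
static bool ptr_add(struct reg *r, uint64_t smin, uint64_t smax, bool patched)
{
    bool known = (smin == smax);          /* constant scalar */
    if (known) { r->off += (int32_t)smin; return true; }
    if (patched) return false;            /* variable offset on flow_keys */
    r->umin += smin;                      /* unpatched: tracked but never */
    r->umax += smax;                      /* consulted by the access check */
    return true;
}

/* Model of: r7 = flow_keys; r7 += [smin, smax]; load `size` bytes at r7+0 */
static enum verdict verify(uint64_t smin, uint64_t smax, int size, bool patched)
{
    struct reg r7 = { 0, 0, 0 };
    if (!ptr_add(&r7, smin, smax, patched)) return REJECT_ALU;
    if (!check_flow_keys_access(&r7, size)) return REJECT_ACCESS;
    /* Furthest byte the accepted program could touch at run time. */
    uint64_t worst = (uint64_t)r7.off + r7.umax + (uint64_t)size;
    return worst <= FLOW_KEYS_SIZE ? ACCEPT_SAFE : ACCEPT_OOB;
}

int main(void)
{
    /* Scalar range 0..1024 and an 8-byte load, as in the quoted verifier log. */
    printf("unpatched: %d\n", verify(0, 1024, 8, false));
    printf("patched:   %d\n", verify(0, 1024, 8, true));
    return 0;
}
```

Constant offsets stay usable after the fix because they fold into the fixed offset that the access check already validates.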