Re: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

Thu, 01 Aug 2024 21:06:50 -0700 

On Wed, Jul 31, 2024 at 6:52 AM Polampalli, Archana
<[email protected]> wrote:
>
> Hi Bruce,
>
> I have checked linux-yocto -stable updates , not seen these changes in 
> 5.10.y. could please point me the commit which you pushed to the 5.10.y

Do you have this commit in your tree ?

commit 02fd398f5e2b0b4ed1693b110acc2224b3a99b98
Author: Hao Sun <[email protected]>
Date:   Thu Jul 18 06:45:12 2024 +0000

    bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

    [ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]

    For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
    for validation. However, variable offset ptr alu is not prohibited
    for this ptr kind. So the variable offset is not checked.

% git branch --contains 02fd398f5e2b0b
  v5.10/standard/arm-versatile-926ejs
* v5.10/standard/base
  v5.10/standard/bcm-2xxx-rpi
  v5.10/standard/beaglebone
  v5.10/standard/cn-sdkv4.18/cn96xx
  v5.10/standard/cn-sdkv5.4/octeon
  v5.10/standard/edgerouter
  v5.10/standard/fsl-mpc8315e-rdb
  v5.10/standard/intel-sdk-5.10/intel-socfpga
  v5.10/standard/mti-malta32
  v5.10/standard/mti-malta64
  v5.10/standard/nxp-ls20xx
  v5.10/standard/nxp-sdk-5.10/nxp-s32g2xx
  v5.10/standard/nxp-sdk-5.10/nxp-soc
  v5.10/standard/preempt-rt/base
  v5.10/standard/preempt-rt/bcm-2xxx-rpi
  v5.10/standard/preempt-rt/cn-sdkv4.18/cn96xx
  v5.10/standard/preempt-rt/cn-sdkv5.4/octeon
  v5.10/standard/preempt-rt/intel-sdk-5.10/intel-socfpga
  v5.10/standard/preempt-rt/nxp-sdk-5.10/nxp-s32g2xx
  v5.10/standard/preempt-rt/nxp-sdk-5.10/nxp-soc
  v5.10/standard/preempt-rt/sdkv5.10/axxia
  v5.10/standard/preempt-rt/sdkv5.10/xlnx-soc
  v5.10/standard/preempt-rt/ti-sdk-5.10/ti-j72xx
  v5.10/standard/preempt-rt/x86
  v5.10/standard/qemuarm64
  v5.10/standard/qemuppc
  v5.10/standard/sdkv5.10/axxia
  v5.10/standard/sdkv5.10/xlnx-soc
  v5.10/standard/sdkv5.4/xlnx-soc
  v5.10/standard/ti-am335x
  v5.10/standard/ti-sdk-5.10/ti-j72xx
  v5.10/standard/tiny/arm-versatile-926ejs
  v5.10/standard/tiny/base
  v5.10/standard/tiny/common-pc
  v5.10/standard/tiny/x86
  v5.10/standard/x86
  v5.10/standard/xilinx-zynqmp

That looks like the same change to me, and is preventing me from
applying that patch.

Bruce

>
> Regards,
> Archana
>
> ________________________________
> From: Bruce Ashfield <[email protected]>
> Sent: Thursday, July 18, 2024 18:54
> To: Polampalli, Archana <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: Re: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject 
> variable offset alu on PTR_TO_FLOW_KEYS
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and 
> know the content is safe.
>
> In message: Re: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject 
> variable offset alu on PTR_TO_FLOW_KEYS
> on 18/07/2024 Polampalli, Archana wrote:
>
> > Hi Bruce,
> >
> > This commit is not backported to older stable kernels, therefore backported 
> > it
> > from 5.15.y series. Kindly approve.
>
> Can you double check against the linux-yocto -stable updates
> that I pushed a few days ago ?
>
> I'm seeing this commit already in my tree.
>
> Bruce
>
> >
> > Regards,
> > Archana
> > ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
> > From: [email protected] 
> > <[email protected]>
> > on behalf of Polampalli, Archana via lists.yoctoproject.org 
> > <archana.polampalli
> > [email protected]>
> > Sent: Thursday, July 18, 2024 12:15
> > To: [email protected] <[email protected]>
> > Cc: [email protected] <[email protected]>
> > Subject: [linux-yocto][v5.10/standard/base][PATCH 1/1] bpf: Reject variable
> > offset alu on PTR_TO_FLOW_KEYS
> >
> > From: Hao Sun <[email protected]>
> >
> > [ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]
> >
> > For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
> > for validation. However, variable offset ptr alu is not prohibited
> > for this ptr kind. So the variable offset is not checked.
> >
> > The following prog is accepted:
> >
> >   func#0 @0
> >   0: R1=ctx() R10=fp0
> >   0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
> >   1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
> >   2: (b7) r8 = 1024                     ; R8_w=1024
> >   3: (37) r8 /= 1                       ; R8_w=scalar()
> >   4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,
> >   smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
> >   5: (0f) r7 += r8
> >   mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
> >   mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
> >   mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
> >   mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
> >   6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
> >   =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
> >   var_off=(0x0; 0x400))
> >   6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
> >   7: (95) exit
> >
> > This prog loads flow_keys to r7, and adds the variable offset r8
> > to r7, and finally causes out-of-bounds access:
> >
> >   BUG: unable to handle page fault for address: ffffc90014c80038
> >   [...]
> >   Call Trace:
> >    <TASK>
> >    bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
> >    __bpf_prog_run include/linux/filter.h:651 [inline]
> >    bpf_prog_run include/linux/filter.h:658 [inline]
> >    bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
> >    bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
> >    bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
> >    bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
> >    __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
> >    __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
> >    __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
> >    __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
> >    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >    do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
> >    entry_SYSCALL_64_after_hwframe+0x63/0x6b
> >
> > Fix this by rejecting ptr alu with variable offset on flow_keys.
> > Applying the patch rejects the program with "R7 pointer arithmetic
> > on flow_keys prohibited".
> >
> > Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
> > Signed-off-by: Hao Sun <[email protected]>
> > Signed-off-by: Daniel Borkmann <[email protected]>
> > Acked-by: Yonghong Song <[email protected]>
> > Link: https://lore.kernel.org/bpf/[email protected]
> >
> > Signed-off-by: Archana Polampalli <[email protected]>
> > ---
> >  kernel/bpf/verifier.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 25f8a8716e88..e2818d4d5d1b 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -6250,6 +6250,10 @@ static int adjust_ptr_min_max_vals(struct
> > bpf_verifier_env *env,
> >          }
> >
> >          switch (ptr_reg->type) {
> > +       case PTR_TO_FLOW_KEYS:
> > +               if (known)
> > +                       break;
> > +               fallthrough;
> >          case PTR_TO_MAP_VALUE_OR_NULL:
> >                  verbose(env, "R%d pointer arithmetic on %s prohibited,
> > null-check it first\n",
> >                          dst, reg_type_str[ptr_reg->type]);
> > --
> > 2.40.0
> >



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#14215): 
https://lists.yoctoproject.org/g/linux-yocto/message/14215
Mute This Topic: https://lists.yoctoproject.org/mt/107412947/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to