Commit 15baa55f authored by Benjamin Tissoires's avatar Benjamin Tissoires Committed by Alexei Starovoitov
Browse files

bpf/verifier: allow all functions to read user provided context 



When a function was trying to access data from context in a syscall eBPF
program, the verifier was rejecting the call unless it was accessing the
first element.
This is because the syscall context is not known at compile time, and
so we need to check this when actually accessing it.

Check for the valid memory access if there is no convert_ctx callback,
and allow such situation to happen.

Acked-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20220906151303.2780789-4-benjamin.tissoires@redhat.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 95f2f26f

kernel/bpf/verifier.c

+19 −0
Original line number Diff line number Diff line
@@ -5233,6 +5233,25 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, 
				env,

				regno, reg->off, access_size,

				zero_size_allowed, ACCESS_HELPER, meta);

	case PTR_TO_CTX:

		/* in case the function doesn't know how to access the context,

		 * (because we are in a program of type SYSCALL for example), we

		 * can not statically check its size.

		 * Dynamically check it now.

		 */

		if (!env->ops->convert_ctx_access) {

			enum bpf_access_type atype = meta && meta->raw_mode ? BPF_WRITE : BPF_READ;

			int offset = access_size - 1;



			/* Allow zero-byte read from PTR_TO_CTX */

			if (access_size == 0)

				return zero_size_allowed ? 0 : -EACCES;



			return check_mem_access(env, env->insn_idx, regno, offset, BPF_B,

						atype, -1, false);

		}



		fallthrough;

	default: /* scalar_value or invalid ptr */

		/* Allow zero-byte read from NULL, regardless of pointer type */

		if (zero_size_allowed && access_size == 0 &&