Commit c33ae9a0 authored by Hao Luo's avatar Hao Luo Committed by Zheng Zengkai
Browse files

bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 

mainline inclusion
from mainline-v5.17-rc1
commit 216e3cd2
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4WRPV
CVE: CVE-2022-0500

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=216e3cd2f28dbbf1fe86848e0e29e6693b9f0a20



--------------------------------

Some helper functions may modify its arguments, for example,
bpf_d_path, bpf_get_stack etc. Previously, their argument types
were marked as ARG_PTR_TO_MEM, which is compatible with read-only
mem types, such as PTR_TO_RDONLY_BUF. Therefore it's legitimate,
but technically incorrect, to modify a read-only memory by passing
it into one of such helper functions.

This patch tags the bpf_args compatible with immutable memory with
MEM_RDONLY flag. The arguments that don't have this flag will be
only compatible with mutable memory types, preventing the helper
from modifying a read-only memory. The bpf_args that have
MEM_RDONLY are compatible with both mutable memory and immutable
memory.

Signed-off-by: default avatarHao Luo <haoluo@google.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20211217003152.48334-9-haoluo@google.com


Conflicts:
	kernel/bpf/btf.c
	kernel/bpf/helpers.c
	kernel/bpf/syscall.c
	kernel/trace/bpf_trace.c
	net/core/filter.c
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
Reviewed-by: default avatarKuohai Xu <xukuohai@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 34b8d21d

include/linux/bpf.h

+3 −1
Original line number Diff line number Diff line
@@ -268,7 +268,9 @@ enum bpf_type_flag { 
	/* PTR may be NULL. */

	PTR_MAYBE_NULL		= BIT(0 + BPF_BASE_TYPE_BITS),



	/* MEM is read-only. */

	/* MEM is read-only. When applied on bpf_arg, it indicates the arg is

	 * compatible with both mutable and immutable memory.

	 */

	MEM_RDONLY		= BIT(1 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_LAST_FLAG	= MEM_RDONLY,

kernel/bpf/cgroup.c

+1 −1
Original line number Diff line number Diff line
@@ -1703,7 +1703,7 @@ static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = { 
	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_PTR_TO_MEM,

	.arg2_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg3_type	= ARG_CONST_SIZE,

};

kernel/bpf/helpers.c

+3 −3
Original line number Diff line number Diff line
@@ -499,7 +499,7 @@ const struct bpf_func_proto bpf_strtol_proto = { 
	.func		= bpf_strtol,

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_MEM,

	.arg1_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg2_type	= ARG_CONST_SIZE,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_LONG,
@@ -527,7 +527,7 @@ const struct bpf_func_proto bpf_strtoul_proto = { 
	.func		= bpf_strtoul,

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_MEM,

	.arg1_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg2_type	= ARG_CONST_SIZE,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_LONG,
@@ -599,7 +599,7 @@ const struct bpf_func_proto bpf_event_output_data_proto = { 
	.arg1_type      = ARG_PTR_TO_CTX,

	.arg2_type      = ARG_CONST_MAP_PTR,

	.arg3_type      = ARG_ANYTHING,

	.arg4_type      = ARG_PTR_TO_MEM,

	.arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg5_type      = ARG_CONST_SIZE_OR_ZERO,

};

kernel/bpf/ringbuf.c

+1 −1
Original line number Diff line number Diff line
@@ -463,7 +463,7 @@ const struct bpf_func_proto bpf_ringbuf_output_proto = { 
	.func		= bpf_ringbuf_output,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_CONST_MAP_PTR,

	.arg2_type	= ARG_PTR_TO_MEM,

	.arg2_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg3_type	= ARG_CONST_SIZE_OR_ZERO,

	.arg4_type	= ARG_ANYTHING,

};

kernel/bpf/verifier.c

+17 −3
Original line number Diff line number Diff line
@@ -4365,7 +4365,6 @@ static const struct bpf_reg_types mem_types = { 
		PTR_TO_MAP_VALUE,

		PTR_TO_MEM,

		PTR_TO_BUF,

		PTR_TO_BUF | MEM_RDONLY,

	},

};
@@ -4426,6 +4425,21 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, 
		return -EFAULT;

	}



	/* ARG_PTR_TO_MEM + RDONLY is compatible with PTR_TO_MEM and PTR_TO_MEM + RDONLY,

	 * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM and NOT with PTR_TO_MEM + RDONLY

	 *

	 * Same for MAYBE_NULL:

	 *

	 * ARG_PTR_TO_MEM + MAYBE_NULL is compatible with PTR_TO_MEM and PTR_TO_MEM + MAYBE_NULL,

	 * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM but NOT with PTR_TO_MEM + MAYBE_NULL

	 *

	 * Therefore we fold these flags depending on the arg_type before comparison.

	 */

	if (arg_type & MEM_RDONLY)

		type &= ~MEM_RDONLY;

	if (arg_type & PTR_MAYBE_NULL)

		type &= ~PTR_MAYBE_NULL;



	for (i = 0; i < ARRAY_SIZE(compatible->types); i++) {

		expected = compatible->types[i];

		if (expected == NOT_INIT)
@@ -4435,14 +4449,14 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, 
			goto found;

	}



	verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, type));

	verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, reg->type));

	for (j = 0; j + 1 < i; j++)

		verbose(env, "%s, ", reg_type_str(env, compatible->types[j]));

	verbose(env, "%s\n", reg_type_str(env, compatible->types[j]));

	return -EACCES;



found:

	if (type == PTR_TO_BTF_ID) {

	if (reg->type == PTR_TO_BTF_ID) {

		if (!arg_btf_id) {

			if (!compatible->btf_id) {

				verbose(env, "verifier internal error: missing arg compatible BTF ID\n");