Commit d0208fde authored by Joanne Koong's avatar Joanne Koong Committed by Xiaomeng Zhang
Browse files

bpf: Add MEM_UNINIT as a bpf_type_flag 

mainline inclusion
from mainline-v5.19-rc1
commit 16d1e00c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQOP
CVE: CVE-2024-49861

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16d1e00c7e8a



--------------------------------

Instead of having uninitialized versions of arguments as separate
bpf_arg_types (eg ARG_PTR_TO_UNINIT_MEM as the uninitialized version
of ARG_PTR_TO_MEM), we can instead use MEM_UNINIT as a bpf_type_flag
modifier to denote that the argument is uninitialized.

Doing so cleans up some of the logic in the verifier. We no longer
need to do two checks against an argument type (eg "if
(base_type(arg_type) == ARG_PTR_TO_MEM || base_type(arg_type) ==
ARG_PTR_TO_UNINIT_MEM)"), since uninitialized and initialized
versions of the same argument type will now share the same base type.

In the near future, MEM_UNINIT will be used by dynptr helper functions
as well.

Signed-off-by: default avatarJoanne Koong <joannelkoong@gmail.com>
Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarDavid Vernet <void@manifault.com>
Link: https://lore.kernel.org/r/20220509224257.3222614-2-joannelkoong@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Conflicts:
	include/linux/bpf.h
	kernel/bpf/helpers.c
	kernel/bpf/verifier.c
[The conflicts were due to not merge some bpf_type_flag]
Signed-off-by: default avatarXiaomeng Zhang <zhangxiaomeng13@huawei.com>
parent a1fd264a

include/linux/bpf.h

+10 −8
Original line number Diff line number Diff line
@@ -290,7 +290,10 @@ enum bpf_type_flag { 
	 */

	MEM_ALLOC		= BIT(2 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_LAST_FLAG	= MEM_ALLOC,

	MEM_UNINIT		= BIT(7 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_FLAG_MAX,

	__BPF_TYPE_LAST_FLAG	= __BPF_TYPE_FLAG_MAX - 1,

};



/* Max number of base types. */
@@ -309,16 +312,11 @@ enum bpf_arg_type { 
	ARG_CONST_MAP_PTR,	/* const argument used as pointer to bpf_map */

	ARG_PTR_TO_MAP_KEY,	/* pointer to stack used as map key */

	ARG_PTR_TO_MAP_VALUE,	/* pointer to stack used as map value */

	ARG_PTR_TO_UNINIT_MAP_VALUE,	/* pointer to valid memory used to store a map value */



	/* the following constraints used to prototype bpf_memcmp() and other

	 * functions that access data on eBPF program stack

	/* Used to prototype bpf_memcmp() and other functions that access data

	 * on eBPF program stack

	 */

	ARG_PTR_TO_MEM,		/* pointer to valid memory (stack, packet, map value) */

	ARG_PTR_TO_UNINIT_MEM,	/* pointer to memory does not need to be initialized,

				 * helper function must fill all bytes or clear

				 * them in error case.

				 */



	ARG_CONST_SIZE,		/* number of bytes accessed from memory */

	ARG_CONST_SIZE_OR_ZERO,	/* number of bytes accessed from memory or 0 */
@@ -343,6 +341,10 @@ enum bpf_arg_type { 
	ARG_PTR_TO_CTX_OR_NULL		= PTR_MAYBE_NULL | ARG_PTR_TO_CTX,

	ARG_PTR_TO_SOCKET_OR_NULL	= PTR_MAYBE_NULL | ARG_PTR_TO_SOCKET,

	ARG_PTR_TO_ALLOC_MEM_OR_NULL	= PTR_MAYBE_NULL | ARG_PTR_TO_ALLOC_MEM,

	/* pointer to memory does not need to be initialized, helper function must fill

	 * all bytes or clear them in error case.

	 */

	ARG_PTR_TO_UNINIT_MEM		= MEM_UNINIT | ARG_PTR_TO_MEM,



	/* This must be the last entry. Its purpose is to ensure the enum is

	 * wide enough to hold the higher bits reserved for bpf_type_flag.

kernel/bpf/helpers.c

+2 −2
Original line number Diff line number Diff line
@@ -101,7 +101,7 @@ const struct bpf_func_proto bpf_map_pop_elem_proto = { 
	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_CONST_MAP_PTR,

	.arg2_type	= ARG_PTR_TO_UNINIT_MAP_VALUE,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,

};



BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value)
@@ -114,7 +114,7 @@ const struct bpf_func_proto bpf_map_peek_elem_proto = { 
	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_CONST_MAP_PTR,

	.arg2_type	= ARG_PTR_TO_UNINIT_MAP_VALUE,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,

};



const struct bpf_func_proto bpf_get_prandom_u32_proto = {

kernel/bpf/verifier.c

+8 −20
Original line number Diff line number Diff line
@@ -4700,12 +4700,6 @@ static int process_spin_lock(struct bpf_verifier_env *env, int regno, 
	return 0;

}



static bool arg_type_is_mem_ptr(enum bpf_arg_type type)

{

	return base_type(type) == ARG_PTR_TO_MEM ||

	       base_type(type) == ARG_PTR_TO_UNINIT_MEM;

}



static bool arg_type_is_mem_size(enum bpf_arg_type type)

{

	return type == ARG_CONST_SIZE ||
@@ -4829,7 +4823,6 @@ static const struct bpf_reg_types percpu_btf_ptr_types = { .types = { PTR_TO_PER 
static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {

	[ARG_PTR_TO_MAP_KEY]		= &map_key_value_types,

	[ARG_PTR_TO_MAP_VALUE]		= &map_key_value_types,

	[ARG_PTR_TO_UNINIT_MAP_VALUE]	= &map_key_value_types,

	[ARG_CONST_SIZE]		= &scalar_types,

	[ARG_CONST_SIZE_OR_ZERO]	= &scalar_types,

	[ARG_CONST_ALLOC_SIZE_OR_ZERO]	= &scalar_types,
@@ -4843,7 +4836,6 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = { 
	[ARG_PTR_TO_BTF_ID]		= &btf_ptr_types,

	[ARG_PTR_TO_SPIN_LOCK]		= &spin_lock_types,

	[ARG_PTR_TO_MEM]		= &mem_types,

	[ARG_PTR_TO_UNINIT_MEM]		= &mem_types,

	[ARG_PTR_TO_ALLOC_MEM]		= &alloc_mem_types,

	[ARG_PTR_TO_INT]		= &int_ptr_types,

	[ARG_PTR_TO_LONG]		= &int_ptr_types,
@@ -4949,8 +4941,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, 
		return -EACCES;

	}



	if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE ||

	    base_type(arg_type) == ARG_PTR_TO_UNINIT_MAP_VALUE) {

	if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE) {

		err = resolve_map_arg_type(env, meta, &arg_type);

		if (err)

			return err;
@@ -5025,8 +5016,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, 
		err = check_helper_mem_access(env, regno,

					      meta->map_ptr->key_size, false,

					      NULL);

	} else if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE ||

		   base_type(arg_type) == ARG_PTR_TO_UNINIT_MAP_VALUE) {

	} else if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE) {

		if (type_may_be_null(arg_type) && register_is_null(reg))

			return 0;
@@ -5038,7 +5028,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, 
			verbose(env, "invalid map_ptr to access map->value\n");

			return -EACCES;

		}

		meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);

		meta->raw_mode = arg_type & MEM_UNINIT;

		err = check_helper_mem_access(env, regno,

					      meta->map_ptr->value_size, false,

					      meta);
@@ -5059,11 +5049,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, 
			verbose(env, "verifier internal error\n");

			return -EFAULT;

		}

	} else if (arg_type_is_mem_ptr(arg_type)) {

	} else if (base_type(arg_type) == ARG_PTR_TO_MEM) {

		/* The access to this pointer is only checked when we hit the

		 * next is_mem_size argument below.

		 */

		meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MEM);

		meta->raw_mode = arg_type & MEM_UNINIT;

	} else if (arg_type_is_mem_size(arg_type)) {

		bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
@@ -5396,10 +5386,8 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn) 
static bool check_args_pair_invalid(enum bpf_arg_type arg_curr,

				    enum bpf_arg_type arg_next)

{

	return (arg_type_is_mem_ptr(arg_curr) &&

	        !arg_type_is_mem_size(arg_next)) ||

	       (!arg_type_is_mem_ptr(arg_curr) &&

		arg_type_is_mem_size(arg_next));

	return (base_type(arg_curr) == ARG_PTR_TO_MEM) !=

		arg_type_is_mem_size(arg_next);

}



static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
@@ -5410,7 +5398,7 @@ static bool check_arg_pair_ok(const struct bpf_func_proto *fn) 
	 * helper function specification.

	 */

	if (arg_type_is_mem_size(fn->arg1_type) ||

	    arg_type_is_mem_ptr(fn->arg5_type)  ||

	    base_type(fn->arg5_type) == ARG_PTR_TO_MEM ||

	    check_args_pair_invalid(fn->arg1_type, fn->arg2_type) ||

	    check_args_pair_invalid(fn->arg2_type, fn->arg3_type) ||

	    check_args_pair_invalid(fn->arg3_type, fn->arg4_type) ||