Privileged programs are supposed to be able to read uninitialized stack memory (ever since6715df8d5
) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv. Fixes:01f810ace9
("bpf: Allow variable-offset stack access") Reported-by: Hao Sun <sunhao.th@gmail.com> Signed-off-by: Andrei Matei <andreimatei1@gmail.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20231208032519.260451-3-andreimatei1@gmail.com Closes: https://lore.kernel.org/bpf/CABWLsev9g8UP_c3a=1qbuZUi20tGoUXoU07FPf-5FLvhOKOY+Q@mail.gmail.com/
159 lines
3.6 KiB
C
159 lines
3.6 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */
|
|
|
|
#include <linux/bpf.h>
|
|
#include <bpf/bpf_helpers.h>
|
|
#include "bpf_misc.h"
|
|
|
|
SEC("socket")
|
|
__description("ARG_PTR_TO_LONG uninitialized")
|
|
__success
|
|
__failure_unpriv __msg_unpriv("invalid indirect read from stack R4 off -16+0 size 8")
|
|
__naked void arg_ptr_to_long_uninitialized(void)
|
|
{
|
|
asm volatile (" \
|
|
/* bpf_strtoul arg1 (buf) */ \
|
|
r7 = r10; \
|
|
r7 += -8; \
|
|
r0 = 0x00303036; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r1 = r7; \
|
|
/* bpf_strtoul arg2 (buf_len) */ \
|
|
r2 = 4; \
|
|
/* bpf_strtoul arg3 (flags) */ \
|
|
r3 = 0; \
|
|
/* bpf_strtoul arg4 (res) */ \
|
|
r7 += -8; \
|
|
r4 = r7; \
|
|
/* bpf_strtoul() */ \
|
|
call %[bpf_strtoul]; \
|
|
r0 = 1; \
|
|
exit; \
|
|
" :
|
|
: __imm(bpf_strtoul)
|
|
: __clobber_all);
|
|
}
|
|
|
|
SEC("socket")
|
|
__description("ARG_PTR_TO_LONG half-uninitialized")
|
|
/* in privileged mode reads from uninitialized stack locations are permitted */
|
|
__success __failure_unpriv
|
|
__msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8")
|
|
__retval(0)
|
|
__naked void ptr_to_long_half_uninitialized(void)
|
|
{
|
|
asm volatile (" \
|
|
/* bpf_strtoul arg1 (buf) */ \
|
|
r7 = r10; \
|
|
r7 += -8; \
|
|
r0 = 0x00303036; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r1 = r7; \
|
|
/* bpf_strtoul arg2 (buf_len) */ \
|
|
r2 = 4; \
|
|
/* bpf_strtoul arg3 (flags) */ \
|
|
r3 = 0; \
|
|
/* bpf_strtoul arg4 (res) */ \
|
|
r7 += -8; \
|
|
*(u32*)(r7 + 0) = r0; \
|
|
r4 = r7; \
|
|
/* bpf_strtoul() */ \
|
|
call %[bpf_strtoul]; \
|
|
r0 = 0; \
|
|
exit; \
|
|
" :
|
|
: __imm(bpf_strtoul)
|
|
: __clobber_all);
|
|
}
|
|
|
|
SEC("cgroup/sysctl")
|
|
__description("ARG_PTR_TO_LONG misaligned")
|
|
__failure __msg("misaligned stack access off 0+-20+0 size 8")
|
|
__naked void arg_ptr_to_long_misaligned(void)
|
|
{
|
|
asm volatile (" \
|
|
/* bpf_strtoul arg1 (buf) */ \
|
|
r7 = r10; \
|
|
r7 += -8; \
|
|
r0 = 0x00303036; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r1 = r7; \
|
|
/* bpf_strtoul arg2 (buf_len) */ \
|
|
r2 = 4; \
|
|
/* bpf_strtoul arg3 (flags) */ \
|
|
r3 = 0; \
|
|
/* bpf_strtoul arg4 (res) */ \
|
|
r7 += -12; \
|
|
r0 = 0; \
|
|
*(u32*)(r7 + 0) = r0; \
|
|
*(u64*)(r7 + 4) = r0; \
|
|
r4 = r7; \
|
|
/* bpf_strtoul() */ \
|
|
call %[bpf_strtoul]; \
|
|
r0 = 1; \
|
|
exit; \
|
|
" :
|
|
: __imm(bpf_strtoul)
|
|
: __clobber_all);
|
|
}
|
|
|
|
SEC("cgroup/sysctl")
|
|
__description("ARG_PTR_TO_LONG size < sizeof(long)")
|
|
__failure __msg("invalid indirect access to stack R4 off=-4 size=8")
|
|
__naked void to_long_size_sizeof_long(void)
|
|
{
|
|
asm volatile (" \
|
|
/* bpf_strtoul arg1 (buf) */ \
|
|
r7 = r10; \
|
|
r7 += -16; \
|
|
r0 = 0x00303036; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r1 = r7; \
|
|
/* bpf_strtoul arg2 (buf_len) */ \
|
|
r2 = 4; \
|
|
/* bpf_strtoul arg3 (flags) */ \
|
|
r3 = 0; \
|
|
/* bpf_strtoul arg4 (res) */ \
|
|
r7 += 12; \
|
|
*(u32*)(r7 + 0) = r0; \
|
|
r4 = r7; \
|
|
/* bpf_strtoul() */ \
|
|
call %[bpf_strtoul]; \
|
|
r0 = 1; \
|
|
exit; \
|
|
" :
|
|
: __imm(bpf_strtoul)
|
|
: __clobber_all);
|
|
}
|
|
|
|
SEC("cgroup/sysctl")
|
|
__description("ARG_PTR_TO_LONG initialized")
|
|
__success
|
|
__naked void arg_ptr_to_long_initialized(void)
|
|
{
|
|
asm volatile (" \
|
|
/* bpf_strtoul arg1 (buf) */ \
|
|
r7 = r10; \
|
|
r7 += -8; \
|
|
r0 = 0x00303036; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r1 = r7; \
|
|
/* bpf_strtoul arg2 (buf_len) */ \
|
|
r2 = 4; \
|
|
/* bpf_strtoul arg3 (flags) */ \
|
|
r3 = 0; \
|
|
/* bpf_strtoul arg4 (res) */ \
|
|
r7 += -8; \
|
|
*(u64*)(r7 + 0) = r0; \
|
|
r4 = r7; \
|
|
/* bpf_strtoul() */ \
|
|
call %[bpf_strtoul]; \
|
|
r0 = 1; \
|
|
exit; \
|
|
" :
|
|
: __imm(bpf_strtoul)
|
|
: __clobber_all);
|
|
}
|
|
|
|
char _license[] SEC("license") = "GPL";
|