[PATCH OLK-6.6 2/7] bpf: enforce precise retval range on program exit

28 Oct 2024

From: Andrii Nakryiko andrii@kernel.org
mainline inclusion
from mainline-v6.8-rc1
commit c871d0e00f0e8c207ce8ff89025e35cc49a8a3c3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJF
CVE: CVE-2024-47703
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Similarly to subprog/callback logic, enforce return value of BPF program
using more precise smin/smax range.
We need to adjust a bunch of tests due to a changed format of an error
message.
Acked-by: Eduard Zingerman eddyz87@gmail.com
Acked-by: Shung-Hsi Yu shung-hsi.yu@suse.com
Signed-off-by: Andrii Nakryiko andrii@kernel.org
Link: https://lore.kernel.org/r/20231202175705.885270-7-andrii@kernel.org
Signed-off-by: Alexei Starovoitov ast@kernel.org
Conflicts:
    kernel/bpf/verifier.c
    tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
    tools/testing/selftests/bpf/progs/exceptions_assert.c
    tools/testing/selftests/bpf/progs/exceptions_fail.c
[The conflicts are due to We did not backport 5fad52bee304, d2a93715bfb0
and 60a6b2c78c62]
Signed-off-by: Tengda Wu wutengda2@huawei.com
---
 kernel/bpf/verifier.c                         | 56 ++++++++++---------
 .../selftests/bpf/progs/test_global_func15.c  |  2 +-
 .../selftests/bpf/progs/timer_failure.c       |  2 +-
 .../selftests/bpf/progs/user_ringbuf_fail.c   |  2 +-
 .../bpf/progs/verifier_cgroup_inv_retcode.c   |  8 +--
 .../bpf/progs/verifier_netfilter_retcode.c    |  2 +-
 6 files changed, 37 insertions(+), 35 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 126414babca6..33b838be156a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -413,20 +413,23 @@ __printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env,
static void verbose_invalid_scalar(struct bpf_verifier_env *env,
    			   struct bpf_reg_state *reg,
-				   struct tnum *range, const char *ctx,
+				   struct bpf_retval_range range, const char *ctx,
    			   const char *reg_name)
 {
-	char tn_buf[48];
+	bool unknown = true;
-	verbose(env, "At %s the register %s ", ctx, reg_name);
-	if (!tnum_is_unknown(reg->var_off)) {
-		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
-		verbose(env, "has value %s", tn_buf);
-	} else {
-		verbose(env, "has unknown scalar value");
+	verbose(env, "At %s the register %s has", ctx, reg_name);
+	if (reg->smin_value > S64_MIN) {
+		verbose(env, " smin=%lld", reg->smin_value);
+		unknown = false;
    }
-	tnum_strn(tn_buf, sizeof(tn_buf), *range);
-	verbose(env, " should have been in %s\n", tn_buf);
+	if (reg->smax_value < S64_MAX) {
+		verbose(env, " smax=%lld", reg->smax_value);
+		unknown = false;
+	}
+	if (unknown)
+		verbose(env, " unknown scalar value");
+	verbose(env, " should have been in [%d, %d]\n", range.minval, range.maxval);
 }
static bool type_is_pkt_pointer(enum bpf_reg_type type)
@@ -9673,10 +9676,8 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
/* enforce R0 return value range */
    	if (!retval_range_within(callee->callback_ret_range, r0)) {
-			struct tnum range = tnum_range(callee->callback_ret_range.minval,
-						       callee->callback_ret_range.maxval);
-
-			verbose_invalid_scalar(env, r0, &range, "callback return", "R0");
+			verbose_invalid_scalar(env, r0, callee->callback_ret_range,
+					       "callback return", "R0");
    		return -EINVAL;
    	}
    	if (!calls_callback(env, callee->callsite)) {
@@ -14951,7 +14952,8 @@ static int check_return_code(struct bpf_verifier_env *env)
    struct tnum enforce_attach_type_range = tnum_unknown;
    const struct bpf_prog *prog = env->prog;
    struct bpf_reg_state *reg;
-	struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0);
+	struct bpf_retval_range range = retval_range(0, 1);
+	struct bpf_retval_range const_0 = retval_range(0, 0);
    enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
    int err;
    struct bpf_func_state *frame = env->cur_state->frame[0];
@@ -14999,8 +15001,8 @@ static int check_return_code(struct bpf_verifier_env *env)
    		return -EINVAL;
    	}
-		if (!tnum_in(const_0, reg->var_off)) {
-			verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0");
+		if (!retval_range_within(const_0, reg)) {
+			verbose_invalid_scalar(env, reg, const_0, "async callback", "R0");
    		return -EINVAL;
    	}
    	return 0;
@@ -15023,14 +15025,14 @@ static int check_return_code(struct bpf_verifier_env *env)
    	    env->prog->expected_attach_type == BPF_CGROUP_INET6_GETPEERNAME ||
    	    env->prog->expected_attach_type == BPF_CGROUP_INET4_GETSOCKNAME ||
    	    env->prog->expected_attach_type == BPF_CGROUP_INET6_GETSOCKNAME)
-			range = tnum_range(1, 1);
+			range = retval_range(1, 1);
    	if (env->prog->expected_attach_type == BPF_CGROUP_INET4_BIND ||
    	    env->prog->expected_attach_type == BPF_CGROUP_INET6_BIND)
-			range = tnum_range(0, 3);
+			range = retval_range(0, 3);
    	break;
    case BPF_PROG_TYPE_CGROUP_SKB:
    	if (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {
-			range = tnum_range(0, 3);
+			range = retval_range(0, 3);
    		enforce_attach_type_range = tnum_range(2, 3);
    	}
    	break;
@@ -15043,13 +15045,13 @@ static int check_return_code(struct bpf_verifier_env *env)
    case BPF_PROG_TYPE_RAW_TRACEPOINT:
    	if (!env->prog->aux->attach_btf_id)
    		return 0;
-		range = tnum_const(0);
+		range = retval_range(0, 0);
    	break;
    case BPF_PROG_TYPE_TRACING:
    	switch (env->prog->expected_attach_type) {
    	case BPF_TRACE_FENTRY:
    	case BPF_TRACE_FEXIT:
-			range = tnum_const(0);
+			range = retval_range(0, 0);
    		break;
    	case BPF_TRACE_RAW_TP:
    	case BPF_MODIFY_RETURN:
@@ -15061,7 +15063,7 @@ static int check_return_code(struct bpf_verifier_env *env)
    	}
    	break;
    case BPF_PROG_TYPE_SK_LOOKUP:
-		range = tnum_range(SK_DROP, SK_PASS);
+		range = retval_range(SK_DROP, SK_PASS);
    	break;
case BPF_PROG_TYPE_LSM:
@@ -15075,12 +15077,12 @@ static int check_return_code(struct bpf_verifier_env *env)
    		/* Make sure programs that attach to void
    		 * hooks don't try to modify return value.
    		 */
-			range = tnum_range(1, 1);
+			range = retval_range(1, 1);
    	}
    	break;
case BPF_PROG_TYPE_NETFILTER:
-		range = tnum_range(NF_DROP, NF_ACCEPT);
+		range = retval_range(NF_DROP, NF_ACCEPT);
    	break;
    case BPF_PROG_TYPE_EXT:
    	/* freplace program can return anything as its return value
@@ -15096,8 +15098,8 @@ static int check_return_code(struct bpf_verifier_env *env)
    	return -EINVAL;
    }
-	if (!tnum_in(range, reg->var_off)) {
-		verbose_invalid_scalar(env, reg, &range, "program exit", "R0");
+	if (!retval_range_within(range, reg)) {
+		verbose_invalid_scalar(env, reg, range, "program exit", "R0");
    	if (prog->expected_attach_type == BPF_LSM_CGROUP &&
    	    prog_type == BPF_PROG_TYPE_LSM &&
    	    !prog->aux->attach_func_proto->type)
diff --git a/tools/testing/selftests/bpf/progs/test_global_func15.c b/tools/testing/selftests/bpf/progs/test_global_func15.c
index b512d6a6c75e..f80207480e8a 100644
--- a/tools/testing/selftests/bpf/progs/test_global_func15.c
+++ b/tools/testing/selftests/bpf/progs/test_global_func15.c
@@ -13,7 +13,7 @@ __noinline int foo(unsigned int *v)
 }
SEC("cgroup_skb/ingress")
-__failure __msg("At program exit the register R0 has value")
+__failure __msg("At program exit the register R0 has ")
 int global_func15(struct __sk_buff *skb)
 {
    unsigned int v = 1;
diff --git a/tools/testing/selftests/bpf/progs/timer_failure.c b/tools/testing/selftests/bpf/progs/timer_failure.c
index 226d33b5a05c..9000da1e2120 100644
--- a/tools/testing/selftests/bpf/progs/timer_failure.c
+++ b/tools/testing/selftests/bpf/progs/timer_failure.c
@@ -30,7 +30,7 @@ static int timer_cb_ret1(void *map, int *key, struct bpf_timer *timer)
 }
SEC("fentry/bpf_fentry_test1")
-__failure __msg("should have been in (0x0; 0x0)")
+__failure __msg("should have been in [0, 0]")
 int BPF_PROG2(test_ret_1, int, a)
 {
    int key = 0;
diff --git a/tools/testing/selftests/bpf/progs/user_ringbuf_fail.c b/tools/testing/selftests/bpf/progs/user_ringbuf_fail.c
index 03ee946c6bf7..11ab25c42c36 100644
--- a/tools/testing/selftests/bpf/progs/user_ringbuf_fail.c
+++ b/tools/testing/selftests/bpf/progs/user_ringbuf_fail.c
@@ -184,7 +184,7 @@ invalid_drain_callback_return(struct bpf_dynptr *dynptr, void *context)
  * not be able to write to that pointer.
  */
 SEC("?raw_tp")
-__failure __msg("At callback return the register R0 has value")
+__failure __msg("At callback return the register R0 has ")
 int user_ringbuf_callback_invalid_return(void *ctx)
 {
    bpf_user_ringbuf_drain(&user_ringbuf, invalid_drain_callback_return, NULL, 0);
diff --git a/tools/testing/selftests/bpf/progs/verifier_cgroup_inv_retcode.c b/tools/testing/selftests/bpf/progs/verifier_cgroup_inv_retcode.c
index d6c4a7f3f790..6e0f349f8f15 100644
--- a/tools/testing/selftests/bpf/progs/verifier_cgroup_inv_retcode.c
+++ b/tools/testing/selftests/bpf/progs/verifier_cgroup_inv_retcode.c
@@ -7,7 +7,7 @@
SEC("cgroup/sock")
 __description("bpf_exit with invalid return code. test1")
-__failure __msg("R0 has value (0x0; 0xffffffff)")
+__failure __msg("smin=0 smax=4294967295 should have been in [0, 1]")
 __naked void with_invalid_return_code_test1(void)
 {
    asm volatile ("					\
@@ -30,7 +30,7 @@ __naked void with_invalid_return_code_test2(void)
SEC("cgroup/sock")
 __description("bpf_exit with invalid return code. test3")
-__failure __msg("R0 has value (0x0; 0x3)")
+__failure __msg("smin=0 smax=3 should have been in [0, 1]")
 __naked void with_invalid_return_code_test3(void)
 {
    asm volatile ("					\
@@ -53,7 +53,7 @@ __naked void with_invalid_return_code_test4(void)
SEC("cgroup/sock")
 __description("bpf_exit with invalid return code. test5")
-__failure __msg("R0 has value (0x2; 0x0)")
+__failure __msg("smin=2 smax=2 should have been in [0, 1]")
 __naked void with_invalid_return_code_test5(void)
 {
    asm volatile ("					\
@@ -75,7 +75,7 @@ __naked void with_invalid_return_code_test6(void)
SEC("cgroup/sock")
 __description("bpf_exit with invalid return code. test7")
-__failure __msg("R0 has unknown scalar value")
+__failure __msg("R0 has unknown scalar value should have been in [0, 1]")
 __naked void with_invalid_return_code_test7(void)
 {
    asm volatile ("					\
diff --git a/tools/testing/selftests/bpf/progs/verifier_netfilter_retcode.c b/tools/testing/selftests/bpf/progs/verifier_netfilter_retcode.c
index 353ae6da00e1..e1ffa5d32ff0 100644
--- a/tools/testing/selftests/bpf/progs/verifier_netfilter_retcode.c
+++ b/tools/testing/selftests/bpf/progs/verifier_netfilter_retcode.c
@@ -39,7 +39,7 @@ __naked void with_valid_return_code_test3(void)
SEC("netfilter")
 __description("bpf_exit with invalid return code. test4")
-__failure __msg("R0 has value (0x2; 0x0)")
+__failure __msg("R0 has smin=2 smax=2 should have been in [0, 1]")
 __naked void with_invalid_return_code_test4(void)
 {
    asm volatile ("					\
-- 
2.34.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-6.6 2/7] bpf: enforce precise retval range on program exit