linux/tools
Jakub Kicinski 28e33f9d78 bpf: disallow arithmetic operations on context pointer
Commit f1174f77b5 ("bpf/verifier: rework value tracking")
removed the crafty selection of which pointer types are
allowed to be modified.  This is OK for most pointer types
since adjust_ptr_min_max_vals() will catch operations on
immutable pointers.  One exception is PTR_TO_CTX which is
now allowed to be offseted freely.

The intent of aforementioned commit was to allow context
access via modified registers.  The offset passed to
->is_valid_access() verifier callback has been adjusted
by the value of the variable offset.

What is missing, however, is taking the variable offset
into account when the context register is used.  Or in terms
of the code adding the offset to the value passed to the
->convert_ctx_access() callback.  This leads to the following
eBPF user code:

     r1 += 68
     r0 = *(u32 *)(r1 + 8)
     exit

being translated to this in kernel space:

   0: (07) r1 += 68
   1: (61) r0 = *(u32 *)(r1 +180)
   2: (95) exit

Offset 8 is corresponding to 180 in the kernel, but offset
76 is valid too.  Verifier will "accept" access to offset
68+8=76 but then "convert" access to offset 8 as 180.
Effective access to offset 248 is beyond the kernel context.
(This is a __sk_buff example on a debug-heavy kernel -
packet mark is 8 -> 180, 76 would be data.)

Dereferencing the modified context pointer is not as easy
as dereferencing other types, because we have to translate
the access to reading a field in kernel structures which is
usually at a different offset and often of a different size.
To allow modifying the pointer we would have to make sure
that given eBPF instruction will always access the same
field or the fields accessed are "compatible" in terms of
offset and size...

Disallow dereferencing modified context pointers and add
to selftests the test case described here.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-18 13:21:13 +01:00
..
accounting
arch tools include: Sync kernel ABI headers with tooling headers 2017-09-25 10:39:44 -03:00
build tools build tests: Don't hardcode gcc name 2017-08-28 16:44:44 -03:00
cgroup
firewire
gpio gpio-hammer: fix make consumer_label suitable to work on gpio-nails 2017-01-26 16:29:09 +01:00
hv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-09-06 14:45:08 -07:00
iio iio: tools: add install section 2017-08-09 14:31:58 +01:00
include tools include: Sync kernel ABI headers with tooling headers 2017-09-25 10:39:44 -03:00
kvm/kvm_stat tools/kvm_stat: add '-f help' to get the available event list 2017-07-26 19:04:53 +02:00
laptop
leds tools/leds: Add led_hw_brightness_mon program 2017-02-14 22:20:23 +01:00
lib perf/urgent fixes: 2017-09-13 09:25:10 +02:00
net tools: bpf_jit_disasm: Handle large images. 2017-06-14 15:03:22 -04:00
nfsd
objtool objtool: Support unoptimized frame pointer setup 2017-09-28 07:25:54 +02:00
pci tools: PCI: Add a missing option help line 2017-08-29 16:03:34 -05:00
pcmcia
perf perf/urgent fixes: 2017-09-29 19:31:46 +02:00
power Kbuild updates for v4.14 2017-09-14 13:46:33 -07:00
scripts Kbuild updates for v4.14 2017-09-14 13:46:33 -07:00
spi spi: tools: add install section 2017-07-26 12:25:28 +01:00
testing bpf: disallow arithmetic operations on context pointer 2017-10-18 13:21:13 +01:00
thermal/tmon
time
usb usbip: auto retry for concurrent attach 2017-08-31 18:08:45 +02:00
virtio tools/virtio: fix spelling mistake: "wakeus" -> "wakeups" 2017-05-09 16:43:24 +03:00
vm tools/vm: add missing Makefile rules 2017-02-22 16:41:26 -08:00
Makefile spi: Updates for v4.14 2017-09-05 11:40:38 -07:00