Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Undo ptr_to_map_key alu sanitation for now

Remove PTR_TO_MAP_KEY for the time being from being sanitized on pointer ALU
through sanitize_ptr_alu() mainly for 3 reasons:

1) It's currently unused and not available from unprivileged. However that by
itself is not yet a strong reason to drop the code.

2) Commit 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") implemented
the sanitation not fully correctly in that, unlike stack or map_value pointer,
it doesn't probe whether the access to the map key /after/ the simulated ALU
operation is still in bounds. This means that the generated mask can truncate
the offset in the non-speculative domain whereas it should only truncate in
the speculative domain. The verifier should instead reject such a program as
we do for other types.

3) Given the recent fixes from f232326f6966 ("bpf: Prohibit alu ops for pointer
types not defining ptr_limit"), 10d2bb2e6b1d ("bpf: Fix off-by-one for area
size in creating mask to left"), b5871dca250c ("bpf: Simplify alu_limit masking
for pointer arithmetic") as well as 1b1597e64e1a ("bpf: Add sanity check for
upper ptr_limit") the code changed quite a bit and the merge in efd13b71a3fa
broke the PTR_TO_MAP_KEY case due to an incorrect merge conflict.

Remove the relevant pieces for the time being and we can rework the PTR_TO_MAP_KEY
case once everything settles.

Fixes: efd13b71a3fa ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net")
Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

kernel/bpf/verifier.c: 14 deletions (-14)
··· 6062 6062 else 6063 6063 *ptr_limit = -off - 1; 6064 6064 return *ptr_limit >= max ? -ERANGE : 0; 6065 - case PTR_TO_MAP_KEY: 6066 - /* Currently, this code is not exercised as the only use 6067 - * is bpf_for_each_map_elem() helper which requires 6068 - * bpf_capble. The code has been tested manually for 6069 - * future use. 6070 - */ 6071 - if (mask_to_left) { 6072 - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; 6073 - } else { 6074 - off = ptr_reg->smin_value + ptr_reg->off; 6075 - *ptr_limit = ptr_reg->map_ptr->key_size - off; 6076 - } 6077 - return 0; 6078 6065 case PTR_TO_MAP_VALUE: 6079 6066 max = ptr_reg->map_ptr->value_size; 6080 6067 if (mask_to_left) { ··· 6268 6281 verbose(env, "R%d pointer arithmetic on %s prohibited\n", 6269 6282 dst, reg_type_str[ptr_reg->type]); 6270 6283 return -EACCES; 6271 - case PTR_TO_MAP_KEY: 6272 6284 case PTR_TO_MAP_VALUE: 6273 6285 if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { 6274 6286 verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
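Review bot: in the first hunk (retrieve_ptr_limit(), around line 6065), the removed PTR_TO_MAP_KEY case computed *ptr_limit from umax_value/smin_value plus off and then returned 0 unconditionally, whereas the preceding case ends with `return *ptr_limit >= max ? -ERANGE : 0;` and the following PTR_TO_MAP_VALUE case starts by setting `max = ptr_reg->map_ptr->value_size;`, so the key_size bound was never enforced on the computed limit; that matches point 2 of the commit message and supports dropping the block. After the removal a PTR_TO_MAP_KEY register reaching this switch falls to the default arm, which is outside the visible context, so please confirm in the commit message that the default returns an error rather than leaving *ptr_limit unset and returning 0. Minor: the removed comment also carried the typo "bpf_capble", which disappears with it.

Review bot: in the second hunk (adjust_ptr_min_max_vals(), around line 6271), removing `case PTR_TO_MAP_KEY:` from the fall-through into the PTR_TO_MAP_VALUE mixed-signed-bounds check changes which arm handles pointer ALU on a map key; the only other arm visible in the context is the one ending in `verbose(env, "R%d pointer arithmetic on %s prohibited\n", ...); return -EACCES;`, but whether PTR_TO_MAP_KEY now lands there or in a later default is not shown. Suggest stating the resulting behaviour explicitly in the commit message (pointer arithmetic on PTR_TO_MAP_KEY is now rejected by the verifier) and noting that the bpf_for_each_map_elem() selftests were re-run, since the helper's callback receives a map key pointer and any test doing arithmetic on it will now fail to load.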