Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n.
In particular, the report is on tcp_congestion_ops that has
a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member,
it can be extended either by the regular kernel module or
by the bpf_struct_ops. bpf_try_module_get() will be used
to do the refcounting and a different refcount is done
based on the owner pointer. When CONFIG_MODULES=n,
the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystems' struct_ops require the "struct module *owner" member,
e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if
the struct_ops has the "struct module *" member and the
"struct module" btf_id is missing. The btf_type_is_fwd() helper
is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops, which has gone
through many changes. The Fixes tag is set to a recent commit on which this
patch can apply cleanly. Considering that CONFIG_MODULES=n is not
common and the age of the issue, targeting bpf-next also.

Fixes: 1611603537a4 ("bpf: Create argument information for nullable arguments.")
Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/bpf/74665.1733669976@localhost/
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Tested-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20241220201818.127152-1-martin.lau@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Authored by Martin KaFai Lau and committed by Alexei Starovoitov
96ea081e dfa94ce5

+26 -5
+5
include/linux/btf.h
··· 353 353 return btf_type_is_int(t) || btf_type_is_enum(t); 354 354 } 355 355 356 + static inline bool btf_type_is_fwd(const struct btf_type *t) 357 + { 358 + return BTF_INFO_KIND(t->info) == BTF_KIND_FWD; 359 + } 360 + 356 361 static inline bool btf_type_is_typedef(const struct btf_type *t) 357 362 { 358 363 return BTF_INFO_KIND(t->info) == BTF_KIND_TYPEDEF;
+21
kernel/bpf/bpf_struct_ops.c
··· 310 310 kfree(arg_info); 311 311 } 312 312 313 + static bool is_module_member(const struct btf *btf, u32 id) 314 + { 315 + const struct btf_type *t; 316 + 317 + t = btf_type_resolve_ptr(btf, id, NULL); 318 + if (!t) 319 + return false; 320 + 321 + if (!__btf_type_is_struct(t) && !btf_type_is_fwd(t)) 322 + return false; 323 + 324 + return !strcmp(btf_name_by_offset(btf, t->name_off), "module"); 325 + } 326 + 313 327 int bpf_struct_ops_desc_init(struct bpf_struct_ops_desc *st_ops_desc, 314 328 struct btf *btf, 315 329 struct bpf_verifier_log *log) ··· 399 385 if (__btf_member_bitfield_size(t, member)) { 400 386 pr_warn("bit field member %s in struct %s is not supported\n", 401 387 mname, st_ops->name); 388 + err = -EOPNOTSUPP; 389 + goto errout; 390 + } 391 + 392 + if (!st_ops_ids[IDX_MODULE_ID] && is_module_member(btf, member->type)) { 393 + pr_warn("'struct module' btf id not found. Is CONFIG_MODULES enabled? bpf_struct_ops '%s' needs module support.\n", 394 + st_ops->name); 402 395 err = -EOPNOTSUPP; 403 396 goto errout; 404 397 }
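Review bot: the forward-declaration case in is_module_member() deserves a one-line comment above `if (!__btf_type_is_struct(t) && !btf_type_is_fwd(t))`. It accepts a BTF_KIND_FWD as well as a full struct, presumably because a CONFIG_MODULES=n kernel has no "struct module" btf_id (the commit message's `WARN: resolve_btfids: unresolved symbol module`), so the pointee of `struct module *owner` can only be present in BTF as a forward declaration; without the comment a later cleanup could drop the btf_type_is_fwd() half as redundant and silently reopen the UAF this check closes. The gating order in `if (!st_ops_ids[IDX_MODULE_ID] && is_module_member(btf, member->type))` is right, since the name resolution only runs when the module btf_id is actually missing, and the pr_warn() naming CONFIG_MODULES and the struct_ops gives the operator enough to act on the -EOPNOTSUPP.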
-5
kernel/bpf/btf.c
··· 498 498 return t == &btf_void; 499 499 } 500 500 501 - static bool btf_type_is_fwd(const struct btf_type *t) 502 - { 503 - return BTF_INFO_KIND(t->info) == BTF_KIND_FWD; 504 - } 505 - 506 501 static bool btf_type_is_datasec(const struct btf_type *t) 507 502 { 508 503 return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC;