Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Daniel Borkmann says:

====================
pull-request: bpf 2018-02-28

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Add schedule points and reduce the number of loop iterations
the test_bpf kernel module is performing in order to not hog
the CPU for too long, from Eric.

2) Fix an out of bounds access in tail calls in the ppc64 BPF
JIT compiler, from Daniel.

3) Fix a crash on arm64 on unaligned BPF xadd operations that
could be triggered via interpreter and JIT, from Daniel.

Please not that once you merge net into net-next at some point, there
is a minor merge conflict in test_verifier.c since test cases had
been added at the end in both trees. Resolution is trivial: keep all
the test cases from both trees.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 8 years ago a5f7b0ee a6d50512

+88 -17

4 changed files

expand all

arch

powerpc

net

bpf_jit_comp64.c

kernel

bpf

verifier.c

lib

test_bpf.c

tools

testing

selftests

bpf

test_verifier.c

arch/powerpc/net/bpf_jit_comp64.c

··· 240 240 * goto out; 241 241 */ 242 242 PPC_LWZ(b2p[TMP_REG_1], b2p_bpf_array, offsetof(struct bpf_array, map.max_entries)); 243 + PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31); 243 244 PPC_CMPLW(b2p_index, b2p[TMP_REG_1]); 244 245 PPC_BCC(COND_GE, out); 245 246

+26 -16

kernel/bpf/verifier.c

··· 1356 1356 return reg->type == PTR_TO_CTX; 1357 1357 } 1358 1358 1359 + static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) 1360 + { 1361 + const struct bpf_reg_state *reg = cur_regs(env) + regno; 1362 + 1363 + return type_is_pkt_pointer(reg->type); 1364 + } 1365 + 1359 1366 static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, 1360 1367 const struct bpf_reg_state *reg, 1361 1368 int off, int size, bool strict) ··· 1423 1416 } 1424 1417 1425 1418 static int check_ptr_alignment(struct bpf_verifier_env *env, 1426 - const struct bpf_reg_state *reg, 1427 - int off, int size) 1419 + const struct bpf_reg_state *reg, int off, 1420 + int size, bool strict_alignment_once) 1428 1421 { 1429 - bool strict = env->strict_alignment; 1422 + bool strict = env->strict_alignment || strict_alignment_once; 1430 1423 const char *pointer_desc = ""; 1431 1424 1432 1425 switch (reg->type) { ··· 1583 1576 * if t==write && value_regno==-1, some unknown value is stored into memory 1584 1577 * if t==read && value_regno==-1, don't care what we read from memory 1585 1578 */ 1586 - static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, 1587 - int bpf_size, enum bpf_access_type t, 1588 - int value_regno) 1579 + static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, 1580 + int off, int bpf_size, enum bpf_access_type t, 1581 + int value_regno, bool strict_alignment_once) 1589 1582 { 1590 1583 struct bpf_reg_state *regs = cur_regs(env); 1591 1584 struct bpf_reg_state *reg = regs + regno; ··· 1597 1590 return size; 1598 1591 1599 1592 /* alignment checks will add in reg->off themselves */ 1600 - err = check_ptr_alignment(env, reg, off, size); 1593 + err = check_ptr_alignment(env, reg, off, size, strict_alignment_once); 1601 1594 if (err) 1602 1595 return err; 1603 1596 ··· 1742 1735 return -EACCES; 1743 1736 } 1744 1737 1745 - if (is_ctx_reg(env, insn->dst_reg)) { 1746 - verbose(env, "BPF_XADD stores into R%d context is not allowed\n", 1747 - insn->dst_reg); 1738 + if (is_ctx_reg(env, insn->dst_reg) || 1739 + is_pkt_reg(env, insn->dst_reg)) { 1740 + verbose(env, "BPF_XADD stores into R%d %s is not allowed\n", 1741 + insn->dst_reg, is_ctx_reg(env, insn->dst_reg) ? 1742 + "context" : "packet"); 1748 1743 return -EACCES; 1749 1744 } 1750 1745 1751 1746 /* check whether atomic_add can read the memory */ 1752 1747 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, 1753 - BPF_SIZE(insn->code), BPF_READ, -1); 1748 + BPF_SIZE(insn->code), BPF_READ, -1, true); 1754 1749 if (err) 1755 1750 return err; 1756 1751 1757 1752 /* check whether atomic_add can write into the same memory */ 1758 1753 return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, 1759 - BPF_SIZE(insn->code), BPF_WRITE, -1); 1754 + BPF_SIZE(insn->code), BPF_WRITE, -1, true); 1760 1755 } 1761 1756 1762 1757 /* when register 'regno' is passed into function that will read 'access_size' ··· 2397 2388 * is inferred from register state. 2398 2389 */ 2399 2390 for (i = 0; i < meta.access_size; i++) { 2400 - err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1); 2391 + err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, 2392 + BPF_WRITE, -1, false); 2401 2393 if (err) 2402 2394 return err; 2403 2395 } ··· 4642 4632 */ 4643 4633 err = check_mem_access(env, insn_idx, insn->src_reg, insn->off, 4644 4634 BPF_SIZE(insn->code), BPF_READ, 4645 - insn->dst_reg); 4635 + insn->dst_reg, false); 4646 4636 if (err) 4647 4637 return err; 4648 4638 ··· 4694 4684 /* check that memory (dst_reg + off) is writeable */ 4695 4685 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, 4696 4686 BPF_SIZE(insn->code), BPF_WRITE, 4697 - insn->src_reg); 4687 + insn->src_reg, false); 4698 4688 if (err) 4699 4689 return err; 4700 4690 ··· 4729 4719 /* check that memory (dst_reg + off) is writeable */ 4730 4720 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, 4731 4721 BPF_SIZE(insn->code), BPF_WRITE, 4732 - -1); 4722 + -1, false); 4733 4723 if (err) 4734 4724 return err; 4735 4725

+3 -1

lib/test_bpf.c

··· 24 24 #include <linux/if_vlan.h> 25 25 #include <linux/random.h> 26 26 #include <linux/highmem.h> 27 + #include <linux/sched.h> 27 28 28 29 /* General test specific settings */ 29 30 #define MAX_SUBTESTS 3 30 - #define MAX_TESTRUNS 10000 31 + #define MAX_TESTRUNS 1000 31 32 #define MAX_DATA 128 32 33 #define MAX_INSNS 512 33 34 #define MAX_K 0xffffFFFF ··· 6583 6582 struct bpf_prog *fp; 6584 6583 int err; 6585 6584 6585 + cond_resched(); 6586 6586 if (exclude_test(i)) 6587 6587 continue; 6588 6588

+58

tools/testing/selftests/bpf/test_verifier.c

··· 11163 11163 .result = REJECT, 11164 11164 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 11165 11165 }, 11166 + { 11167 + "xadd/w check unaligned stack", 11168 + .insns = { 11169 + BPF_MOV64_IMM(BPF_REG_0, 1), 11170 + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 11171 + BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7), 11172 + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 11173 + BPF_EXIT_INSN(), 11174 + }, 11175 + .result = REJECT, 11176 + .errstr = "misaligned stack access off", 11177 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11178 + }, 11179 + { 11180 + "xadd/w check unaligned map", 11181 + .insns = { 11182 + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11183 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11184 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11185 + BPF_LD_MAP_FD(BPF_REG_1, 0), 11186 + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11187 + BPF_FUNC_map_lookup_elem), 11188 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 11189 + BPF_EXIT_INSN(), 11190 + BPF_MOV64_IMM(BPF_REG_1, 1), 11191 + BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3), 11192 + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3), 11193 + BPF_EXIT_INSN(), 11194 + }, 11195 + .fixup_map1 = { 3 }, 11196 + .result = REJECT, 11197 + .errstr = "misaligned value access off", 11198 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11199 + }, 11200 + { 11201 + "xadd/w check unaligned pkt", 11202 + .insns = { 11203 + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11204 + offsetof(struct xdp_md, data)), 11205 + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11206 + offsetof(struct xdp_md, data_end)), 11207 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 11208 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 11209 + BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2), 11210 + BPF_MOV64_IMM(BPF_REG_0, 99), 11211 + BPF_JMP_IMM(BPF_JA, 0, 0, 6), 11212 + BPF_MOV64_IMM(BPF_REG_0, 1), 11213 + BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11214 + BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0), 11215 + BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1), 11216 + BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2), 11217 + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1), 11218 + BPF_EXIT_INSN(), 11219 + }, 11220 + .result = REJECT, 11221 + .errstr = "BPF_XADD stores into R2 packet", 11222 + .prog_type = BPF_PROG_TYPE_XDP, 11223 + }, 11166 11224 }; 11167 11225 11168 11226 static int probe_filter_length(const struct bpf_insn *fp)