Commit 725f9dcd authored by Alexei Starovoitov's avatar Alexei Starovoitov Committed by David S. Miller

bpf: fix two bugs in verification logic when accessing 'ctx' pointer

1.
first bug is a silly mistake. It broke tracing examples and prevented
simple bpf programs from loading.

In the following code:
if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {
} else if (...) {
  // this part should have been executed when
  // insn->code == BPF_W and insn->imm != 0
}

Obviously it's not doing that. So simple instructions like:
r2 = *(u64 *)(r1 + 8)
will be rejected. Note the comments in the code around these branches
were and still valid and indicate the true intent.

Replace it with:
if (BPF_SIZE(insn->code) != BPF_W)
  continue;

if (insn->imm == 0) {
} else if (...) {
  // now this code will be executed when
  // insn->code == BPF_W and insn->imm != 0
}

2.
second bug is more subtle.
If malicious code is using the same dest register as source register,
the checks designed to prevent the same instruction to be used with different
pointer types will fail to trigger, since we were assigning src_reg_type
when it was already overwritten by check_mem_access().
The fix is trivial. Just move line:
src_reg_type = regs[insn->src_reg].type;
before check_mem_access().
Add new 'access skb fields bad4' test to check this case.

Fixes: 9bac3d6d ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a166151c
...@@ -1637,6 +1637,8 @@ static int do_check(struct verifier_env *env) ...@@ -1637,6 +1637,8 @@ static int do_check(struct verifier_env *env)
if (err) if (err)
return err; return err;
src_reg_type = regs[insn->src_reg].type;
/* check that memory (src_reg + off) is readable, /* check that memory (src_reg + off) is readable,
* the state of dst_reg will be updated by this func * the state of dst_reg will be updated by this func
*/ */
...@@ -1646,9 +1648,12 @@ static int do_check(struct verifier_env *env) ...@@ -1646,9 +1648,12 @@ static int do_check(struct verifier_env *env)
if (err) if (err)
return err; return err;
src_reg_type = regs[insn->src_reg].type; if (BPF_SIZE(insn->code) != BPF_W) {
insn_idx++;
continue;
}
if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) { if (insn->imm == 0) {
/* saw a valid insn /* saw a valid insn
* dst_reg = *(u32 *)(src_reg + off) * dst_reg = *(u32 *)(src_reg + off)
* use reserved 'imm' field to mark this insn * use reserved 'imm' field to mark this insn
......
...@@ -721,6 +721,28 @@ static struct bpf_test tests[] = { ...@@ -721,6 +721,28 @@ static struct bpf_test tests[] = {
.errstr = "different pointers", .errstr = "different pointers",
.result = REJECT, .result = REJECT,
}, },
{
"access skb fields bad4",
.insns = {
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
offsetof(struct __sk_buff, len)),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
BPF_LD_MAP_FD(BPF_REG_1, 0),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
BPF_JMP_IMM(BPF_JA, 0, 0, -13),
},
.fixup = {7},
.errstr = "different pointers",
.result = REJECT,
},
}; };
static int probe_filter_length(struct bpf_insn *fp) static int probe_filter_length(struct bpf_insn *fp)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment