Message ID | 20210428161802.771519-1-jolsa@kernel.org |
---|---|
State | New |
Headers | show |
Series | bpf: Add deny list of btf ids check for tracing and ext programs | expand |
On Wed, Apr 28, 2021 at 9:19 AM Jiri Olsa <jolsa@kernel.org> wrote: > > The recursion check in __bpf_prog_enter and __bpf_prog_exit > leaves some (not inlined) functions unprotected: > > In __bpf_prog_enter: > - migrate_disable is called before prog->active is checked > > In __bpf_prog_exit: > - migrate_enable,rcu_read_unlock_strict are called after > prog->active is decreased > > When attaching trampoline to them we get panic like: > > traps: PANIC: double fault, error_code: 0x0 > double fault: 0000 [#1] SMP PTI > RIP: 0010:__bpf_prog_enter+0x4/0x50 > ... > Call Trace: > <IRQ> > bpf_trampoline_6442466513_0+0x18/0x1000 > migrate_disable+0x5/0x50 > __bpf_prog_enter+0x9/0x50 > bpf_trampoline_6442466513_0+0x18/0x1000 > migrate_disable+0x5/0x50 > __bpf_prog_enter+0x9/0x50 > bpf_trampoline_6442466513_0+0x18/0x1000 > migrate_disable+0x5/0x50 > __bpf_prog_enter+0x9/0x50 > bpf_trampoline_6442466513_0+0x18/0x1000 > migrate_disable+0x5/0x50 > ... > > Fixing this by adding deny list of btf ids for tracing > and ext programs and checking btf id during program > verification. Adding above functions to this list. > > Suggested-by: Alexei Starovoitov <ast@kernel.org> > Signed-off-by: Jiri Olsa <jolsa@kernel.org> > --- > kernel/bpf/verifier.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 2579f6fbb5c3..4ffd64eaffda 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -13112,6 +13112,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, > return 0; > } > > +BTF_SET_START(btf_id_deny) > +BTF_ID_UNUSED > +#ifdef CONFIG_SMP > +BTF_ID(func, migrate_disable) > +BTF_ID(func, migrate_enable) > +#endif > +#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU > +BTF_ID(func, rcu_read_unlock_strict) > +#endif > +BTF_SET_END(btf_id_deny) > + > static int check_attach_btf_id(struct bpf_verifier_env *env) > { > struct bpf_prog *prog = env->prog; > @@ -13171,6 +13182,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) > ret = bpf_lsm_verify_prog(&env->log, prog); > if (ret < 0) > return ret; > + } else if ((prog->type == BPF_PROG_TYPE_TRACING || > + prog->type == BPF_PROG_TYPE_EXT) && BPF_PROG_TYP_EXT can only replace other BPF programs/subprograms, it can't replace kernel functions, so the deny list shouldn't be checked for them. > + btf_id_set_contains(&btf_id_deny, btf_id)) { > + return -EINVAL; > } > > key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id); > -- > 2.30.2 >
On Wed, Apr 28, 2021 at 12:41:34PM -0700, Andrii Nakryiko wrote: > On Wed, Apr 28, 2021 at 9:19 AM Jiri Olsa <jolsa@kernel.org> wrote: > > > > The recursion check in __bpf_prog_enter and __bpf_prog_exit > > leaves some (not inlined) functions unprotected: > > > > In __bpf_prog_enter: > > - migrate_disable is called before prog->active is checked > > > > In __bpf_prog_exit: > > - migrate_enable,rcu_read_unlock_strict are called after > > prog->active is decreased > > > > When attaching trampoline to them we get panic like: > > > > traps: PANIC: double fault, error_code: 0x0 > > double fault: 0000 [#1] SMP PTI > > RIP: 0010:__bpf_prog_enter+0x4/0x50 > > ... > > Call Trace: > > <IRQ> > > bpf_trampoline_6442466513_0+0x18/0x1000 > > migrate_disable+0x5/0x50 > > __bpf_prog_enter+0x9/0x50 > > bpf_trampoline_6442466513_0+0x18/0x1000 > > migrate_disable+0x5/0x50 > > __bpf_prog_enter+0x9/0x50 > > bpf_trampoline_6442466513_0+0x18/0x1000 > > migrate_disable+0x5/0x50 > > __bpf_prog_enter+0x9/0x50 > > bpf_trampoline_6442466513_0+0x18/0x1000 > > migrate_disable+0x5/0x50 > > ... > > > > Fixing this by adding deny list of btf ids for tracing > > and ext programs and checking btf id during program > > verification. Adding above functions to this list. > > > > Suggested-by: Alexei Starovoitov <ast@kernel.org> > > Signed-off-by: Jiri Olsa <jolsa@kernel.org> > > --- > > kernel/bpf/verifier.c | 15 +++++++++++++++ > > 1 file changed, 15 insertions(+) > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index 2579f6fbb5c3..4ffd64eaffda 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -13112,6 +13112,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, > > return 0; > > } > > > > +BTF_SET_START(btf_id_deny) > > +BTF_ID_UNUSED > > +#ifdef CONFIG_SMP > > +BTF_ID(func, migrate_disable) > > +BTF_ID(func, migrate_enable) > > +#endif > > +#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU > > +BTF_ID(func, rcu_read_unlock_strict) > > +#endif > > +BTF_SET_END(btf_id_deny) > > + > > static int check_attach_btf_id(struct bpf_verifier_env *env) > > { > > struct bpf_prog *prog = env->prog; > > @@ -13171,6 +13182,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) > > ret = bpf_lsm_verify_prog(&env->log, prog); > > if (ret < 0) > > return ret; > > + } else if ((prog->type == BPF_PROG_TYPE_TRACING || > > + prog->type == BPF_PROG_TYPE_EXT) && > > BPF_PROG_TYP_EXT can only replace other BPF programs/subprograms, it > can't replace kernel functions, so the deny list shouldn't be checked > for them. right, will send new version jirka > > > + btf_id_set_contains(&btf_id_deny, btf_id)) { > > + return -EINVAL; > > } > > > > key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id); > > -- > > 2.30.2 > > >
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2579f6fbb5c3..4ffd64eaffda 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -13112,6 +13112,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, return 0; } +BTF_SET_START(btf_id_deny) +BTF_ID_UNUSED +#ifdef CONFIG_SMP +BTF_ID(func, migrate_disable) +BTF_ID(func, migrate_enable) +#endif +#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU +BTF_ID(func, rcu_read_unlock_strict) +#endif +BTF_SET_END(btf_id_deny) + static int check_attach_btf_id(struct bpf_verifier_env *env) { struct bpf_prog *prog = env->prog; @@ -13171,6 +13182,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) ret = bpf_lsm_verify_prog(&env->log, prog); if (ret < 0) return ret; + } else if ((prog->type == BPF_PROG_TYPE_TRACING || + prog->type == BPF_PROG_TYPE_EXT) && + btf_id_set_contains(&btf_id_deny, btf_id)) { + return -EINVAL; } key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id);
The recursion check in __bpf_prog_enter and __bpf_prog_exit leaves some (not inlined) functions unprotected: In __bpf_prog_enter: - migrate_disable is called before prog->active is checked In __bpf_prog_exit: - migrate_enable,rcu_read_unlock_strict are called after prog->active is decreased When attaching trampoline to them we get panic like: traps: PANIC: double fault, error_code: 0x0 double fault: 0000 [#1] SMP PTI RIP: 0010:__bpf_prog_enter+0x4/0x50 ... Call Trace: <IRQ> bpf_trampoline_6442466513_0+0x18/0x1000 migrate_disable+0x5/0x50 __bpf_prog_enter+0x9/0x50 bpf_trampoline_6442466513_0+0x18/0x1000 migrate_disable+0x5/0x50 __bpf_prog_enter+0x9/0x50 bpf_trampoline_6442466513_0+0x18/0x1000 migrate_disable+0x5/0x50 __bpf_prog_enter+0x9/0x50 bpf_trampoline_6442466513_0+0x18/0x1000 migrate_disable+0x5/0x50 ... Fixing this by adding deny list of btf ids for tracing and ext programs and checking btf id during program verification. Adding above functions to this list. Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Jiri Olsa <jolsa@kernel.org> --- kernel/bpf/verifier.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)