bpf: Fix an error around PTR_UNTRUSTED

[ Upstream commit 7ce4dc3e4a9d954c8a1fb483c7a527e9b060b860 ]

Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
cleared when we start to walk a new struct, because the struct in
question may be a struct nested in a union. We should also check and set
this flag before we walk its each member, in case itself is a union.
We will clear this flag if the field is BTF_TYPE_SAFE_RCU_OR_NULL.

Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.")
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Link: https://lore.kernel.org/r/20230713025642.27477-2-laoar.shao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 8b4e92439d1d6a7e3d25ce4c1f61310c651be307..5dd8534b778d156d65b9a4ca55306783bdb25105 100644 (file)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6126,7 +6126,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
        const char *tname, *mname, *tag_value;
        u32 vlen, elem_id, mid;
 
-       *flag = 0;
 again:
        tname = __btf_name_by_offset(btf, t->name_off);
        if (!btf_type_is_struct(t)) {
@@ -6135,6 +6134,14 @@ again:
        }
 
        vlen = btf_type_vlen(t);
+       if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1 && !(*flag & PTR_UNTRUSTED))
+               /*
+                * walking unions yields untrusted pointers
+                * with exception of __bpf_md_ptr and other
+                * unions with a single member
+                */
+               *flag |= PTR_UNTRUSTED;
+
        if (off + size > t->size) {
                /* If the last element is a variable size array, we may
                 * need to relax the rule.
@@ -6295,15 +6302,6 @@ error:
                 * of this field or inside of this struct
                 */
                if (btf_type_is_struct(mtype)) {
-                       if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
-                           btf_type_vlen(mtype) != 1)
-                               /*
-                                * walking unions yields untrusted pointers
-                                * with exception of __bpf_md_ptr and other
-                                * unions with a single member
-                                */
-                               *flag |= PTR_UNTRUSTED;
-
                        /* our field must be inside that union or struct */
                        t = mtype;
 
@@ -6469,7 +6467,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
                          bool strict)
 {
        const struct btf_type *type;
-       enum bpf_type_flag flag;
+       enum bpf_type_flag flag = 0;
        int err;
 
        /* Are we already done? */

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4fbfe1d086467d6093e99aef57c72c031e712b22..cef173614fc8ff15c36f615c16f8e010c0c00af7 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5893,6 +5893,11 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env,
                                   type_is_rcu_or_null(env, reg, field_name, btf_id)) {
                                /* __rcu tagged pointers can be NULL */
                                flag |= MEM_RCU | PTR_MAYBE_NULL;
+
+                               /* We always trust them */
+                               if (type_is_rcu_or_null(env, reg, field_name, btf_id) &&
+                                   flag & PTR_UNTRUSTED)
+                                       flag &= ~PTR_UNTRUSTED;
                        } else if (flag & (MEM_PERCPU | MEM_USER)) {
                                /* keep as-is */
                        } else {