From: Greg Kroah-Hartman Date: Mon, 15 Jul 2024 12:09:23 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.318~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=900f5a356c0693ecf347afc448ed7e876ed53fab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bpf-allow-reads-from-uninit-stack.patch --- diff --git a/queue-5.15/bpf-allow-reads-from-uninit-stack.patch b/queue-5.15/bpf-allow-reads-from-uninit-stack.patch new file mode 100644 index 00000000000..6843fb32645 --- /dev/null +++ b/queue-5.15/bpf-allow-reads-from-uninit-stack.patch @@ -0,0 +1,795 @@ +From 6715df8d5d24655b9fd368e904028112b54c7de1 Mon Sep 17 00:00:00 2001 +From: Eduard Zingerman +Date: Sun, 19 Feb 2023 22:04:26 +0200 +Subject: bpf: Allow reads from uninit stack + +From: Eduard Zingerman + +commit 6715df8d5d24655b9fd368e904028112b54c7de1 upstream. + +This commits updates the following functions to allow reads from +uninitialized stack locations when env->allow_uninit_stack option is +enabled: +- check_stack_read_fixed_off() +- check_stack_range_initialized(), called from: + - check_stack_read_var_off() + - check_helper_mem_access() + +Such change allows to relax logic in stacksafe() to treat STACK_MISC +and STACK_INVALID in a same way and make the following stack slot +configurations equivalent: + + | Cached state | Current state | + | stack slot | stack slot | + |------------------+------------------| + | STACK_INVALID or | STACK_INVALID or | + | STACK_MISC | STACK_SPILL or | + | | STACK_MISC or | + | | STACK_ZERO or | + | | STACK_DYNPTR | + +This leads to significant verification speed gains (see below). + +The idea was suggested by Andrii Nakryiko [1] and initial patch was +created by Alexei Starovoitov [2]. + +Currently the env->allow_uninit_stack is allowed for programs loaded +by users with CAP_PERFMON or CAP_SYS_ADMIN capabilities. + +A number of test cases from verifier/*.c were expecting uninitialized +stack access to be an error. These test cases were updated to execute +in unprivileged mode (thus preserving the tests). + +The test progs/test_global_func10.c expected "invalid indirect read +from stack" error message because of the access to uninitialized +memory region. This error is no longer possible in privileged mode. +The test is updated to provoke an error "invalid indirect access to +stack" because of access to invalid stack address (such error is not +verified by progs/test_global_func*.c series of tests). + +The following tests had to be removed because these can't be made +unprivileged: +- verifier/sock.c: + - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init + stack_value" + BPF_PROG_TYPE_SCHED_CLS programs are not executed in unprivileged mode. +- verifier/var_off.c: + - "indirect variable-offset stack access, max_off+size > max_initialized" + - "indirect variable-offset stack access, uninitialized" + These tests verify that access to uninitialized stack values is + detected when stack offset is not a constant. However, variable + stack access is prohibited in unprivileged mode, thus these tests + are no longer valid. + + * * * + +Here is veristat log comparing this patch with current master on a +set of selftest binaries listed in tools/testing/selftests/bpf/veristat.cfg +and cilium BPF binaries (see [3]): + +$ ./veristat -e file,prog,states -C -f 'states_pct<-30' master.log current.log +File Program States (A) States (B) States (DIFF) +-------------------------- -------------------------- ---------- ---------- ---------------- +bpf_host.o tail_handle_ipv6_from_host 349 244 -105 (-30.09%) +bpf_host.o tail_handle_nat_fwd_ipv4 1320 895 -425 (-32.20%) +bpf_lxc.o tail_handle_nat_fwd_ipv4 1320 895 -425 (-32.20%) +bpf_sock.o cil_sock4_connect 70 48 -22 (-31.43%) +bpf_sock.o cil_sock4_sendmsg 68 46 -22 (-32.35%) +bpf_xdp.o tail_handle_nat_fwd_ipv4 1554 803 -751 (-48.33%) +bpf_xdp.o tail_lb_ipv4 6457 2473 -3984 (-61.70%) +bpf_xdp.o tail_lb_ipv6 7249 3908 -3341 (-46.09%) +pyperf600_bpf_loop.bpf.o on_event 287 145 -142 (-49.48%) +strobemeta.bpf.o on_event 15915 4772 -11143 (-70.02%) +strobemeta_nounroll2.bpf.o on_event 17087 3820 -13267 (-77.64%) +xdp_synproxy_kern.bpf.o syncookie_tc 21271 6635 -14636 (-68.81%) +xdp_synproxy_kern.bpf.o syncookie_xdp 23122 6024 -17098 (-73.95%) +-------------------------- -------------------------- ---------- ---------- ---------------- + +Note: I limited selection by states_pct<-30%. + +Inspection of differences in pyperf600_bpf_loop behavior shows that +the following patch for the test removes almost all differences: + + - a/tools/testing/selftests/bpf/progs/pyperf.h + + b/tools/testing/selftests/bpf/progs/pyperf.h + @ -266,8 +266,8 @ int __on_event(struct bpf_raw_tracepoint_args *ctx) + } + + if (event->pthread_match || !pidData->use_tls) { + - void* frame_ptr; + - FrameData frame; + + void* frame_ptr = 0; + + FrameData frame = {}; + Symbol sym = {}; + int cur_cpu = bpf_get_smp_processor_id(); + +W/o this patch the difference comes from the following pattern +(for different variables): + + static bool get_frame_data(... FrameData *frame ...) + { + ... + bpf_probe_read_user(&frame->f_code, ...); + if (!frame->f_code) + return false; + ... + bpf_probe_read_user(&frame->co_name, ...); + if (frame->co_name) + ...; + } + + int __on_event(struct bpf_raw_tracepoint_args *ctx) + { + FrameData frame; + ... + get_frame_data(... &frame ...) // indirectly via a bpf_loop & callback + ... + } + + SEC("raw_tracepoint/kfree_skb") + int on_event(struct bpf_raw_tracepoint_args* ctx) + { + ... + ret |= __on_event(ctx); + ret |= __on_event(ctx); + ... + } + +With regards to value `frame->co_name` the following is important: +- Because of the conditional `if (!frame->f_code)` each call to + __on_event() produces two states, one with `frame->co_name` marked + as STACK_MISC, another with it as is (and marked STACK_INVALID on a + first call). +- The call to bpf_probe_read_user() does not mark stack slots + corresponding to `&frame->co_name` as REG_LIVE_WRITTEN but it marks + these slots as BPF_MISC, this happens because of the following loop + in the check_helper_call(): + + for (i = 0; i < meta.access_size; i++) { + err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, + BPF_WRITE, -1, false); + if (err) + return err; + } + + Note the size of the write, it is a one byte write for each byte + touched by a helper. The BPF_B write does not lead to write marks + for the target stack slot. +- Which means that w/o this patch when second __on_event() call is + verified `if (frame->co_name)` will propagate read marks first to a + stack slot with STACK_MISC marks and second to a stack slot with + STACK_INVALID marks and these states would be considered different. + +[1] https://lore.kernel.org/bpf/CAEf4BzY3e+ZuC6HUa8dCiUovQRg2SzEk7M-dSkqNZyn=xEmnPA@mail.gmail.com/ +[2] https://lore.kernel.org/bpf/CAADnVQKs2i1iuZ5SUGuJtxWVfGYR9kDgYKhq3rNV+kBLQCu7rA@mail.gmail.com/ +[3] git@github.com:anakryiko/cilium.git + +Suggested-by: Andrii Nakryiko +Co-developed-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20230219200427.606541-2-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 11 + tools/testing/selftests/bpf/progs/test_global_func10.c | 9 + tools/testing/selftests/bpf/verifier/calls.c | 13 + tools/testing/selftests/bpf/verifier/helper_access_var_len.c | 104 +++-- + tools/testing/selftests/bpf/verifier/int_ptr.c | 9 + tools/testing/selftests/bpf/verifier/search_pruning.c | 13 + tools/testing/selftests/bpf/verifier/sock.c | 27 - + tools/testing/selftests/bpf/verifier/spill_fill.c | 211 +++++++++++ + tools/testing/selftests/bpf/verifier/var_off.c | 52 -- + 9 files changed, 316 insertions(+), 133 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3159,6 +3159,8 @@ static int check_stack_read_fixed_off(st + continue; + if (type == STACK_MISC) + continue; ++ if (type == STACK_INVALID && env->allow_uninit_stack) ++ continue; + verbose(env, "invalid read from stack off %d+%d size %d\n", + off, i, size); + return -EACCES; +@@ -3196,6 +3198,8 @@ static int check_stack_read_fixed_off(st + continue; + if (type == STACK_ZERO) + continue; ++ if (type == STACK_INVALID && env->allow_uninit_stack) ++ continue; + verbose(env, "invalid read from stack off %d+%d size %d\n", + off, i, size); + return -EACCES; +@@ -4782,7 +4786,8 @@ static int check_stack_range_initialized + stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; + if (*stype == STACK_MISC) + goto mark; +- if (*stype == STACK_ZERO) { ++ if ((*stype == STACK_ZERO) || ++ (*stype == STACK_INVALID && env->allow_uninit_stack)) { + if (clobber) { + /* helper can write anything into the stack */ + *stype = STACK_MISC; +@@ -10625,6 +10630,10 @@ static bool stacksafe(struct bpf_verifie + if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) + continue; + ++ if (env->allow_uninit_stack && ++ old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) ++ continue; ++ + /* explored stack has more populated slots than current stack + * and these slots were used + */ +--- a/tools/testing/selftests/bpf/progs/test_global_func10.c ++++ b/tools/testing/selftests/bpf/progs/test_global_func10.c +@@ -4,12 +4,12 @@ + #include + + struct Small { +- int x; ++ long x; + }; + + struct Big { +- int x; +- int y; ++ long x; ++ long y; + }; + + __noinline int foo(const struct Big *big) +@@ -21,7 +21,8 @@ __noinline int foo(const struct Big *big + } + + SEC("cgroup_skb/ingress") +-int test_cls(struct __sk_buff *skb) ++__failure __msg("invalid indirect access to stack") ++int global_func10(struct __sk_buff *skb) + { + const struct Small small = {.x = skb->len }; + +--- a/tools/testing/selftests/bpf/verifier/calls.c ++++ b/tools/testing/selftests/bpf/verifier/calls.c +@@ -1967,19 +1967,22 @@ + * that fp-8 stack slot was unused in the fall-through + * branch and will accept the program incorrectly + */ +- BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2), ++ BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), ++ BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 2, 2), + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_JMP_IMM(BPF_JA, 0, 0, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .fixup_map_hash_48b = { 6 }, +- .errstr = "invalid indirect read from stack R2 off -8+0 size 8", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_XDP, ++ .fixup_map_hash_48b = { 7 }, ++ .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "calls: ctx read at start of subprog", +--- a/tools/testing/selftests/bpf/verifier/helper_access_var_len.c ++++ b/tools/testing/selftests/bpf/verifier/helper_access_var_len.c +@@ -29,19 +29,30 @@ + { + "helper access to variable memory: stack, bitwise AND, zero included", + .insns = { +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), +- BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), +- BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), +- BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), +- BPF_MOV64_IMM(BPF_REG_3, 0), +- BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), ++ /* set max stack size */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), ++ /* set r3 to a random value */ ++ BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), ++ BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), ++ /* use bitwise AND to limit r3 range to [0, 64] */ ++ BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 64), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), ++ BPF_MOV64_IMM(BPF_REG_4, 0), ++ /* Call bpf_ringbuf_output(), it is one of a few helper functions with ++ * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. ++ * For unpriv this should signal an error, because memory at &fp[-64] is ++ * not initialized. ++ */ ++ BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), + BPF_EXIT_INSN(), + }, +- .errstr = "invalid indirect read from stack R1 off -64+0 size 64", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_TRACEPOINT, ++ .fixup_map_ringbuf = { 4 }, ++ .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "helper access to variable memory: stack, bitwise AND + JMP, wrong max", +@@ -183,20 +194,31 @@ + { + "helper access to variable memory: stack, JMP, no min check", + .insns = { +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), +- BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), +- BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), +- BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), +- BPF_MOV64_IMM(BPF_REG_3, 0), +- BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), ++ /* set max stack size */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), ++ /* set r3 to a random value */ ++ BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), ++ BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), ++ /* use JMP to limit r3 range to [0, 64] */ ++ BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 64, 6), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), ++ BPF_MOV64_IMM(BPF_REG_4, 0), ++ /* Call bpf_ringbuf_output(), it is one of a few helper functions with ++ * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. ++ * For unpriv this should signal an error, because memory at &fp[-64] is ++ * not initialized. ++ */ ++ BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .errstr = "invalid indirect read from stack R1 off -64+0 size 64", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_TRACEPOINT, ++ .fixup_map_ringbuf = { 4 }, ++ .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "helper access to variable memory: stack, JMP (signed), no min check", +@@ -564,29 +586,41 @@ + { + "helper access to variable memory: 8 bytes leak", + .insns = { +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), +- BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), ++ /* set max stack size */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), ++ /* set r3 to a random value */ ++ BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), ++ BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), ++ /* Note: fp[-32] left uninitialized */ + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), +- BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), +- BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), +- BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), +- BPF_MOV64_IMM(BPF_REG_3, 0), +- BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), +- BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), ++ /* Limit r3 range to [1, 64] */ ++ BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 63), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1), ++ BPF_MOV64_IMM(BPF_REG_4, 0), ++ /* Call bpf_ringbuf_output(), it is one of a few helper functions with ++ * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. ++ * For unpriv this should signal an error, because memory region [1, 64] ++ * at &fp[-64] is not fully initialized. ++ */ ++ BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .errstr = "invalid indirect read from stack R1 off -64+32 size 64", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_TRACEPOINT, ++ .fixup_map_ringbuf = { 3 }, ++ .errstr_unpriv = "invalid indirect read from stack R2 off -64+32 size 64", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "helper access to variable memory: 8 bytes no leak (init memory)", +--- a/tools/testing/selftests/bpf/verifier/int_ptr.c ++++ b/tools/testing/selftests/bpf/verifier/int_ptr.c +@@ -54,12 +54,13 @@ + /* bpf_strtoul() */ + BPF_EMIT_CALL(BPF_FUNC_strtoul), + +- BPF_MOV64_IMM(BPF_REG_0, 1), ++ BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_CGROUP_SYSCTL, +- .errstr = "invalid indirect read from stack R4 off -16+4 size 8", ++ .result_unpriv = REJECT, ++ .errstr_unpriv = "invalid indirect read from stack R4 off -16+4 size 8", ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "ARG_PTR_TO_LONG misaligned", +--- a/tools/testing/selftests/bpf/verifier/search_pruning.c ++++ b/tools/testing/selftests/bpf/verifier/search_pruning.c +@@ -128,9 +128,10 @@ + BPF_EXIT_INSN(), + }, + .fixup_map_hash_8b = { 3 }, +- .errstr = "invalid read from stack off -16+0 size 8", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_TRACEPOINT, ++ .errstr_unpriv = "invalid read from stack off -16+0 size 8", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, + { + "allocated_stack", +@@ -187,6 +188,8 @@ + BPF_EXIT_INSN(), + }, + .flags = BPF_F_TEST_STATE_FREQ, +- .errstr = "invalid read from stack off -8+1 size 8", +- .result = REJECT, ++ .errstr_unpriv = "invalid read from stack off -8+1 size 8", ++ .result_unpriv = REJECT, ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, + }, +--- a/tools/testing/selftests/bpf/verifier/sock.c ++++ b/tools/testing/selftests/bpf/verifier/sock.c +@@ -531,33 +531,6 @@ + .result = ACCEPT, + }, + { +- "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value", +- .insns = { +- BPF_MOV64_IMM(BPF_REG_2, 0), +- BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), +- BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), +- BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), +- BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_EXIT_INSN(), +- BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), +- BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), +- BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_EXIT_INSN(), +- BPF_MOV64_IMM(BPF_REG_4, 1), +- BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), +- BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), +- BPF_LD_MAP_FD(BPF_REG_1, 0), +- BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), +- BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_EXIT_INSN(), +- }, +- .fixup_sk_storage_map = { 14 }, +- .prog_type = BPF_PROG_TYPE_SCHED_CLS, +- .result = REJECT, +- .errstr = "invalid indirect read from stack", +-}, +-{ + "bpf_map_lookup_elem(smap, &key)", + .insns = { + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), +--- a/tools/testing/selftests/bpf/verifier/spill_fill.c ++++ b/tools/testing/selftests/bpf/verifier/spill_fill.c +@@ -104,3 +104,214 @@ + .result = ACCEPT, + .retval = POINTER_VALUE, + }, ++{ ++ "Spill and refill a u32 const scalar. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ /* r4 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_4, 20), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = *(u32 *)(r10 -8) */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), ++ /* r0 = r2 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=20 */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), ++ /* if (r0 > r3) R0=pkt,off=20 R2=pkt R3=pkt_end R4=20 */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r2 R0=pkt,off=20,r=20 R2=pkt,r=20 R3=pkt_end R4=20 */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = ACCEPT, ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill a u32 const, refill from another half of the uninit u32 from the stack", ++ .insns = { ++ /* r4 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_4, 20), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = *(u32 *)(r10 -4) fp-8=????rrrr*/ ++ BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result_unpriv = REJECT, ++ .errstr_unpriv = "invalid read from stack off -4+0 size 4", ++ /* in privileged mode reads from uninitialized stack locations are permitted */ ++ .result = ACCEPT, ++}, ++{ ++ "Spill a u32 const scalar. Refill as u16. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ /* r4 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_4, 20), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = *(u16 *)(r10 -8) */ ++ BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), ++ /* r0 = r2 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), ++ /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = REJECT, ++ .errstr = "invalid access to packet", ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill u32 const scalars. Refill as u64. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ /* r6 = 0 */ ++ BPF_MOV32_IMM(BPF_REG_6, 0), ++ /* r7 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_7, 20), ++ /* *(u32 *)(r10 -4) = r6 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4), ++ /* *(u32 *)(r10 -8) = r7 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8), ++ /* r4 = *(u64 *)(r10 -8) */ ++ BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), ++ /* r0 = r2 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), ++ /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = REJECT, ++ .errstr = "invalid access to packet", ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill a u32 const scalar. Refill as u16 from fp-6. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ /* r4 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_4, 20), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = *(u16 *)(r10 -6) */ ++ BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -6), ++ /* r0 = r2 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), ++ /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = REJECT, ++ .errstr = "invalid access to packet", ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill and refill a u32 const scalar at non 8byte aligned stack addr. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ /* r4 = 20 */ ++ BPF_MOV32_IMM(BPF_REG_4, 20), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* *(u32 *)(r10 -4) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), ++ /* r4 = *(u32 *)(r10 -4), */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), ++ /* r0 = r2 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=U32_MAX */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), ++ /* if (r0 > r3) R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r2 R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = REJECT, ++ .errstr = "invalid access to packet", ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill and refill a umax=40 bounded scalar. Offset to skb->data", ++ .insns = { ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, ++ offsetof(struct __sk_buff, data)), ++ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, ++ offsetof(struct __sk_buff, data_end)), ++ BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, ++ offsetof(struct __sk_buff, tstamp)), ++ BPF_JMP_IMM(BPF_JLE, BPF_REG_4, 40, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ /* *(u32 *)(r10 -8) = r4 R4=umax=40 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = (*u32 *)(r10 - 8) */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), ++ /* r2 += r4 R2=pkt R4=umax=40 */ ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_4), ++ /* r0 = r2 R2=pkt,umax=40 R4=umax=40 */ ++ BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), ++ /* r2 += 20 R0=pkt,umax=40 R2=pkt,umax=40 */ ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 20), ++ /* if (r2 > r3) R0=pkt,umax=40 R2=pkt,off=20,umax=40 */ ++ BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 1), ++ /* r0 = *(u32 *)r0 R0=pkt,r=20,umax=40 R2=pkt,off=20,r=20,umax=40 */ ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = ACCEPT, ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, ++{ ++ "Spill a u32 scalar at fp-4 and then at fp-8", ++ .insns = { ++ /* r4 = 4321 */ ++ BPF_MOV32_IMM(BPF_REG_4, 4321), ++ /* *(u32 *)(r10 -4) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), ++ /* *(u32 *)(r10 -8) = r4 */ ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), ++ /* r4 = *(u64 *)(r10 -8) */ ++ BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .result = ACCEPT, ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++}, +--- a/tools/testing/selftests/bpf/verifier/var_off.c ++++ b/tools/testing/selftests/bpf/verifier/var_off.c +@@ -213,31 +213,6 @@ + .prog_type = BPF_PROG_TYPE_LWT_IN, + }, + { +- "indirect variable-offset stack access, max_off+size > max_initialized", +- .insns = { +- /* Fill only the second from top 8 bytes of the stack. */ +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), +- /* Get an unknown value. */ +- BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), +- /* Make it small and 4-byte aligned. */ +- BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), +- BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16), +- /* Add it to fp. We now have either fp-12 or fp-16, but we don't know +- * which. fp-12 size 8 is partially uninitialized stack. +- */ +- BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), +- /* Dereference it indirectly. */ +- BPF_LD_MAP_FD(BPF_REG_1, 0), +- BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), +- BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_EXIT_INSN(), +- }, +- .fixup_map_hash_8b = { 5 }, +- .errstr = "invalid indirect read from stack R2 var_off", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_LWT_IN, +-}, +-{ + "indirect variable-offset stack access, min_off < min_initialized", + .insns = { + /* Fill only the top 8 bytes of the stack. */ +@@ -290,33 +265,6 @@ + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + }, + { +- "indirect variable-offset stack access, uninitialized", +- .insns = { +- BPF_MOV64_IMM(BPF_REG_2, 6), +- BPF_MOV64_IMM(BPF_REG_3, 28), +- /* Fill the top 16 bytes of the stack. */ +- BPF_ST_MEM(BPF_W, BPF_REG_10, -16, 0), +- BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), +- /* Get an unknown value. */ +- BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 0), +- /* Make it small and 4-byte aligned. */ +- BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 4), +- BPF_ALU64_IMM(BPF_SUB, BPF_REG_4, 16), +- /* Add it to fp. We now have either fp-12 or fp-16, we don't know +- * which, but either way it points to initialized stack. +- */ +- BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_10), +- BPF_MOV64_IMM(BPF_REG_5, 8), +- /* Dereference it indirectly. */ +- BPF_EMIT_CALL(BPF_FUNC_getsockopt), +- BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_EXIT_INSN(), +- }, +- .errstr = "invalid indirect read from stack R4 var_off", +- .result = REJECT, +- .prog_type = BPF_PROG_TYPE_SOCK_OPS, +-}, +-{ + "indirect variable-offset stack access, ok", + .insns = { + /* Fill the top 16 bytes of the stack. */ diff --git a/queue-5.15/series b/queue-5.15/series index b313ed76b8d..3b625e2d035 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -128,3 +128,4 @@ wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch ipv6-annotate-data-races-around-cnf.disable_ipv6.patch ipv6-prevent-null-dereference-in-ip6_output.patch +bpf-allow-reads-from-uninit-stack.patch