[linux-morello] [PATCH 08/12] bpf: compat64: support CHECK_ATTR macro

12 Sep 2023

The CHECK_ATTR macro needs adapting to support union compat_bpf_attr as
well as union bpf_attr.
The union bpf_attr passed in from userspace contains many structs of
various sizes for each of the bpf syscall's multiplexed options. Since
most of the structs do not take up the full memory footprint of the
union, we should not have any data past the last struct member for any
given option.
The CHECK_ATTR macro checks for non-null data in the gap between the end
of the last member and the end of the union. Any non-zero data signals a
malformed request from userspace so should be rejected.
Adapt the macro to be able to handle the compat64 offsets based on
in_compat64_syscall().
Since compat64 conversion involves copying out individual fields to a
new native sized union, we need to check for invalid data before the
conversion occurs i.e. in copy_bpf_attr_from_user.
This presents a problem since the existing macro relies on the string
XYZ_LAST_FIELD called inside each sub-command handler. However at the
__sys_bpf + copy_bpf_attr_from_user stage we have only int cmd to
distinguish subcommands as per enum bpf_cmd, and:
    1. there is no way to go cleanly from int to enum string/name
    2. enum bpf_cmd does not cleanly match 1:1 in all cases for
       XYZ_LAST_FIELD
We can either:
    a) rework/refactor XYZ_LAST_FIELD system to encode by int cmd
    b) add a check_attr function with case statement to call the macro
       with the correct XYZ_LAST_FIELD argument
The latter is preferred here for being the slightly easier and cleaner
approach. Rather than refactor the entire system, abstract the details
away in a check_attr() function called from copy_bpf_attr_from_user().
Signed-off-by: Zachary Leaf zachary.leaf@arm.com
---
 kernel/bpf/syscall.c | 177 +++++++++++++++++++++----------------------
 1 file changed, 87 insertions(+), 90 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 17f55deddf48..89c202b69f6c 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -974,13 +974,17 @@ int bpf_get_file_flag(int flags)
    return O_RDWR;
 }
-/* helper macro to check that unused fields 'union bpf_attr' are zero */
+#define __CHECK_ATTR(CMD, TYPE) \
+	(memchr_inv((void *) &(((TYPE *)vattr)->CMD##_LAST_FIELD) + \
+		sizeof(((TYPE *)vattr)->CMD##_LAST_FIELD), 0, \
+		sizeof(*(TYPE *)vattr) - \
+		offsetof(TYPE, CMD##_LAST_FIELD) - \
+		sizeof(((TYPE *)vattr)->CMD##_LAST_FIELD)) != NULL)
+
 #define CHECK_ATTR(CMD) \
-	memchr_inv((void *) &attr->CMD##_LAST_FIELD + \
-		   sizeof(attr->CMD##_LAST_FIELD), 0, \
-		   sizeof(*attr) - \
-		   offsetof(union bpf_attr, CMD##_LAST_FIELD) - \
-		   sizeof(attr->CMD##_LAST_FIELD)) != NULL
+	(in_compat64_syscall() ? \
+		__CHECK_ATTR(CMD, union compat_bpf_attr) : \
+		__CHECK_ATTR(CMD, union bpf_attr))
/* dst and src must have at least "size" number of bytes.
  * Return strlen on success and < 0 on error.
@@ -1134,10 +1138,6 @@ static int map_create(union bpf_attr *attr)
    int f_flags;
    int err;
-	err = CHECK_ATTR(BPF_MAP_CREATE);
-	if (err)
-		return -EINVAL;
-
    if (attr->btf_vmlinux_value_type_id) {
    	if (attr->map_type != BPF_MAP_TYPE_STRUCT_OPS ||
    	    attr->btf_key_type_id || attr->btf_value_type_id)
@@ -1367,9 +1367,6 @@ static int map_lookup_elem(union bpf_attr *attr)
    struct fd f;
    int err;
-	if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
-		return -EINVAL;
-
    if (attr->flags & ~BPF_F_LOCK)
    	return -EINVAL;
@@ -1442,9 +1439,6 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr)
    struct fd f;
    int err;
-	if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
-		return -EINVAL;
-
    f = fdget(ufd);
    map = __bpf_map_get(f);
    if (IS_ERR(map))
@@ -1496,9 +1490,6 @@ static int map_delete_elem(union bpf_attr *attr, bpfptr_t uattr)
    void *key;
    int err;
-	if (CHECK_ATTR(BPF_MAP_DELETE_ELEM))
-		return -EINVAL;
-
    f = fdget(ufd);
    map = __bpf_map_get(f);
    if (IS_ERR(map))
@@ -1552,9 +1543,6 @@ static int map_get_next_key(union bpf_attr *attr)
    struct fd f;
    int err;
-	if (CHECK_ATTR(BPF_MAP_GET_NEXT_KEY))
-		return -EINVAL;
-
    f = fdget(ufd);
    map = __bpf_map_get(f);
    if (IS_ERR(map))
@@ -1832,9 +1820,6 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
    struct fd f;
    int err;
-	if (CHECK_ATTR(BPF_MAP_LOOKUP_AND_DELETE_ELEM))
-		return -EINVAL;
-
    if (attr->flags & ~BPF_F_LOCK)
    	return -EINVAL;
@@ -1920,9 +1905,6 @@ static int map_freeze(const union bpf_attr *attr)
    struct bpf_map *map;
    struct fd f;
-	if (CHECK_ATTR(BPF_MAP_FREEZE))
-		return -EINVAL;
-
    f = fdget(ufd);
    map = __bpf_map_get(f);
    if (IS_ERR(map))
@@ -2510,9 +2492,6 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
    char license[128];
    bool is_gpl;
-	if (CHECK_ATTR(BPF_PROG_LOAD))
-		return -EINVAL;
-
    if (attr->prog_flags & ~(BPF_F_STRICT_ALIGNMENT |
    			 BPF_F_ANY_ALIGNMENT |
    			 BPF_F_TEST_STATE_FREQ |
@@ -2707,7 +2686,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
static int bpf_obj_pin(const union bpf_attr *attr)
 {
-	if (CHECK_ATTR(BPF_OBJ) || attr->file_flags != 0)
+	if (attr->file_flags != 0)
    	return -EINVAL;
return bpf_obj_pin_user(attr->bpf_fd, u64_to_user_ptr(attr->pathname));
@@ -2715,8 +2694,7 @@ static int bpf_obj_pin(const union bpf_attr *attr)
static int bpf_obj_get(const union bpf_attr *attr)
 {
-	if (CHECK_ATTR(BPF_OBJ) || attr->bpf_fd != 0 ||
-	    attr->file_flags & ~BPF_OBJ_FLAG_MASK)
+	if (attr->bpf_fd != 0 || attr->file_flags & ~BPF_OBJ_FLAG_MASK)
    	return -EINVAL;
return bpf_obj_get_user(u64_to_user_ptr(attr->pathname),
@@ -3411,9 +3389,6 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
    struct bpf_prog *prog;
    int fd;
-	if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
-		return -EINVAL;
-
    prog = bpf_prog_get(attr->raw_tracepoint.prog_fd);
    if (IS_ERR(prog))
    	return PTR_ERR(prog);
@@ -3526,9 +3501,6 @@ static int bpf_prog_attach(const union bpf_attr *attr)
    struct bpf_prog *prog;
    int ret;
-	if (CHECK_ATTR(BPF_PROG_ATTACH))
-		return -EINVAL;
-
    if (attr->attach_flags & ~BPF_F_ATTACH_MASK)
    	return -EINVAL;
@@ -3585,9 +3557,6 @@ static int bpf_prog_detach(const union bpf_attr *attr)
 {
    enum bpf_prog_type ptype;
-	if (CHECK_ATTR(BPF_PROG_DETACH))
-		return -EINVAL;
-
    ptype = attach_type_to_prog_type(attr->attach_type);
switch (ptype) {
@@ -3619,8 +3588,6 @@ static int bpf_prog_query(const union bpf_attr *attr,
 {
    if (!capable(CAP_NET_ADMIN))
    	return -EPERM;
-	if (CHECK_ATTR(BPF_PROG_QUERY))
-		return -EINVAL;
    if (attr->query.query_flags & ~BPF_F_QUERY_EFFECTIVE)
    	return -EINVAL;
@@ -3673,9 +3640,6 @@ static int bpf_prog_test_run(const union bpf_attr *attr,
    struct bpf_prog *prog;
    int ret = -ENOTSUPP;
-	if (CHECK_ATTR(BPF_PROG_TEST_RUN))
-		return -EINVAL;
-
    if ((attr->test.ctx_size_in && !attr->test.ctx_in) ||
        (!attr->test.ctx_size_in && attr->test.ctx_in))
    	return -EINVAL;
@@ -3705,7 +3669,7 @@ static int bpf_obj_get_next_id(const union bpf_attr *attr,
    u32 next_id = attr->start_id;
    int err = 0;
-	if (CHECK_ATTR(BPF_OBJ_GET_NEXT_ID) || next_id >= INT_MAX)
+	if (next_id >= INT_MAX)
    	return -EINVAL;
if (!capable(CAP_SYS_ADMIN))
@@ -3786,9 +3750,6 @@ static int bpf_prog_get_fd_by_id(const union bpf_attr *attr)
    u32 id = attr->prog_id;
    int fd;
-	if (CHECK_ATTR(BPF_PROG_GET_FD_BY_ID))
-		return -EINVAL;
-
    if (!capable(CAP_SYS_ADMIN))
    	return -EPERM;
@@ -3812,8 +3773,7 @@ static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
    int f_flags;
    int fd;
-	if (CHECK_ATTR(BPF_MAP_GET_FD_BY_ID) ||
-	    attr->open_flags & ~BPF_OBJ_FLAG_MASK)
+	if (attr->open_flags & ~BPF_OBJ_FLAG_MASK)
    	return -EINVAL;
if (!capable(CAP_SYS_ADMIN))
@@ -4592,9 +4552,6 @@ static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
    struct fd f;
    int err;
-	if (CHECK_ATTR(BPF_OBJ_GET_INFO_BY_FD))
-		return -EINVAL;
-
    f = fdget(ufd);
    if (!f.file)
    	return -EBADFD;
@@ -4621,9 +4578,6 @@ static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_size)
 {
-	if (CHECK_ATTR(BPF_BTF_LOAD))
-		return -EINVAL;
-
    if (!bpf_capable())
    	return -EPERM;
@@ -4634,9 +4588,6 @@ static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr, __u32 uattr_
static int bpf_btf_get_fd_by_id(const union bpf_attr *attr)
 {
-	if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID))
-		return -EINVAL;
-
    if (!capable(CAP_SYS_ADMIN))
    	return -EPERM;
@@ -4702,9 +4653,6 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
    struct file *file;
    int err;
-	if (CHECK_ATTR(BPF_TASK_FD_QUERY))
-		return -EINVAL;
-
    if (!capable(CAP_SYS_ADMIN))
    	return -EPERM;
@@ -4786,9 +4734,6 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
    int err, ufd;
    struct fd f;
-	if (CHECK_ATTR(BPF_MAP_BATCH))
-		return -EINVAL;
-
    ufd = attr->batch.map_fd;
    f = fdget(ufd);
    map = __bpf_map_get(f);
@@ -4827,9 +4772,6 @@ static int link_create(union bpf_attr *attr, bpfptr_t uattr)
    struct bpf_prog *prog;
    int ret;
-	if (CHECK_ATTR(BPF_LINK_CREATE))
-		return -EINVAL;
-
    if (attr->link_create.attach_type == BPF_STRUCT_OPS)
    	return bpf_struct_ops_link_create(attr);
@@ -4978,9 +4920,6 @@ static int link_update(union bpf_attr *attr)
    u32 flags;
    int ret;
-	if (CHECK_ATTR(BPF_LINK_UPDATE))
-		return -EINVAL;
-
    flags = attr->link_update.flags;
    if (flags & ~BPF_F_REPLACE)
    	return -EINVAL;
@@ -5034,9 +4973,6 @@ static int link_detach(union bpf_attr *attr)
    struct bpf_link *link;
    int ret;
-	if (CHECK_ATTR(BPF_LINK_DETACH))
-		return -EINVAL;
-
    link = bpf_link_get_from_fd(attr->link_detach.link_fd);
    if (IS_ERR(link))
    	return PTR_ERR(link);
@@ -5104,9 +5040,6 @@ static int bpf_link_get_fd_by_id(const union bpf_attr *attr)
    u32 id = attr->link_id;
    int fd;
-	if (CHECK_ATTR(BPF_LINK_GET_FD_BY_ID))
-		return -EINVAL;
-
    if (!capable(CAP_SYS_ADMIN))
    	return -EPERM;
@@ -5160,9 +5093,6 @@ static int bpf_enable_runtime_stats(void)
 static int bpf_enable_stats(union bpf_attr *attr)
 {
-	if (CHECK_ATTR(BPF_ENABLE_STATS))
-		return -EINVAL;
-
    if (!capable(CAP_SYS_ADMIN))
    	return -EPERM;
@@ -5182,9 +5112,6 @@ static int bpf_iter_create(union bpf_attr *attr)
    struct bpf_link *link;
    int err;
-	if (CHECK_ATTR(BPF_ITER_CREATE))
-		return -EINVAL;
-
    if (attr->iter_create.flags)
    	return -EINVAL;
@@ -5207,9 +5134,6 @@ static int bpf_prog_bind_map(union bpf_attr *attr)
    struct bpf_map **used_maps_old, **used_maps_new;
    int i, ret = 0;
-	if (CHECK_ATTR(BPF_PROG_BIND_MAP))
-		return -EINVAL;
-
    if (attr->prog_bind_map.flags)
    	return -EINVAL;
@@ -5391,6 +5315,75 @@ static int dispatch_bpf(int cmd, union bpf_attr *attr, bpfptr_t uattr,
    return err;
 }
+static int check_attr(int cmd, void *vattr)
+{
+	switch (cmd) {
+	case BPF_MAP_CREATE:
+		return CHECK_ATTR(BPF_MAP_CREATE);
+	case BPF_MAP_LOOKUP_ELEM:
+		return CHECK_ATTR(BPF_MAP_LOOKUP_ELEM);
+	case BPF_MAP_GET_NEXT_KEY:
+		return CHECK_ATTR(BPF_MAP_GET_NEXT_KEY);
+	case BPF_MAP_FREEZE:
+		return CHECK_ATTR(BPF_MAP_FREEZE);
+	case BPF_PROG_LOAD:
+		return CHECK_ATTR(BPF_PROG_LOAD);
+	case BPF_OBJ_PIN:
+		return CHECK_ATTR(BPF_OBJ);
+	case BPF_OBJ_GET:
+		return CHECK_ATTR(BPF_OBJ);
+	case BPF_PROG_ATTACH:
+		return CHECK_ATTR(BPF_PROG_ATTACH);
+	case BPF_PROG_DETACH:
+		return CHECK_ATTR(BPF_PROG_DETACH);
+	case BPF_PROG_QUERY:
+		return CHECK_ATTR(BPF_PROG_QUERY);
+	case BPF_PROG_TEST_RUN:
+		return CHECK_ATTR(BPF_PROG_TEST_RUN);
+	case BPF_PROG_GET_NEXT_ID:
+		return CHECK_ATTR(BPF_OBJ_GET_NEXT_ID);
+	case BPF_MAP_GET_NEXT_ID:
+		return CHECK_ATTR(BPF_OBJ_GET_NEXT_ID);
+	case BPF_BTF_GET_NEXT_ID:
+		return CHECK_ATTR(BPF_OBJ_GET_NEXT_ID);
+	case BPF_PROG_GET_FD_BY_ID:
+		return CHECK_ATTR(BPF_PROG_GET_FD_BY_ID);
+	case BPF_MAP_GET_FD_BY_ID:
+		return CHECK_ATTR(BPF_MAP_GET_FD_BY_ID);
+	case BPF_OBJ_GET_INFO_BY_FD:
+		return CHECK_ATTR(BPF_OBJ_GET_INFO_BY_FD);
+	case BPF_RAW_TRACEPOINT_OPEN:
+		return CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN);
+	case BPF_BTF_LOAD:
+		return CHECK_ATTR(BPF_BTF_LOAD);
+	case BPF_BTF_GET_FD_BY_ID:
+		return CHECK_ATTR(BPF_BTF_GET_FD_BY_ID);
+	case BPF_TASK_FD_QUERY:
+		return CHECK_ATTR(BPF_TASK_FD_QUERY);
+	case BPF_MAP_LOOKUP_AND_DELETE_ELEM:
+		return CHECK_ATTR(BPF_MAP_LOOKUP_AND_DELETE_ELEM);
+	case BPF_LINK_CREATE:
+		return CHECK_ATTR(BPF_LINK_CREATE);
+	case BPF_LINK_UPDATE:
+		return CHECK_ATTR(BPF_LINK_UPDATE);
+	case BPF_LINK_GET_FD_BY_ID:
+		return CHECK_ATTR(BPF_LINK_GET_FD_BY_ID);
+	case BPF_LINK_GET_NEXT_ID:
+		return CHECK_ATTR(BPF_OBJ_GET_NEXT_ID);
+	case BPF_ENABLE_STATS:
+		return CHECK_ATTR(BPF_ENABLE_STATS);
+	case BPF_ITER_CREATE:
+		return CHECK_ATTR(BPF_ITER_CREATE);
+	case BPF_LINK_DETACH:
+		return CHECK_ATTR(BPF_LINK_DETACH);
+	case BPF_PROG_BIND_MAP:
+		return CHECK_ATTR(BPF_PROG_BIND_MAP);
+	default:
+		return 0;
+	}
+
+}
+
 static void convert_compat_bpf_attr(union bpf_attr *dest,
    			    const union compat_bpf_attr *cattr, int cmd)
 {
@@ -5691,6 +5684,10 @@ static int copy_bpf_attr_from_user(union bpf_attr *attr, int cmd,
    if (copy_from_bpfptr(select_attr, uattr, *size) != 0)
    	return -EFAULT;
+	err = check_attr(cmd, select_attr);
+	if (err)
+		return -EINVAL;
+
    if (in_compat64_syscall())
    	convert_compat_bpf_attr(attr, &cattr, cmd);
-- 
2.34.1


    

2024

2023

2022

[linux-morello] [PATCH 08/12] bpf: compat64: support CHECK_ATTR macro