Merge branch 'restrict-bpf_probe_read'

Daniel Borkmann says: ==================== Small set of fixes in order to restrict BPF helpers for tracing which are broken on archs with overlapping address ranges as per discussion in [0]. I've targetted this for -bpf tree so they can be routed as fixes. Thanks! v1 -> v2: - switch to reusable %pks, %pus format specifiers (Yonghong) - fixate %s on kernel_ds probing for archs with overlapping addr space [0] https://lore.kernel.org/bpf/CAHk-=wjJKo0GVixYLmqPn-Q22WFu0xHaBSjKEo7e7Yw72y5SPQ@mail.gmail.com/T/ ==================== Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2020-05-15 08:10:36 -07:00 · 2020-05-15 08:10:36 -07:00 · 59df9f1fb4
--- a/Documentation/core-api/printk-formats.rst
+++ b/Documentation/core-api/printk-formats.rst
@ -112,6 +112,20 @@ used when printing stack backtraces. The specifier takes into
 consideration the effect of compiler optimisations which may occur
 when tail-calls are used and marked with the noreturn GCC attribute.
 Probed Pointers from BPF / tracing
 ----------------------------------
 ::
 	%pks	kernel string
 	%pus	user string
 The ``k`` and ``u`` specifiers are used for printing prior probed memory from
 either kernel memory (k) or user memory (u). The subsequent ``s`` specifier
 results in printing a string. For direct use in regular vsnprintf() the (k)
 and (u) annotation is ignored, however, when used out of BPF's bpf_trace_printk(),
 for example, it reads the memory it is pointing to without faulting.
 Kernel Pointers
 ---------------
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@ -12,6 +12,7 @@ config ARM
 	select ARCH_HAS_KEEPINITRD
 	select ARCH_HAS_KCOV
 	select ARCH_HAS_MEMBARRIER_SYNC_CORE
 	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	select ARCH_HAS_PTE_SPECIAL if ARM_LPAE
 	select ARCH_HAS_PHYS_TO_DMA
 	select ARCH_HAS_SETUP_DMA_OPS
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@ -20,6 +20,7 @@ config ARM64
 	select ARCH_HAS_KCOV
 	select ARCH_HAS_KEEPINITRD
 	select ARCH_HAS_MEMBARRIER_SYNC_CORE
 	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	select ARCH_HAS_PTE_DEVMAP
 	select ARCH_HAS_PTE_SPECIAL
 	select ARCH_HAS_SETUP_DMA_OPS
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@ -68,6 +68,7 @@ config X86
 	select ARCH_HAS_KCOV			if X86_64
 	select ARCH_HAS_MEM_ENCRYPT
 	select ARCH_HAS_MEMBARRIER_SYNC_CORE
 	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	select ARCH_HAS_PMEM_API		if X86_64
 	select ARCH_HAS_PTE_DEVMAP		if X86_64
 	select ARCH_HAS_PTE_SPECIAL
--- a/init/Kconfig
+++ b/init/Kconfig
@ -2279,6 +2279,9 @@ config ASN1
 source "kernel/Kconfig.locks"
 config ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	bool
 config ARCH_HAS_SYNC_CORE_BEFORE_USERMODE
 	bool
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@ -4340,7 +4340,9 @@ static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,
 	if (ret_type != RET_INTEGER ||
 	    (func_id != BPF_FUNC_get_stack &&
-	     func_id != BPF_FUNC_probe_read_str))
+	     func_id != BPF_FUNC_probe_read_str &&
 	     func_id != BPF_FUNC_probe_read_kernel_str &&
 	     func_id != BPF_FUNC_probe_read_user_str))
 		return;
 	ret_reg->smax_value = meta->msize_max_value;
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@ -323,17 +323,15 @@ static const struct bpf_func_proto *bpf_get_probe_write_proto(void)
 /*
 * Only limited trace_printk() conversion specifiers allowed:
- * %d %i %u %x %ld %li %lu %lx %lld %lli %llu %llx %p %s
+ * %d %i %u %x %ld %li %lu %lx %lld %lli %llu %llx %p %pks %pus %s
 */
 BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
 	   u64, arg2, u64, arg3)
 {
 	int i, mod[3] = {}, fmt_cnt = 0;
 	char buf[64], fmt_ptype;
 	void *unsafe_ptr = NULL;
 	bool str_seen = false;
 	int mod[3] = {};
 	int fmt_cnt = 0;
 	u64 unsafe_addr;
 	char buf[64];
 	int i;
 	/*
 	 * bpf_check()->check_func_arg()->check_stack_boundary()
@ -359,40 +357,71 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
 		if (fmt[i] == 'l') {
 			mod[fmt_cnt]++;
 			i++;
-		} else if (fmt[i] == 'p' || fmt[i] == 's') {
+		} else if (fmt[i] == 'p') {
 			mod[fmt_cnt]++;
 			if ((fmt[i + 1] == 'k' ||
 			     fmt[i + 1] == 'u') &&
 			    fmt[i + 2] == 's') {
 				fmt_ptype = fmt[i + 1];
 				i += 2;
 				goto fmt_str;
 			}
 			/* disallow any further format extensions */
 			if (fmt[i + 1] != 0 &&
 			    !isspace(fmt[i + 1]) &&
 			    !ispunct(fmt[i + 1]))
 				return -EINVAL;
-			fmt_cnt++;
+
-			if (fmt[i] == 's') {
+			goto fmt_next;
 		} else if (fmt[i] == 's') {
 			mod[fmt_cnt]++;
 			fmt_ptype = fmt[i];
 fmt_str:
 			if (str_seen)
 				/* allow only one '%s' per fmt string */
 				return -EINVAL;
 			str_seen = true;
 			if (fmt[i + 1] != 0 &&
 			    !isspace(fmt[i + 1]) &&
 			    !ispunct(fmt[i + 1]))
 				return -EINVAL;
 			switch (fmt_cnt) {
 			case 0:
 				unsafe_ptr = (void *)(long)arg1;
 				arg1 = (long)buf;
 				break;
 			case 1:
-					unsafe_addr = arg1;
+				unsafe_ptr = (void *)(long)arg2;
-					arg1 = (long) buf;
+				arg2 = (long)buf;
 				break;
 			case 2:
-					unsafe_addr = arg2;
+				unsafe_ptr = (void *)(long)arg3;
-					arg2 = (long) buf;
+				arg3 = (long)buf;
 					break;
 				case 3:
 					unsafe_addr = arg3;
 					arg3 = (long) buf;
 				break;
 			}
 			buf[0] = 0;
-				strncpy_from_unsafe(buf,
+			switch (fmt_ptype) {
-						    (void *) (long) unsafe_addr,
+			case 's':
 #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 				strncpy_from_unsafe(buf, unsafe_ptr,
 						    sizeof(buf));
 				break;
 #endif
 			case 'k':
 				strncpy_from_unsafe_strict(buf, unsafe_ptr,
 							   sizeof(buf));
 				break;
 			case 'u':
 				strncpy_from_unsafe_user(buf,
 					(__force void __user *)unsafe_ptr,
 							 sizeof(buf));
 				break;
 			}
-			continue;
+			goto fmt_next;
 		}
 		if (fmt[i] == 'l') {
@ -403,6 +432,7 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
 		if (fmt[i] != 'i' && fmt[i] != 'd' &&
 		    fmt[i] != 'u' && fmt[i] != 'x')
 			return -EINVAL;
 fmt_next:
 		fmt_cnt++;
 	}
@ -825,14 +855,16 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_probe_read_user_proto;
 	case BPF_FUNC_probe_read_kernel:
 		return &bpf_probe_read_kernel_proto;
 	case BPF_FUNC_probe_read:
 		return &bpf_probe_read_compat_proto;
 	case BPF_FUNC_probe_read_user_str:
 		return &bpf_probe_read_user_str_proto;
 	case BPF_FUNC_probe_read_kernel_str:
 		return &bpf_probe_read_kernel_str_proto;
 #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 	case BPF_FUNC_probe_read:
 		return &bpf_probe_read_compat_proto;
 	case BPF_FUNC_probe_read_str:
 		return &bpf_probe_read_compat_str_proto;
 #endif
 #ifdef CONFIG_CGROUPS
 	case BPF_FUNC_get_current_cgroup_id:
 		return &bpf_get_current_cgroup_id_proto;
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@ -2168,6 +2168,10 @@ char *fwnode_string(char *buf, char *end, struct fwnode_handle *fwnode,
 *		f full name
 *		P node name, including a possible unit address
 * - 'x' For printing the address. Equivalent to "%lx".
 * - '[ku]s' For a BPF/tracing related format specifier, e.g. used out of
 *           bpf_trace_printk() where [ku] prefix specifies either kernel (k)
 *           or user (u) memory to probe, and:
 *              s a string, equivalent to "%s" on direct vsnprintf() use
 *
 * ** When making changes please also update:
 *	Documentation/core-api/printk-formats.rst
@ -2251,6 +2255,14 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
 		if (!IS_ERR(ptr))
 			break;
 		return err_ptr(buf, end, ptr, spec);
 	case 'u':
 	case 'k':
 		switch (fmt[1]) {
 		case 's':
 			return string(buf, end, ptr, spec);
 		default:
 			return error_string(buf, end, "(einval)", spec);
 		}
 	}
 	/* default is to _not_ leak addresses, hash before printing */