Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog

The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)

  libbpf: load bpf program failed: Permission denied
  libbpf: -- BEGIN DUMP LOG ---
  libbpf:
  0: (61) r2 = *(u32 *)(r1 +4)
  1: (b7) r0 = 0
  2: (55) if r2 != 0x1 goto pc+8
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
  3: (69) r2 = *(u16 *)(r1 +0)
  invalid bpf_context access off=0 size=2
  ...

The culprit is the following statement in dev_cgroup.c:
  short type = ctx->access_type & 0xFFFF;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
  struct bpf_cgroup_dev_ctx ctx = {
        .access_type = (access << 16) | dev_type,
        .major = major,
        .minor = minor,
  };

The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.

This patch permits the field access_type to be accessible
with type u16 and u8 as well.

Signed-off-by: Yonghong Song <yhs@fb.com>
Tested-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Yonghong Song 7 years ago
parent
c060bc6115
commit
06ef0ccb5a
2 changed files with 15 additions and 3 deletions
Unified View Show Diff Stats
  1. 2 1
      include/uapi/linux/bpf.h
  2. 13 2
      kernel/bpf/cgroup.c

+ 2 - 1
include/uapi/linux/bpf.h
View File 

@@ -1012,7 +1012,8 @@ struct bpf_perf_event_value {
 
 #define BPF_DEVCG_DEV_CHAR	(1ULL << 1)
 
 #define BPF_DEVCG_DEV_CHAR	(1ULL << 1)
 
 
 
 struct bpf_cgroup_dev_ctx {
 
 struct bpf_cgroup_dev_ctx {
 
-	__u32 access_type; /* (access << 16) | type */
 
+	/* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
 
+	__u32 access_type;
 
 	__u32 major;
 
 	__u32 major;
 
 	__u32 minor;
 
 	__u32 minor;
 
 };
 
 };

+ 13 - 2
kernel/bpf/cgroup.c
View File 

@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
 
 				       enum bpf_access_type type,
 
 				       enum bpf_access_type type,
 
 				       struct bpf_insn_access_aux *info)
 
 				       struct bpf_insn_access_aux *info)
 
 {
 
 {
 
+	const int size_default = sizeof(__u32);
 
+
 
 	if (type == BPF_WRITE)
 
 	if (type == BPF_WRITE)
 
 		return false;
 
 		return false;
 
 
 
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
 
 	/* The verifier guarantees that size > 0. */
 
 	/* The verifier guarantees that size > 0. */
 
 	if (off % size != 0)
 
 	if (off % size != 0)
 
 		return false;
 
 		return false;
 
-	if (size != sizeof(__u32))
 
-		return false;
 
+
 
+	switch (off) {
 
+	case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
 
+		bpf_ctx_record_field_size(info, size_default);
 
+		if (!bpf_ctx_narrow_access_ok(off, size, size_default))
 
+			return false;
 
+		break;
 
+	default:
 
+		if (size != size_default)
 
+			return false;
 
+	}
 
 
 
 	return true;
 
 	return true;
 
 }
 
 }