bpf: Fix an error around PTR_UNTRUSTED
Per discussion with Alexei, the PTR_UNTRUSTED flag should not been
cleared when we start to walk a new struct, because the struct in
question may be a struct nested in a union. We should also check and set
this flag before we walk its each member, in case itself is a union.
We will clear this flag if the field is BTF_TYPE_SAFE_RCU_OR_NULL.
Fixes: 6fcd486b3a
("bpf: Refactor RCU enforcement in the verifier.")
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Link: https://lore.kernel.org/r/20230713025642.27477-2-laoar.shao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
parent
f892cac237
commit
7ce4dc3e4a
|
@ -6133,7 +6133,6 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf,
|
|||
const char *tname, *mname, *tag_value;
|
||||
u32 vlen, elem_id, mid;
|
||||
|
||||
*flag = 0;
|
||||
again:
|
||||
if (btf_type_is_modifier(t))
|
||||
t = btf_type_skip_modifiers(btf, t->type, NULL);
|
||||
|
@ -6144,6 +6143,14 @@ again:
|
|||
}
|
||||
|
||||
vlen = btf_type_vlen(t);
|
||||
if (BTF_INFO_KIND(t->info) == BTF_KIND_UNION && vlen != 1 && !(*flag & PTR_UNTRUSTED))
|
||||
/*
|
||||
* walking unions yields untrusted pointers
|
||||
* with exception of __bpf_md_ptr and other
|
||||
* unions with a single member
|
||||
*/
|
||||
*flag |= PTR_UNTRUSTED;
|
||||
|
||||
if (off + size > t->size) {
|
||||
/* If the last element is a variable size array, we may
|
||||
* need to relax the rule.
|
||||
|
@ -6304,15 +6311,6 @@ error:
|
|||
* of this field or inside of this struct
|
||||
*/
|
||||
if (btf_type_is_struct(mtype)) {
|
||||
if (BTF_INFO_KIND(mtype->info) == BTF_KIND_UNION &&
|
||||
btf_type_vlen(mtype) != 1)
|
||||
/*
|
||||
* walking unions yields untrusted pointers
|
||||
* with exception of __bpf_md_ptr and other
|
||||
* unions with a single member
|
||||
*/
|
||||
*flag |= PTR_UNTRUSTED;
|
||||
|
||||
/* our field must be inside that union or struct */
|
||||
t = mtype;
|
||||
|
||||
|
@ -6478,7 +6476,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log,
|
|||
bool strict)
|
||||
{
|
||||
const struct btf_type *type;
|
||||
enum bpf_type_flag flag;
|
||||
enum bpf_type_flag flag = 0;
|
||||
int err;
|
||||
|
||||
/* Are we already done? */
|
||||
|
|
|
@ -6067,6 +6067,11 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env,
|
|||
type_is_rcu_or_null(env, reg, field_name, btf_id)) {
|
||||
/* __rcu tagged pointers can be NULL */
|
||||
flag |= MEM_RCU | PTR_MAYBE_NULL;
|
||||
|
||||
/* We always trust them */
|
||||
if (type_is_rcu_or_null(env, reg, field_name, btf_id) &&
|
||||
flag & PTR_UNTRUSTED)
|
||||
flag &= ~PTR_UNTRUSTED;
|
||||
} else if (flag & (MEM_PERCPU | MEM_USER)) {
|
||||
/* keep as-is */
|
||||
} else {
|
||||
|
|
Loading…
Reference in New Issue