diff options
| author | Yonghong Song <yhs@fb.com> | 2017-12-18 13:13:44 -0500 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2017-12-18 19:43:29 -0500 |
| commit | 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c (patch) | |
| tree | c8fae1e963a0468ce1cf803b92bb95c54d2a9775 | |
| parent | c060bc6115b6a204cb60e6b03fe64135731bc6c8 (diff) | |
bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog
The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)
libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (61) r2 = *(u32 *)(r1 +4)
1: (b7) r0 = 0
2: (55) if r2 != 0x1 goto pc+8
R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
3: (69) r2 = *(u16 *)(r1 +0)
invalid bpf_context access off=0 size=2
...
The culprit is the following statement in dev_cgroup.c:
short type = ctx->access_type & 0xFFFF;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
struct bpf_cgroup_dev_ctx ctx = {
.access_type = (access << 16) | dev_type,
.major = major,
.minor = minor,
};
The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.
This patch permits the field access_type to be accessible
with type u16 and u8 as well.
Signed-off-by: Yonghong Song <yhs@fb.com>
Tested-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
| -rw-r--r-- | include/uapi/linux/bpf.h | 3 | ||||
| -rw-r--r-- | kernel/bpf/cgroup.c | 15 |
2 files changed, 15 insertions, 3 deletions
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index d01f1cb3cfc0..69eabfcb9bdb 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h | |||
| @@ -1012,7 +1012,8 @@ struct bpf_perf_event_value { | |||
| 1012 | #define BPF_DEVCG_DEV_CHAR (1ULL << 1) | 1012 | #define BPF_DEVCG_DEV_CHAR (1ULL << 1) |
| 1013 | 1013 | ||
| 1014 | struct bpf_cgroup_dev_ctx { | 1014 | struct bpf_cgroup_dev_ctx { |
| 1015 | __u32 access_type; /* (access << 16) | type */ | 1015 | /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */ |
| 1016 | __u32 access_type; | ||
| 1016 | __u32 major; | 1017 | __u32 major; |
| 1017 | __u32 minor; | 1018 | __u32 minor; |
| 1018 | }; | 1019 | }; |
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index b789ab78d28f..c1c0b60d3f2f 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c | |||
| @@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size, | |||
| 568 | enum bpf_access_type type, | 568 | enum bpf_access_type type, |
| 569 | struct bpf_insn_access_aux *info) | 569 | struct bpf_insn_access_aux *info) |
| 570 | { | 570 | { |
| 571 | const int size_default = sizeof(__u32); | ||
| 572 | |||
| 571 | if (type == BPF_WRITE) | 573 | if (type == BPF_WRITE) |
| 572 | return false; | 574 | return false; |
| 573 | 575 | ||
| @@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size, | |||
| 576 | /* The verifier guarantees that size > 0. */ | 578 | /* The verifier guarantees that size > 0. */ |
| 577 | if (off % size != 0) | 579 | if (off % size != 0) |
| 578 | return false; | 580 | return false; |
| 579 | if (size != sizeof(__u32)) | 581 | |
| 580 | return false; | 582 | switch (off) { |
| 583 | case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type): | ||
| 584 | bpf_ctx_record_field_size(info, size_default); | ||
| 585 | if (!bpf_ctx_narrow_access_ok(off, size, size_default)) | ||
| 586 | return false; | ||
| 587 | break; | ||
| 588 | default: | ||
| 589 | if (size != size_default) | ||
| 590 | return false; | ||
| 591 | } | ||
| 581 | 592 | ||
| 582 | return true; | 593 | return true; |
| 583 | } | 594 | } |