bpf: Disallow negative offset in check_ptr_off_reg
authorKumar Kartikeya Dwivedi <memxor@gmail.com>
Fri, 4 Mar 2022 22:46:40 +0000 (04:16 +0530)
committerAlexei Starovoitov <ast@kernel.org>
Sat, 5 Mar 2022 23:29:35 +0000 (15:29 -0800)
check_ptr_off_reg only allows fixed offset to be set for PTR_TO_BTF_ID,
where reg->off < 0 doesn't make sense. This would shift the pointer
backwards, and fails later in btf_struct_ids_match or btf_struct_walk
due to out of bounds access (since offset is interpreted as unsigned).

Improve the verifier by rejecting this case with a clearer error message
for BPF helpers and kfuncs, by adding a check inside the
check_func_arg_reg_off function.

Also, update existing verifier selftests to work with new error string.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220304224645.3677453-4-memxor@gmail.com
kernel/bpf/verifier.c
tools/testing/selftests/bpf/verifier/bounds_deduction.c
tools/testing/selftests/bpf/verifier/ctx.c

index e37eb60..455b4ab 100644 (file)
@@ -3990,6 +3990,12 @@ static int __check_ptr_off_reg(struct bpf_verifier_env *env,
         * is only allowed in its original, unmodified form.
         */
 
+       if (reg->off < 0) {
+               verbose(env, "negative offset %s ptr R%d off=%d disallowed\n",
+                       reg_type_str(env, reg->type), regno, reg->off);
+               return -EACCES;
+       }
+
        if (!fixed_off_ok && reg->off) {
                verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",
                        reg_type_str(env, reg->type), regno, reg->off);
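Review bot: The new `reg->off < 0` check at the top of the hunk has no comment explaining why a negative fixed offset is rejected even for callers that pass fixed_off_ok, while the surrounding comment only documents the unmodified-pointer rule. Suggest a comment above the check: `/* A negative fixed offset would point before the object, and later BTF walks treat off as unsigned, so reject it here with an explicit message. */`. The ordering also deserves a word, since placing this check before the `!fixed_off_ok && reg->off` test changes the message reported for negative ctx offsets, as the selftest hunks show; a line such as `/* Checked first so a negative off gets the more specific error. */` would make that intentional. __check_ptr_off_reg starts and ends outside the hunk.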
index 91869ae..3931c48 100644 (file)
                BPF_EXIT_INSN(),
        },
        .errstr_unpriv = "R1 has pointer with unsupported alu operation",
-       .errstr = "dereference of modified ctx ptr",
+       .errstr = "negative offset ctx ptr R1 off=-1 disallowed",
        .result = REJECT,
        .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
 },
index 60f6fbe..c8eaf05 100644 (file)
@@ -58,7 +58,7 @@
        },
        .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        .result = REJECT,
-       .errstr = "dereference of modified ctx ptr",
+       .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
 },
 {
        "pass modified ctx pointer to helper, 2",
@@ -71,8 +71,8 @@
        },
        .result_unpriv = REJECT,
        .result = REJECT,
-       .errstr_unpriv = "dereference of modified ctx ptr",
-       .errstr = "dereference of modified ctx ptr",
+       .errstr_unpriv = "negative offset ctx ptr R1 off=-612 disallowed",
+       .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
 },
 {
        "pass modified ctx pointer to helper, 3",
        .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
        .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
        .result = REJECT,
-       .errstr = "dereference of modified ctx ptr",
+       .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
 },
 {
        "pass ctx or null check, 5: null (connect)",