On Thu, Feb 13, 2025 at 9:03 AM Jiayuan Chen mrpre@163.com wrote:
On Thu, Feb 13, 2025 at 08:02:55AM -0800, Alexei Starovoitov wrote:
On Thu, Feb 13, 2025 at 5:13 AM Jiayuan Chen mrpre@163.com wrote:
may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size.
- If a BPF program is rewritten, re-evaluate the stack size. For non-JIT
cases, reject loading directly.
- For non-JIT cases, calculating interpreters[idx] may still cause
out-of-bounds array access, and just warn about it.
- For jit_requested cases, the execution of bpf_func also needs to be
warned. So Move the definition of function __bpf_prog_ret0_warn out of the macro definition CONFIG_BPF_JIT_ALWAYS_ON
[...]
EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384) EVAL4(PROG_NAME_LIST, 416, 448, 480, 512) };
+#define MAX_INTERPRETERS_CALLBACK (sizeof(interpreters) / sizeof(*interpreters))
There is ARRAY_SIZE macro.
Thanks, I will use it.
#undef PROG_NAME_LIST #define PROG_NAME_LIST(stack_size) PROG_NAME_ARGS(stack_size), static __maybe_unused @@ -2290,17 +2293,18 @@ void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth) insn->code = BPF_JMP | BPF_CALL_ARGS; } #endif -#else +#endif
static unsigned int __bpf_prog_ret0_warn(const void *ctx, const struct bpf_insn *insn) { /* If this handler ever gets executed, then BPF_JIT_ALWAYS_ON
* is not working properly, so warn about it!
* is not working properly, or interpreter is being used when* prog->jit_requested is not 0, so warn about it! */ WARN_ON_ONCE(1); return 0;} -#endif
bool bpf_prog_map_compatible(struct bpf_map *map, const struct bpf_prog *fp) @@ -2380,8 +2384,14 @@ static void bpf_prog_select_func(struct bpf_prog *fp) { #ifndef CONFIG_BPF_JIT_ALWAYS_ON u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1);
u32 idx = (round_up(stack_depth, 32) / 32) - 1;
fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1];
if (!fp->jit_requested) {I don't think above check is necessary. Why not just if (WARN_ON_ONCE(idx >= ARRAY_SIZE(interpreters))) fp->bpf_func = __bpf_prog_ret0_warn; else fp->bpf_func = interpreters[idx];
When jit_requested is set 1, the stack_depth can still go above 512, and we'd end up executing this function, where the index calculation would overflow, triggering an array out-of-bounds warning from USCAN or WAR().
Ok, then do: if (!fp->jit_requested && WARN_ON_ONCE(idx >= ARRAY_SIZE(interpreters)))
WARN_ON_ONCE(idx >= MAX_INTERPRETERS_CALLBACK);fp->bpf_func = interpreters[idx];
since warning and anyway proceeding to access the array out of bounds is just wrong.