Re: [PATCH bpf] bpf: verifier: prevent userspace memory access

From: Ilya Leoshkevich
Date: Thu Mar 21 2024 - 04:46:10 EST


On Wed, Mar 20, 2024 at 11:08:00PM -0700, Alexei Starovoitov wrote:
> On Wed, Mar 20, 2024 at 3:55 AM Puranjay Mohan <puranjay12@xxxxxxxxx> wrote:
> >
> > The JITs need to implement bpf_arch_uaddress_limit() to define where
> > the userspace addresses end for that architecture or TASK_SIZE is taken
> > as default.
> >
> > The implementation is as follows:
> >
> > REG_AX = SRC_REG
> > if(offset)
> > REG_AX += offset;
> > REG_AX >>= 32;
> > if (REG_AX <= (uaddress_limit >> 32))
> > DST_REG = 0;
> > else
> > DST_REG = *(size *)(SRC_REG + offset);
>
> The patch looks good, but it seems to be causing s390 CI failures.
>
> Ilya,
> could you help us understand is this check needed on s390
> and if so, what should be the uaddress_limit ?

s390x does not define ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE.
Userspace and kernel run in completely different and isolated address
spaces, so it's not possible to determine from a pointer value whether
it's a user or a kernel pointer.
But the good news is that whatever you deference without using
special instruction sequences will refer to the kernel address space.
So I wonder if we could somehow disable this check on s390x altogether?
And if we are not sure whether it's a valid pointer, use BPF_PROBE_MEM
as always.