RE: [PATCH bpf] bpf: verifier: prevent userspace memory access

From: David Laight
Date: Sun Mar 24 2024 - 16:05:37 EST


From: Alexei Starovoitov
> Sent: 21 March 2024 06:08
>
> On Wed, Mar 20, 2024 at 3:55 AM Puranjay Mohan <puranjay12@xxxxxxxxx> wrote:
> >
> > The JITs need to implement bpf_arch_uaddress_limit() to define where
> > the userspace addresses end for that architecture or TASK_SIZE is taken
> > as default.
> >
> > The implementation is as follows:
> >
> > REG_AX = SRC_REG
> > if(offset)
> > REG_AX += offset;
> > REG_AX >>= 32;
> > if (REG_AX <= (uaddress_limit >> 32))
> > DST_REG = 0;
> > else
> > DST_REG = *(size *)(SRC_REG + offset);
>
> The patch looks good, but it seems to be causing s390 CI failures.

I'm confused by the need for this check (and, IIRC, some other bpf
code that does kernel copies that can fault - and return an error).

I though that the entire point of bpf was that is sanitised and
verified everything to limit what the 'program' could do in order
to stop it overwriting (or even reading) kernel structures that
is wasn't supposed to access.

So it just shouldn't have a address that might be (in any way)
invalid.

The only possible address verify is access_ok() to ensure that
a uses address really is a user address.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)