bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog
authorYonghong Song <yhs@fb.com>
Mon, 18 Dec 2017 18:13:44 +0000 (10:13 -0800)
committerThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Mon, 26 Mar 2018 12:16:26 +0000 (09:16 -0300)
BugLink: http://bugs.launchpad.net/bugs/1758886
[ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ]

The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)

  libbpf: load bpf program failed: Permission denied
  libbpf: -- BEGIN DUMP LOG ---
  libbpf:
  0: (61) r2 = *(u32 *)(r1 +4)
  1: (b7) r0 = 0
  2: (55) if r2 != 0x1 goto pc+8
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
  3: (69) r2 = *(u16 *)(r1 +0)
  invalid bpf_context access off=0 size=2
  ...

The culprit is the following statement in dev_cgroup.c:
  short type = ctx->access_type & 0xFFFF;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
  struct bpf_cgroup_dev_ctx ctx = {
        .access_type = (access << 16) | dev_type,
        .major = major,
        .minor = minor,
  };

The compiler converts it to a u16 access, while
the verifier's cgroup_dev_is_valid_access rejects
any non-u32 access.

This patch permits the field access_type to be accessible
with type u16 and u8 as well.

Signed-off-by: Yonghong Song <yhs@fb.com>
Tested-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
include/uapi/linux/bpf.h
kernel/bpf/cgroup.c

index 4c223ab30293cd1e07248b960e213c7f22b778c5..04b2f613dd066e993a4e9c1792f6f2fc41e536ed 100644 (file)
@@ -995,7 +995,8 @@ struct bpf_perf_event_value {
 #define BPF_DEVCG_DEV_CHAR     (1ULL << 1)
 
 struct bpf_cgroup_dev_ctx {
-       __u32 access_type; /* (access << 16) | type */
+       /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
+       __u32 access_type;
        __u32 major;
        __u32 minor;
 };
index b789ab78d28f0d85d4d2338a49bc3c41f5eeae38..c1c0b60d3f2f2e0e5a695b578d8bd181163b96e8 100644 (file)
@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
                                       enum bpf_access_type type,
                                       struct bpf_insn_access_aux *info)
 {
+       const int size_default = sizeof(__u32);
+
        if (type == BPF_WRITE)
                return false;
 
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
        /* The verifier guarantees that size > 0. */
        if (off % size != 0)
                return false;
-       if (size != sizeof(__u32))
-               return false;
+
+       switch (off) {
+       case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
+               bpf_ctx_record_field_size(info, size_default);
+               if (!bpf_ctx_narrow_access_ok(off, size, size_default))
+                       return false;
+               break;
+       default:
+               if (size != size_default)
+                       return false;
+       }
 
        return true;
 }
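Review bot: The new `switch (off)` lets `access_type` be read as u8/u16 while `major` and `minor` still fall to the `default:` arm and need a full `__u32` load, but the function carries no comment stating that boundary; I would add one above the switch, e.g. `/* Only access_type may be read with a narrower load; major and minor must be read as full __u32. */`. Which sub-offsets inside the field are accepted is decided by `bpf_ctx_narrow_access_ok()`, whose body is not on this page, so any byte-order dependence presumably lives there and is worth confirming for big-endian builds. The lines between the two hunks of this function are not shown, and the narrow path depends on whatever range check they hold to keep `off + size` within `struct bpf_cgroup_dev_ctx`. As a style point, the `default:` arm ends without a `break;`, unlike the `case` above it.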