bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing #4819

Closed


kernel-patches-daemon-bpf-rc[bot]

Pull request for series with
subject: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=920022

@kernel-patches-daemon-bpf-rc

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=920022
version: 1

@kernel-patches-daemon-bpf-rc

Upstream branch: 9468f39
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=920022
version: 1

@kernel-patches-daemon-bpf-rc

Upstream branch: 654a338
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=920022
version: 1

@kernel-patches-daemon-bpf-rc

Upstream branch: dfa94ce
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=920022
version: 1

…le btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n.
In particular, the report is on tcp_congestion_ops that has
a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member,
it can be extended either by the regular kernel module or
by the bpf_struct_ops. bpf_try_module_get() will be used
to do the refcounting and different refcount is done
based on the owner pointer. When CONFIG_MODULES=n,
the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystems' struct_ops require the "struct module *owner" member,
e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if
the struct_ops has the "struct module *" member and the
"struct module" btf_id is missing. The btf_type_is_fwd() helper
is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone
through many changes. The Fixes tag is set to a recent commit that this
patch can apply cleanly. Considering CONFIG_MODULES=n is not
common and the age of the issue, targeting for bpf-next also.

Fixes: 1611603 ("bpf: Create argument information for nullable arguments.")
Reported-by: Robert Morris <[email protected]>
Closes: https://lore.kernel.org/bpf/74665.1733669976@localhost/
Signed-off-by: Martin KaFai Lau <[email protected]>
Tested-by: Eduard Zingerman <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
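
The registration rule the commit message above describes, as an added userspace sketch (not the kernel patch, which is not shown on this page). The toy type table, all function and variable names, and the `-EOPNOTSUPP` return code are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Toy stand-in for BTF records; every name in this file is hypothetical. */
enum kind { K_VOID, K_INT, K_PTR, K_STRUCT, K_FWD };
struct type { enum kind kind; const char *name; int target; /* K_PTR only */ };

/* Id of the full "struct module" definition, or 0 (void) when unresolved. */
static int module_btf_id(const struct type *t, int n)
{
    for (int i = 1; i < n; i++)
        if (t[i].kind == K_STRUCT && t[i].name && !strcmp(t[i].name, "module"))
            return i;
    return 0;
}

/* Member type is a pointer to "struct module", defined or forward-declared. */
static int is_module_ptr(const struct type *t, int id)
{
    if (t[id].kind != K_PTR)
        return 0;
    const struct type *p = &t[t[id].target];
    if (p->kind != K_STRUCT && p->kind != K_FWD)
        return 0;
    return p->name && !strcmp(p->name, "module");
}

/* 0 = may register; -EOPNOTSUPP (code chosen for this sketch) = rejected. */
int check_struct_ops(const struct type *t, int n, const int *members, int nm)
{
    int mod_id = module_btf_id(t, n);
    for (int i = 0; i < nm; i++)
        if (!mod_id && is_module_ptr(t, members[i]))
            return -EOPNOTSUPP;
    return 0;
}

/* Constructed type tables: id 2 is a definition vs. only a forward declaration. */
const struct type with_modules[] = {
    {K_VOID, NULL, 0}, {K_INT, "int", 0}, {K_STRUCT, "module", 0},
    {K_PTR, NULL, 2}, {K_PTR, NULL, 1} };
const struct type no_modules[] = {
    {K_VOID, NULL, 0}, {K_INT, "int", 0}, {K_FWD, "module", 0},
    {K_PTR, NULL, 2}, {K_PTR, NULL, 1} };
const int owner_ops[] = {4, 3};  /* has a "struct module *owner"-style member */
const int plain_ops[] = {1, 4};  /* no module pointer member */
```
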

@kernel-patches-daemon-bpf-rc

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=920022 irrelevant now. Closing PR.

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/920022=>bpf-next branch January 3, 2025 18:20