CFI is currently disabled for the BPF dispatcher functions, as they may call JIT compiled code that's missing CFI type hashes. In addition, BPF trampolines can be indirect call targets as they're passed as callbacks to various functions, and also need type hashes.
My kcfi-bpf tree has a couple of patches that fix the most immediate issues with bpf_prog_run. This bug tracks the remaining BPF self-test failures.
cc @kees
1. Non-trampoline self-test failures
These are calls to JIT compiled code where we copied the type hash expected by the dispatcher functions (0xd9421881), but end up calling the code through a different function pointer type. All of these have the same expected type, so we either need to update the function pointer type to match the compiled code, or copy the correct expected hash for this use case.
bloom_filter_map
CFI failure at bpf_for_each_array_elem+0xb9/0x120 (target: bpf_prog_117fc3673c13bad9_check_elem+0x0/0x3a (ffffffffc03e5724); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_for_each_array_elem+0xb9/0x120 (target: bpf_prog_117fc3673c13bad9_check_elem+0x0/0x3a (ffffffffc03e581c); actual type: 0xd9421881 expected type: 0x9e4709a9)
bpf_loop
CFI failure at bpf_loop+0x52/0x80 (target: bpf_prog_5e5179f730b5b795_callback_set_0f+0x0/0x21 (ffffffffc02a7398); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_loop+0x52/0x80 (target: bpf_prog_a66ccf9f4d757605_callback_set_f0+0x0/0x21 (ffffffffc02a73d4); actual type: 0xd9421881 expected type: 0x9e4709a9)
for_each
CFI failure at bpf_for_each_array_elem+0xb9/0x120 (target: bpf_prog_676d914d1bb26241_check_percpu_elem+0x0/0x38 (ffffffffc01207bc); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_for_each_array_elem+0xb9/0x120 (target: bpf_prog_b2202cd0b4973039_check_array_elem+0x0/0x28 (ffffffffc0120734); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_for_each_hash_elem+0x115/0x230 (target: bpf_prog_50a1b9059cbc9496_check_percpu_elem+0x0/0xab (ffffffffc0120798); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_for_each_hash_elem+0x115/0x230 (target: bpf_prog_7fc2e973e2bf5c7b_check_hash_elem+0x0/0x52 (ffffffffc0120714); actual type: 0xd9421881 expected type: 0x9e4709a9)
find_vma
CFI failure at bpf_find_vma+0x12e/0x1c0 (target: bpf_prog_fff9894aa718cb1b_check_vma+0x0/0xe2 (ffffffffc032f758); actual type: 0xd9421881 expected type: 0x9e4709a9)
timer
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_2744b55e5d8ffdf0_timer_cb2+0x0/0x8a (ffffffffc00f888c); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_5c0ddeacf037bc85_timer_cb1+0x0/0xac (ffffffffc00f8798); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_6f60a99ff081f8e8_timer_cb2+0x0/0x200 (ffffffffc00f9538); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_90270e7bdfaa42fe_timer_cb1+0x0/0x19c (ffffffffc00f8814); actual type: 0xd9421881 expected type: 0x9e4709a9)
timer_mim
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_7dfac633df9affbf_timer_cb2+0x0/0x8a (ffffffffc03478a0); actual type: 0xd9421881 expected type: 0x9e4709a9)
CFI failure at bpf_timer_cb+0xb0/0x130 (target: bpf_prog_b0a62d3f5b61b298_timer_cb1+0x0/0xac (ffffffffc03477b8); actual type: 0xd9421881 expected type: 0x9e4709a9)
2. Trampoline self-test failures
These are BPF trampolines passed as callbacks to the TCP code. They currently don't have a type hash, or even space for a type hash in the trampoline buffer, which results in a mix of CFI failures and kernel panics when running the tests.
bpf_iter
CFI failure at tcp_ack+0x122f/0x14b0 (target: 0xffffffffc04cc061 (ffffffffc04cc061); actual type: 0xc3c95bf8 expected type: 0x512ae4fe)
CFI failure at tcp_ack+0x622/0x14b0 (target: 0xffffffffc04cc179 (ffffffffc04cc179); actual type: 0xc3c95bf8 expected type: 0x6442487a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc04c8237 (ffffffffc04c8237); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc04cc236 (ffffffffc04cc236); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_set_ca_state+0x67/0x120 (target: 0xffffffffc04c80c0 (ffffffffc04c80c0); actual type: 0xc3c95bf8 expected type: 0xd08a1102)
(Kernel panic before the test completes.)
bpf_iter_setsockopt
CFI failure at tcp_ack+0x122f/0x14b0 (target: 0xffffffffc04af061 (ffffffffc04af061); actual type: 0xc3c95bf8 expected type: 0x512ae4fe)
CFI failure at tcp_ack+0x622/0x14b0 (target: 0xffffffffc04af179 (ffffffffc04af179); actual type: 0xc3c95be3 expected type: 0x6442487a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc04ab237 (ffffffffc04ab237); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc04af236 (ffffffffc04af236); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_set_ca_state+0x67/0x120 (target: 0xffffffffc04ab0c0 (ffffffffc04ab0c0); actual type: 0xc3c95be3 expected type: 0xd08a1102)
bpf_tcp_ca
CFI failure at tcp_ack+0x122f/0x14b0 (target: 0xffffffffc02db061 (ffffffffc02db061); actual type: 0xc3c95bf8 expected type: 0x512ae4fe)
CFI failure at tcp_ack+0x122f/0x14b0 (target: 0xffffffffc02dd061 (ffffffffc02dd061); actual type: 0xc3c95bf8 expected type: 0x512ae4fe)
CFI failure at tcp_ack+0x3b2/0x14b0 (target: 0xffffffffc02dd179 (ffffffffc02dd179); actual type: 0xc3c95be3 expected type: 0x6442487a)
CFI failure at tcp_ack+0x622/0x14b0 (target: 0xffffffffc02dd179 (ffffffffc02dd179); actual type: 0xc3c95be3 expected type: 0x6442487a)
CFI failure at tcp_ack+0xfb4/0x14b0 (target: 0xffffffffc02db179 (ffffffffc02db179); actual type: 0xc3c95be3 expected type: 0xe7224ec2)
CFI failure at tcp_ecn_check_ce+0x140/0x160 (target: 0xffffffffc02dd11d (ffffffffc02dd11d); actual type: 0xc3c95be3 expected type: 0xac6e76cf)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc02db237 (ffffffffc02db237); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc02dd236 (ffffffffc02dd236); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_set_ca_state+0x67/0x120 (target: 0xffffffffc02db0c0 (ffffffffc02db0c0); actual type: 0xc3c95be3 expected type: 0xd08a1102)
CFI failure at tcp_set_ca_state+0x67/0x120 (target: 0xffffffffc02dd0c0 (ffffffffc02dd0c0); actual type: 0xc3c95be3 expected type: 0xd08a1102)
CFI failure at __tcp_transmit_skb+0x6e9/0xbd0 (target: 0xffffffffc02db11d (ffffffffc02db11d); actual type: 0xc3c95be3 expected type: 0xac6e76cf)
CFI failure at __tcp_transmit_skb+0x6e9/0xbd0 (target: 0xffffffffc02dd11d (ffffffffc02dd11d); actual type: 0xc3c95be3 expected type: 0xac6e76cf)
dummy_st_ops
(Kernel panic.)
sockopt
CFI failure at tcp_ack+0x122f/0x14b0 (target: 0xffffffffc039d061 (ffffffffc039d061); actual type: 0xc3c95bf8 expected type: 0x512ae4fe)
CFI failure at tcp_ack+0x622/0x14b0 (target: 0xffffffffc039d179 (ffffffffc039d179); actual type: 0xc3c95bee expected type: 0x6442487a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc0399237 (ffffffffc0399237); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_init_congestion_control+0x35/0xe0 (target: 0xffffffffc039d236 (ffffffffc039d236); actual type: 0xc3c95bf8 expected type: 0x72ab2a2a)
CFI failure at tcp_set_ca_state+0x67/0x120 (target: 0xffffffffc03990c0 (ffffffffc03990c0); actual type: 0xc3c95bee expected type: 0xd08a1102)
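A small model of the KCFI check behind both sections above, added here as an illustration and not code from the kcfi-bpf tree or the kernel: the preamble layout is simplified to a 32-bit hash directly before the entry point, the hash values are the ones quoted in the logs, and the stray word before the hash-less trampoline is constructed to match the "actual type" the tcp_* call sites reported.

```c
#include <stdint.h>
#include <string.h>
/* Type hashes quoted in the reports above. */
#define DISPATCHER_TYPE 0xd9421881u  /* hash the JIT copies into bpf_prog_* preambles */
#define CALLBACK_TYPE   0x9e4709a9u  /* hash the bpf_loop/bpf_for_each_* call sites expect */
/* Simplified model: a 32-bit type hash sits directly before the entry point (the
 * real x86 preamble embeds it in an instruction at a fixed negative offset). */
#define HASH_SIZE 4
#define BUF_SIZE  32
static uint32_t last_actual;  /* hash read at the last call site: the log's "actual type" */

/* Model of the JIT emitting a KCFI preamble followed by the program body. */
static void emit_jit_prog(uint8_t *buf, uint32_t type_hash)
{
    memset(buf, 0xcc, BUF_SIZE);         /* int3 filler stands in for code */
    memcpy(buf, &type_hash, HASH_SIZE);  /* preamble: the type hash */
}

/* Model of a trampoline with no hash and no room for one: the word before its entry
 * is whatever preceded it (constructed here as the stray value the tcp_* sites logged). */
static void emit_trampoline(uint8_t *buf)
{
    uint32_t leftover = 0xc3c95bf8u;
    memset(buf, 0xcc, BUF_SIZE);
    memcpy(buf, &leftover, HASH_SIZE);
}

/* What an instrumented indirect call site does: read the hash preceding the target,
 * compare it with the caller's pointer-type hash; 1 = call proceeds, 0 = CFI failure. */
static int kcfi_check(const uint8_t *target, uint32_t expected)
{
    memcpy(&last_actual, target - HASH_SIZE, HASH_SIZE);
    return last_actual == expected;
}

/* JIT a program carrying emitted_hash, then call it from a site expecting caller_expects. */
static int call_jit_prog(uint32_t emitted_hash, uint32_t caller_expects)
{
    uint8_t buf[BUF_SIZE];
    emit_jit_prog(buf, emitted_hash);
    return kcfi_check(buf + HASH_SIZE, caller_expects);
}

/* Call a hash-less trampoline from a TCP call site expecting caller_expects. */
static int call_trampoline(uint32_t caller_expects)
{
    uint8_t buf[BUF_SIZE];
    emit_trampoline(buf);
    return kcfi_check(buf + HASH_SIZE, caller_expects);
}
```

Calling the JIT'd program with the dispatcher's type passes, calling the same bytes through the callback pointer type fails with the section 1 pair of hashes, emitting the callback hash instead makes it pass, and the trampoline fails whatever the caller expects because the word it reads was never a hash.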