diff options
| author | Jakub Kicinski <jakub.kicinski@netronome.com> | 2019-03-21 17:34:36 -0400 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2019-03-21 22:57:02 -0400 |
| commit | 83d163124cf1104cca5b668d5fe6325715a60855 (patch) | |
| tree | 0efb88a71d45a495137c28f26eb94575bf28ff2c /tools | |
| parent | 0803278b0b4d8eeb2b461fb698785df65a725d9e (diff) | |
bpf: verifier: propagate liveness on all frames
Commit 7640ead93924 ("bpf: verifier: make sure callees don't prune
with caller differences") connected up parentage chains of all
frames of the stack. It didn't, however, ensure propagate_liveness()
propagates all liveness information along those chains.
This means pruning happening in the callee may generate explored
states with incomplete liveness for the chains in lower frames
of the stack.
The included selftest is similar to the prior one from commit
7640ead93924 ("bpf: verifier: make sure callees don't prune with
caller differences"), where callee would prune regardless of the
difference in r8 state.
Now we also initialize r9 to 0 or 1 based on a result from get_random().
r9 is never read so the walk with r9 = 0 gets pruned (correctly) after
the walk with r9 = 1 completes.
The selftest is so arranged that the pruning will happen in the
callee. Since callee does not propagate read marks of r8, the
explored state at the pruning point prior to the callee will
now ignore r8.
Propagate liveness on all frames of the stack when pruning.
Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/testing/selftests/bpf/verifier/calls.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c index 4004891afa9c..f2ccae39ee66 100644 --- a/tools/testing/selftests/bpf/verifier/calls.c +++ b/tools/testing/selftests/bpf/verifier/calls.c | |||
| @@ -1940,3 +1940,28 @@ | |||
| 1940 | .errstr = "!read_ok", | 1940 | .errstr = "!read_ok", |
| 1941 | .result = REJECT, | 1941 | .result = REJECT, |
| 1942 | }, | 1942 | }, |
| 1943 | { | ||
| 1944 | "calls: cross frame pruning - liveness propagation", | ||
| 1945 | .insns = { | ||
| 1946 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), | ||
| 1947 | BPF_MOV64_IMM(BPF_REG_8, 0), | ||
| 1948 | BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), | ||
| 1949 | BPF_MOV64_IMM(BPF_REG_8, 1), | ||
| 1950 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), | ||
| 1951 | BPF_MOV64_IMM(BPF_REG_9, 0), | ||
| 1952 | BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), | ||
| 1953 | BPF_MOV64_IMM(BPF_REG_9, 1), | ||
| 1954 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | ||
| 1955 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), | ||
| 1956 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1), | ||
| 1957 | BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0), | ||
| 1958 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 1959 | BPF_EXIT_INSN(), | ||
| 1960 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), | ||
| 1961 | BPF_EXIT_INSN(), | ||
| 1962 | }, | ||
| 1963 | .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, | ||
| 1964 | .errstr_unpriv = "function calls to other bpf functions are allowed for root only", | ||
| 1965 | .errstr = "!read_ok", | ||
| 1966 | .result = REJECT, | ||
| 1967 | }, | ||