aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYonghong Song <yhs@fb.com>2017-04-30 01:52:42 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-05-14 08:00:20 -0400
commit7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (patch)
tree0ba7e16e8d344286ab284b4c4e5cc83a3c81e46f
parentf3235cbd5be15aa084d5561c2eb8492ed68cd7e5 (diff)
bpf: enhance verifier to understand stack pointer arithmetic
[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ] llvm 4.0 and above generates the code like below: .... 440: (b7) r1 = 15 441: (05) goto pc+73 515: (79) r6 = *(u64 *)(r10 -152) 516: (bf) r7 = r10 517: (07) r7 += -112 518: (bf) r2 = r7 519: (0f) r2 += r1 520: (71) r1 = *(u8 *)(r8 +0) 521: (73) *(u8 *)(r2 +45) = r1 .... and the verifier complains "R2 invalid mem access 'inv'" for insn #521. This is because verifier marks register r2 as unknown value after #519 where r2 is a stack pointer and r1 holds a constant value. Teach verifier to recognize "stack_ptr + imm" and "stack_ptr + reg with const val" as valid stack_ptr with new offset. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Martin KaFai Lau <kafai@fb.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--kernel/bpf/verifier.c11
-rw-r--r--samples/bpf/test_verifier.c18
2 files changed, 23 insertions, 6 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7c9f94c53441..64fcab1d8cd9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1749,6 +1749,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1749 return 0; 1749 return 0;
1750 } else if (opcode == BPF_ADD && 1750 } else if (opcode == BPF_ADD &&
1751 BPF_CLASS(insn->code) == BPF_ALU64 && 1751 BPF_CLASS(insn->code) == BPF_ALU64 &&
1752 dst_reg->type == PTR_TO_STACK &&
1753 ((BPF_SRC(insn->code) == BPF_X &&
1754 regs[insn->src_reg].type == CONST_IMM) ||
1755 BPF_SRC(insn->code) == BPF_K)) {
1756 if (BPF_SRC(insn->code) == BPF_X)
1757 dst_reg->imm += regs[insn->src_reg].imm;
1758 else
1759 dst_reg->imm += insn->imm;
1760 return 0;
1761 } else if (opcode == BPF_ADD &&
1762 BPF_CLASS(insn->code) == BPF_ALU64 &&
1752 (dst_reg->type == PTR_TO_PACKET || 1763 (dst_reg->type == PTR_TO_PACKET ||
1753 (BPF_SRC(insn->code) == BPF_X && 1764 (BPF_SRC(insn->code) == BPF_X &&
1754 regs[insn->src_reg].type == PTR_TO_PACKET))) { 1765 regs[insn->src_reg].type == PTR_TO_PACKET))) {
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index 369ffaad3799..dc7dec9e64ba 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -1218,16 +1218,22 @@ static struct bpf_test tests[] = {
1218 .result = ACCEPT, 1218 .result = ACCEPT,
1219 }, 1219 },
1220 { 1220 {
1221 "unpriv: obfuscate stack pointer", 1221 "stack pointer arithmetic",
1222 .insns = { 1222 .insns = {
1223 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1223 BPF_MOV64_IMM(BPF_REG_1, 4),
1224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1224 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1225 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
1226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1229 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
1230 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
1233 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1226 BPF_MOV64_IMM(BPF_REG_0, 0), 1234 BPF_MOV64_IMM(BPF_REG_0, 0),
1227 BPF_EXIT_INSN(), 1235 BPF_EXIT_INSN(),
1228 }, 1236 },
1229 .errstr_unpriv = "R2 pointer arithmetic",
1230 .result_unpriv = REJECT,
1231 .result = ACCEPT, 1237 .result = ACCEPT,
1232 }, 1238 },
1233 { 1239 {
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-31 09:21:27 -0400