ebpf: Allow dereferences of PTR_TO_STACK registers

mov %rsp, %r1 ; r1 = rsp add $-8, %r1 ; r1 = rsp - 8 store_q $123, -8(%rsp) ; *(u64*)r1 = 123 <- valid store_q $123, (%r1) ; *(u64*)r1 = 123 <- previously invalid mov $0, %r0 exit ; Always need to exit And we'd get the following error: 0: (bf) r1 = r10 1: (07) r1 += -8 2: (7a) *(u64 *)(r10 -8) = 999 3: (7a) *(u64 *)(r1 +0) = 999 R1 invalid mem access 'fp' Unable to load program We already know that a register is a stack address and the appropriate offset, so we should be able to validate those references as well. Signed-off-by: Alex Gartrell <agartrell@fb.com> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alex Gartrell <agartrell@fb.com> 2015-07-23 17:24:40 -0400
committer: David S. Miller <davem@davemloft.net> 2015-07-27 03:54:10 -0400
commit: 24b4d2abd0bd628f396dada3e915d395cbf459eb (patch)
tree: ff4993b4c6f7c86b2f325d93d5c944446e5d5c61 /samples
parent: 6ecfdd28c8a6504349ca8501316b1ed3f639ce44 (diff)
1 files changed, 59 insertions, 0 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index 693605997abc..ee0f110c9c54 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -822,6 +822,65 @@ static struct bpf_test tests[] = {
                .result = ACCEPT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
+        {
+                "PTR_TO_STACK store/load",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+        },
+        {
+                "PTR_TO_STACK store/load - bad alignment on off",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "misaligned access off -6 size 8",
+        },
+        {
+                "PTR_TO_STACK store/load - bad alignment on reg",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "misaligned access off -2 size 8",
+        },
+        {
+                "PTR_TO_STACK store/load - out of bounds low",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off=-79992 size=8",
+        },
+        {
+                "PTR_TO_STACK store/load - out of bounds high",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off=0 size=8",
+        },
 };
 static int probe_filter_length(struct bpf_insn *fp)
author	Alex Gartrell <agartrell@fb.com>	2015-07-23 17:24:40 -0400
committer	David S. Miller <davem@davemloft.net>	2015-07-27 03:54:10 -0400
commit	24b4d2abd0bd628f396dada3e915d395cbf459eb (patch)
tree	ff4993b4c6f7c86b2f325d93d5c944446e5d5c61 /samples
parent	6ecfdd28c8a6504349ca8501316b1ed3f639ce44 (diff)

diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index 693605997abc..ee0f110c9c54 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c
@@ -822,6 +822,65 @@ static struct bpf_test tests[] = {
822	.result = ACCEPT,	822	.result = ACCEPT,
823	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	823	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
824	},	824	},
		825	{
		826	"PTR_TO_STACK store/load",
		827	.insns = {
		828	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
		829	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
		830	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
		831	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
		832	BPF_EXIT_INSN(),
		833	},
		834	.result = ACCEPT,
		835	},
		836	{
		837	"PTR_TO_STACK store/load - bad alignment on off",
		838	.insns = {
		839	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
		840	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
		841	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
		842	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
		843	BPF_EXIT_INSN(),
		844	},
		845	.result = REJECT,
		846	.errstr = "misaligned access off -6 size 8",
		847	},
		848	{
		849	"PTR_TO_STACK store/load - bad alignment on reg",
		850	.insns = {
		851	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
		852	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
		853	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
		854	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
		855	BPF_EXIT_INSN(),
		856	},
		857	.result = REJECT,
		858	.errstr = "misaligned access off -2 size 8",
		859	},
		860	{
		861	"PTR_TO_STACK store/load - out of bounds low",
		862	.insns = {
		863	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
		864	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
		865	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
		866	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
		867	BPF_EXIT_INSN(),
		868	},
		869	.result = REJECT,
		870	.errstr = "invalid stack off=-79992 size=8",
		871	},
		872	{
		873	"PTR_TO_STACK store/load - out of bounds high",
		874	.insns = {
		875	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
		876	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
		877	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
		878	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
		879	BPF_EXIT_INSN(),
		880	},
		881	.result = REJECT,
		882	.errstr = "invalid stack off=0 size=8",
		883	},
825	};	884	};
826		885
827	static int probe_filter_length(struct bpf_insn *fp)	886	static int probe_filter_length(struct bpf_insn *fp)