bpf: enhance verifier to understand stack pointer arithmetic

[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ] llvm 4.0 and above generates the code like below: .... 440: (b7) r1 = 15 441: (05) goto pc+73 515: (79) r6 = *(u64 *)(r10 -152) 516: (bf) r7 = r10 517: (07) r7 += -112 518: (bf) r2 = r7 519: (0f) r2 += r1 520: (71) r1 = *(u8 *)(r8 +0) 521: (73) *(u8 *)(r2 +45) = r1 .... and the verifier complains "R2 invalid mem access 'inv'" for insn #521. This is because verifier marks register r2 as unknown value after #519 where r2 is a stack pointer and r1 holds a constant value. Teach verifier to recognize "stack_ptr + imm" and "stack_ptr + reg with const val" as valid stack_ptr with new offset. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Martin KaFai Lau <kafai@fb.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Yonghong Song <yhs@fb.com> 2017-04-30 01:52:42 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-14 08:00:20 -0400
commit: 7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (patch)
tree: 0ba7e16e8d344286ab284b4c4e5cc83a3c81e46f /kernel
parent: f3235cbd5be15aa084d5561c2eb8492ed68cd7e5 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7c9f94c53441..64fcab1d8cd9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1749,6 +1749,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                        return 0;
                } else if (opcode == BPF_ADD &&
                           BPF_CLASS(insn->code) == BPF_ALU64 &&
+                           dst_reg->type == PTR_TO_STACK &&
+                           ((BPF_SRC(insn->code) == BPF_X &&
+                             regs[insn->src_reg].type == CONST_IMM) ||
+                            BPF_SRC(insn->code) == BPF_K)) {
+                        if (BPF_SRC(insn->code) == BPF_X)
+                                dst_reg->imm += regs[insn->src_reg].imm;
+                        else
+                                dst_reg->imm += insn->imm;
+                        return 0;
+                } else if (opcode == BPF_ADD &&
+                           BPF_CLASS(insn->code) == BPF_ALU64 &&
                           (dst_reg->type == PTR_TO_PACKET ||
                            (BPF_SRC(insn->code) == BPF_X &&
                             regs[insn->src_reg].type == PTR_TO_PACKET))) {
author	Yonghong Song <yhs@fb.com>	2017-04-30 01:52:42 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-14 08:00:20 -0400
commit	7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (patch)
tree	0ba7e16e8d344286ab284b4c4e5cc83a3c81e46f /kernel
parent	f3235cbd5be15aa084d5561c2eb8492ed68cd7e5 (diff)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 7c9f94c53441..64fcab1d8cd9 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -1749,6 +1749,17 @@ static int check_alu_op(struct bpf_verifier_env env, struct bpf_insn insn)
1749	return 0;	1749	return 0;
1750	} else if (opcode == BPF_ADD &&	1750	} else if (opcode == BPF_ADD &&
1751	BPF_CLASS(insn->code) == BPF_ALU64 &&	1751	BPF_CLASS(insn->code) == BPF_ALU64 &&
		1752	dst_reg->type == PTR_TO_STACK &&
		1753	((BPF_SRC(insn->code) == BPF_X &&
		1754	regs[insn->src_reg].type == CONST_IMM) \|\|
		1755	BPF_SRC(insn->code) == BPF_K)) {
		1756	if (BPF_SRC(insn->code) == BPF_X)
		1757	dst_reg->imm += regs[insn->src_reg].imm;
		1758	else
		1759	dst_reg->imm += insn->imm;
		1760	return 0;
		1761	} else if (opcode == BPF_ADD &&
		1762	BPF_CLASS(insn->code) == BPF_ALU64 &&
1752	(dst_reg->type == PTR_TO_PACKET \|\|	1763	(dst_reg->type == PTR_TO_PACKET \|\|
1753	(BPF_SRC(insn->code) == BPF_X &&	1764	(BPF_SRC(insn->code) == BPF_X &&
1754	regs[insn->src_reg].type == PTR_TO_PACKET))) {	1765	regs[insn->src_reg].type == PTR_TO_PACKET))) {