diff options
| author | Yonghong Song <yhs@fb.com> | 2017-04-30 01:52:42 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-05-14 08:00:20 -0400 |
| commit | 7bca0a9702edfc8d0e7e46f984ca422ffdbe0498 (patch) | |
| tree | 0ba7e16e8d344286ab284b4c4e5cc83a3c81e46f /samples/bpf | |
| parent | f3235cbd5be15aa084d5561c2eb8492ed68cd7e5 (diff) | |
bpf: enhance verifier to understand stack pointer arithmetic
[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ]
llvm 4.0 and above generates the code like below:
....
440: (b7) r1 = 15
441: (05) goto pc+73
515: (79) r6 = *(u64 *)(r10 -152)
516: (bf) r7 = r10
517: (07) r7 += -112
518: (bf) r2 = r7
519: (0f) r2 += r1
520: (71) r1 = *(u8 *)(r8 +0)
521: (73) *(u8 *)(r2 +45) = r1
....
and the verifier complains "R2 invalid mem access 'inv'" for insn #521.
This is because verifier marks register r2 as unknown value after #519
where r2 is a stack pointer and r1 holds a constant value.
Teach verifier to recognize "stack_ptr + imm" and
"stack_ptr + reg with const val" as valid stack_ptr with new offset.
Signed-off-by: Yonghong Song <yhs@fb.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'samples/bpf')
| -rw-r--r-- | samples/bpf/test_verifier.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index 369ffaad3799..dc7dec9e64ba 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c | |||
| @@ -1218,16 +1218,22 @@ static struct bpf_test tests[] = { | |||
| 1218 | .result = ACCEPT, | 1218 | .result = ACCEPT, |
| 1219 | }, | 1219 | }, |
| 1220 | { | 1220 | { |
| 1221 | "unpriv: obfuscate stack pointer", | 1221 | "stack pointer arithmetic", |
| 1222 | .insns = { | 1222 | .insns = { |
| 1223 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | 1223 | BPF_MOV64_IMM(BPF_REG_1, 4), |
| 1224 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | 1224 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), |
| 1225 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | 1225 | BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), |
| 1226 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), | ||
| 1227 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), | ||
| 1228 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), | ||
| 1229 | BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), | ||
| 1230 | BPF_ST_MEM(0, BPF_REG_2, 4, 0), | ||
| 1231 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), | ||
| 1232 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), | ||
| 1233 | BPF_ST_MEM(0, BPF_REG_2, 4, 0), | ||
| 1226 | BPF_MOV64_IMM(BPF_REG_0, 0), | 1234 | BPF_MOV64_IMM(BPF_REG_0, 0), |
| 1227 | BPF_EXIT_INSN(), | 1235 | BPF_EXIT_INSN(), |
| 1228 | }, | 1236 | }, |
| 1229 | .errstr_unpriv = "R2 pointer arithmetic", | ||
| 1230 | .result_unpriv = REJECT, | ||
| 1231 | .result = ACCEPT, | 1237 | .result = ACCEPT, |
| 1232 | }, | 1238 | }, |
| 1233 | { | 1239 | { |