diff options
Diffstat (limited to 'kernel/bpf')
| -rw-r--r-- | kernel/bpf/verifier.c | 491 |
1 files changed, 259 insertions, 232 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e53458b02249..a352f93cd4b2 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c | |||
| @@ -153,20 +153,16 @@ struct bpf_call_arg_meta { | |||
| 153 | int access_size; | 153 | int access_size; |
| 154 | }; | 154 | }; |
| 155 | 155 | ||
| 156 | /* verbose verifier prints what it's seeing | ||
| 157 | * bpf_check() is called under lock, so no race to access these global vars | ||
| 158 | */ | ||
| 159 | static struct bpf_verifer_log verifier_log; | ||
| 160 | |||
| 161 | static DEFINE_MUTEX(bpf_verifier_lock); | 156 | static DEFINE_MUTEX(bpf_verifier_lock); |
| 162 | 157 | ||
| 163 | /* log_level controls verbosity level of eBPF verifier. | 158 | /* log_level controls verbosity level of eBPF verifier. |
| 164 | * verbose() is used to dump the verification trace to the log, so the user | 159 | * verbose() is used to dump the verification trace to the log, so the user |
| 165 | * can figure out what's wrong with the program | 160 | * can figure out what's wrong with the program |
| 166 | */ | 161 | */ |
| 167 | static __printf(1, 2) void verbose(const char *fmt, ...) | 162 | static __printf(2, 3) void verbose(struct bpf_verifier_env *env, |
| 163 | const char *fmt, ...) | ||
| 168 | { | 164 | { |
| 169 | struct bpf_verifer_log *log = &verifier_log; | 165 | struct bpf_verifer_log *log = &env->log; |
| 170 | va_list args; | 166 | va_list args; |
| 171 | 167 | ||
| 172 | if (!log->level || bpf_verifier_log_full(log)) | 168 | if (!log->level || bpf_verifier_log_full(log)) |
| @@ -214,7 +210,8 @@ static const char *func_id_name(int id) | |||
| 214 | return "unknown"; | 210 | return "unknown"; |
| 215 | } | 211 | } |
| 216 | 212 | ||
| 217 | static void print_verifier_state(struct bpf_verifier_state *state) | 213 | static void print_verifier_state(struct bpf_verifier_env *env, |
| 214 | struct bpf_verifier_state *state) | ||
| 218 | { | 215 | { |
| 219 | struct bpf_reg_state *reg; | 216 | struct bpf_reg_state *reg; |
| 220 | enum bpf_reg_type t; | 217 | enum bpf_reg_type t; |
| @@ -225,21 +222,21 @@ static void print_verifier_state(struct bpf_verifier_state *state) | |||
| 225 | t = reg->type; | 222 | t = reg->type; |
| 226 | if (t == NOT_INIT) | 223 | if (t == NOT_INIT) |
| 227 | continue; | 224 | continue; |
| 228 | verbose(" R%d=%s", i, reg_type_str[t]); | 225 | verbose(env, " R%d=%s", i, reg_type_str[t]); |
| 229 | if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && | 226 | if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && |
| 230 | tnum_is_const(reg->var_off)) { | 227 | tnum_is_const(reg->var_off)) { |
| 231 | /* reg->off should be 0 for SCALAR_VALUE */ | 228 | /* reg->off should be 0 for SCALAR_VALUE */ |
| 232 | verbose("%lld", reg->var_off.value + reg->off); | 229 | verbose(env, "%lld", reg->var_off.value + reg->off); |
| 233 | } else { | 230 | } else { |
| 234 | verbose("(id=%d", reg->id); | 231 | verbose(env, "(id=%d", reg->id); |
| 235 | if (t != SCALAR_VALUE) | 232 | if (t != SCALAR_VALUE) |
| 236 | verbose(",off=%d", reg->off); | 233 | verbose(env, ",off=%d", reg->off); |
| 237 | if (type_is_pkt_pointer(t)) | 234 | if (type_is_pkt_pointer(t)) |
| 238 | verbose(",r=%d", reg->range); | 235 | verbose(env, ",r=%d", reg->range); |
| 239 | else if (t == CONST_PTR_TO_MAP || | 236 | else if (t == CONST_PTR_TO_MAP || |
| 240 | t == PTR_TO_MAP_VALUE || | 237 | t == PTR_TO_MAP_VALUE || |
| 241 | t == PTR_TO_MAP_VALUE_OR_NULL) | 238 | t == PTR_TO_MAP_VALUE_OR_NULL) |
| 242 | verbose(",ks=%d,vs=%d", | 239 | verbose(env, ",ks=%d,vs=%d", |
| 243 | reg->map_ptr->key_size, | 240 | reg->map_ptr->key_size, |
| 244 | reg->map_ptr->value_size); | 241 | reg->map_ptr->value_size); |
| 245 | if (tnum_is_const(reg->var_off)) { | 242 | if (tnum_is_const(reg->var_off)) { |
| @@ -247,38 +244,38 @@ static void print_verifier_state(struct bpf_verifier_state *state) | |||
| 247 | * could be a pointer whose offset is too big | 244 | * could be a pointer whose offset is too big |
| 248 | * for reg->off | 245 | * for reg->off |
| 249 | */ | 246 | */ |
| 250 | verbose(",imm=%llx", reg->var_off.value); | 247 | verbose(env, ",imm=%llx", reg->var_off.value); |
| 251 | } else { | 248 | } else { |
| 252 | if (reg->smin_value != reg->umin_value && | 249 | if (reg->smin_value != reg->umin_value && |
| 253 | reg->smin_value != S64_MIN) | 250 | reg->smin_value != S64_MIN) |
| 254 | verbose(",smin_value=%lld", | 251 | verbose(env, ",smin_value=%lld", |
| 255 | (long long)reg->smin_value); | 252 | (long long)reg->smin_value); |
| 256 | if (reg->smax_value != reg->umax_value && | 253 | if (reg->smax_value != reg->umax_value && |
| 257 | reg->smax_value != S64_MAX) | 254 | reg->smax_value != S64_MAX) |
| 258 | verbose(",smax_value=%lld", | 255 | verbose(env, ",smax_value=%lld", |
| 259 | (long long)reg->smax_value); | 256 | (long long)reg->smax_value); |
| 260 | if (reg->umin_value != 0) | 257 | if (reg->umin_value != 0) |
| 261 | verbose(",umin_value=%llu", | 258 | verbose(env, ",umin_value=%llu", |
| 262 | (unsigned long long)reg->umin_value); | 259 | (unsigned long long)reg->umin_value); |
| 263 | if (reg->umax_value != U64_MAX) | 260 | if (reg->umax_value != U64_MAX) |
| 264 | verbose(",umax_value=%llu", | 261 | verbose(env, ",umax_value=%llu", |
| 265 | (unsigned long long)reg->umax_value); | 262 | (unsigned long long)reg->umax_value); |
| 266 | if (!tnum_is_unknown(reg->var_off)) { | 263 | if (!tnum_is_unknown(reg->var_off)) { |
| 267 | char tn_buf[48]; | 264 | char tn_buf[48]; |
| 268 | 265 | ||
| 269 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 266 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 270 | verbose(",var_off=%s", tn_buf); | 267 | verbose(env, ",var_off=%s", tn_buf); |
| 271 | } | 268 | } |
| 272 | } | 269 | } |
| 273 | verbose(")"); | 270 | verbose(env, ")"); |
| 274 | } | 271 | } |
| 275 | } | 272 | } |
| 276 | for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { | 273 | for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| 277 | if (state->stack_slot_type[i] == STACK_SPILL) | 274 | if (state->stack_slot_type[i] == STACK_SPILL) |
| 278 | verbose(" fp%d=%s", -MAX_BPF_STACK + i, | 275 | verbose(env, " fp%d=%s", -MAX_BPF_STACK + i, |
| 279 | reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]); | 276 | reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]); |
| 280 | } | 277 | } |
| 281 | verbose("\n"); | 278 | verbose(env, "\n"); |
| 282 | } | 279 | } |
| 283 | 280 | ||
| 284 | static const char *const bpf_class_string[] = { | 281 | static const char *const bpf_class_string[] = { |
| @@ -333,15 +330,15 @@ static const char *const bpf_jmp_string[16] = { | |||
| 333 | [BPF_EXIT >> 4] = "exit", | 330 | [BPF_EXIT >> 4] = "exit", |
| 334 | }; | 331 | }; |
| 335 | 332 | ||
| 336 | static void print_bpf_end_insn(const struct bpf_verifier_env *env, | 333 | static void print_bpf_end_insn(struct bpf_verifier_env *env, |
| 337 | const struct bpf_insn *insn) | 334 | const struct bpf_insn *insn) |
| 338 | { | 335 | { |
| 339 | verbose("(%02x) r%d = %s%d r%d\n", insn->code, insn->dst_reg, | 336 | verbose(env, "(%02x) r%d = %s%d r%d\n", insn->code, insn->dst_reg, |
| 340 | BPF_SRC(insn->code) == BPF_TO_BE ? "be" : "le", | 337 | BPF_SRC(insn->code) == BPF_TO_BE ? "be" : "le", |
| 341 | insn->imm, insn->dst_reg); | 338 | insn->imm, insn->dst_reg); |
| 342 | } | 339 | } |
| 343 | 340 | ||
| 344 | static void print_bpf_insn(const struct bpf_verifier_env *env, | 341 | static void print_bpf_insn(struct bpf_verifier_env *env, |
| 345 | const struct bpf_insn *insn) | 342 | const struct bpf_insn *insn) |
| 346 | { | 343 | { |
| 347 | u8 class = BPF_CLASS(insn->code); | 344 | u8 class = BPF_CLASS(insn->code); |
| @@ -349,23 +346,23 @@ static void print_bpf_insn(const struct bpf_verifier_env *env, | |||
| 349 | if (class == BPF_ALU || class == BPF_ALU64) { | 346 | if (class == BPF_ALU || class == BPF_ALU64) { |
| 350 | if (BPF_OP(insn->code) == BPF_END) { | 347 | if (BPF_OP(insn->code) == BPF_END) { |
| 351 | if (class == BPF_ALU64) | 348 | if (class == BPF_ALU64) |
| 352 | verbose("BUG_alu64_%02x\n", insn->code); | 349 | verbose(env, "BUG_alu64_%02x\n", insn->code); |
| 353 | else | 350 | else |
| 354 | print_bpf_end_insn(env, insn); | 351 | print_bpf_end_insn(env, insn); |
| 355 | } else if (BPF_OP(insn->code) == BPF_NEG) { | 352 | } else if (BPF_OP(insn->code) == BPF_NEG) { |
| 356 | verbose("(%02x) r%d = %s-r%d\n", | 353 | verbose(env, "(%02x) r%d = %s-r%d\n", |
| 357 | insn->code, insn->dst_reg, | 354 | insn->code, insn->dst_reg, |
| 358 | class == BPF_ALU ? "(u32) " : "", | 355 | class == BPF_ALU ? "(u32) " : "", |
| 359 | insn->dst_reg); | 356 | insn->dst_reg); |
| 360 | } else if (BPF_SRC(insn->code) == BPF_X) { | 357 | } else if (BPF_SRC(insn->code) == BPF_X) { |
| 361 | verbose("(%02x) %sr%d %s %sr%d\n", | 358 | verbose(env, "(%02x) %sr%d %s %sr%d\n", |
| 362 | insn->code, class == BPF_ALU ? "(u32) " : "", | 359 | insn->code, class == BPF_ALU ? "(u32) " : "", |
| 363 | insn->dst_reg, | 360 | insn->dst_reg, |
| 364 | bpf_alu_string[BPF_OP(insn->code) >> 4], | 361 | bpf_alu_string[BPF_OP(insn->code) >> 4], |
| 365 | class == BPF_ALU ? "(u32) " : "", | 362 | class == BPF_ALU ? "(u32) " : "", |
| 366 | insn->src_reg); | 363 | insn->src_reg); |
| 367 | } else { | 364 | } else { |
| 368 | verbose("(%02x) %sr%d %s %s%d\n", | 365 | verbose(env, "(%02x) %sr%d %s %s%d\n", |
| 369 | insn->code, class == BPF_ALU ? "(u32) " : "", | 366 | insn->code, class == BPF_ALU ? "(u32) " : "", |
| 370 | insn->dst_reg, | 367 | insn->dst_reg, |
| 371 | bpf_alu_string[BPF_OP(insn->code) >> 4], | 368 | bpf_alu_string[BPF_OP(insn->code) >> 4], |
| @@ -374,46 +371,46 @@ static void print_bpf_insn(const struct bpf_verifier_env *env, | |||
| 374 | } | 371 | } |
| 375 | } else if (class == BPF_STX) { | 372 | } else if (class == BPF_STX) { |
| 376 | if (BPF_MODE(insn->code) == BPF_MEM) | 373 | if (BPF_MODE(insn->code) == BPF_MEM) |
| 377 | verbose("(%02x) *(%s *)(r%d %+d) = r%d\n", | 374 | verbose(env, "(%02x) *(%s *)(r%d %+d) = r%d\n", |
| 378 | insn->code, | 375 | insn->code, |
| 379 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 376 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 380 | insn->dst_reg, | 377 | insn->dst_reg, |
| 381 | insn->off, insn->src_reg); | 378 | insn->off, insn->src_reg); |
| 382 | else if (BPF_MODE(insn->code) == BPF_XADD) | 379 | else if (BPF_MODE(insn->code) == BPF_XADD) |
| 383 | verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n", | 380 | verbose(env, "(%02x) lock *(%s *)(r%d %+d) += r%d\n", |
| 384 | insn->code, | 381 | insn->code, |
| 385 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 382 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 386 | insn->dst_reg, insn->off, | 383 | insn->dst_reg, insn->off, |
| 387 | insn->src_reg); | 384 | insn->src_reg); |
| 388 | else | 385 | else |
| 389 | verbose("BUG_%02x\n", insn->code); | 386 | verbose(env, "BUG_%02x\n", insn->code); |
| 390 | } else if (class == BPF_ST) { | 387 | } else if (class == BPF_ST) { |
| 391 | if (BPF_MODE(insn->code) != BPF_MEM) { | 388 | if (BPF_MODE(insn->code) != BPF_MEM) { |
| 392 | verbose("BUG_st_%02x\n", insn->code); | 389 | verbose(env, "BUG_st_%02x\n", insn->code); |
| 393 | return; | 390 | return; |
| 394 | } | 391 | } |
| 395 | verbose("(%02x) *(%s *)(r%d %+d) = %d\n", | 392 | verbose(env, "(%02x) *(%s *)(r%d %+d) = %d\n", |
| 396 | insn->code, | 393 | insn->code, |
| 397 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 394 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 398 | insn->dst_reg, | 395 | insn->dst_reg, |
| 399 | insn->off, insn->imm); | 396 | insn->off, insn->imm); |
| 400 | } else if (class == BPF_LDX) { | 397 | } else if (class == BPF_LDX) { |
| 401 | if (BPF_MODE(insn->code) != BPF_MEM) { | 398 | if (BPF_MODE(insn->code) != BPF_MEM) { |
| 402 | verbose("BUG_ldx_%02x\n", insn->code); | 399 | verbose(env, "BUG_ldx_%02x\n", insn->code); |
| 403 | return; | 400 | return; |
| 404 | } | 401 | } |
| 405 | verbose("(%02x) r%d = *(%s *)(r%d %+d)\n", | 402 | verbose(env, "(%02x) r%d = *(%s *)(r%d %+d)\n", |
| 406 | insn->code, insn->dst_reg, | 403 | insn->code, insn->dst_reg, |
| 407 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 404 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 408 | insn->src_reg, insn->off); | 405 | insn->src_reg, insn->off); |
| 409 | } else if (class == BPF_LD) { | 406 | } else if (class == BPF_LD) { |
| 410 | if (BPF_MODE(insn->code) == BPF_ABS) { | 407 | if (BPF_MODE(insn->code) == BPF_ABS) { |
| 411 | verbose("(%02x) r0 = *(%s *)skb[%d]\n", | 408 | verbose(env, "(%02x) r0 = *(%s *)skb[%d]\n", |
| 412 | insn->code, | 409 | insn->code, |
| 413 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 410 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 414 | insn->imm); | 411 | insn->imm); |
| 415 | } else if (BPF_MODE(insn->code) == BPF_IND) { | 412 | } else if (BPF_MODE(insn->code) == BPF_IND) { |
| 416 | verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n", | 413 | verbose(env, "(%02x) r0 = *(%s *)skb[r%d + %d]\n", |
| 417 | insn->code, | 414 | insn->code, |
| 418 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], | 415 | bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| 419 | insn->src_reg, insn->imm); | 416 | insn->src_reg, insn->imm); |
| @@ -428,36 +425,37 @@ static void print_bpf_insn(const struct bpf_verifier_env *env, | |||
| 428 | if (map_ptr && !env->allow_ptr_leaks) | 425 | if (map_ptr && !env->allow_ptr_leaks) |
| 429 | imm = 0; | 426 | imm = 0; |
| 430 | 427 | ||
| 431 | verbose("(%02x) r%d = 0x%llx\n", insn->code, | 428 | verbose(env, "(%02x) r%d = 0x%llx\n", insn->code, |
| 432 | insn->dst_reg, (unsigned long long)imm); | 429 | insn->dst_reg, (unsigned long long)imm); |
| 433 | } else { | 430 | } else { |
| 434 | verbose("BUG_ld_%02x\n", insn->code); | 431 | verbose(env, "BUG_ld_%02x\n", insn->code); |
| 435 | return; | 432 | return; |
| 436 | } | 433 | } |
| 437 | } else if (class == BPF_JMP) { | 434 | } else if (class == BPF_JMP) { |
| 438 | u8 opcode = BPF_OP(insn->code); | 435 | u8 opcode = BPF_OP(insn->code); |
| 439 | 436 | ||
| 440 | if (opcode == BPF_CALL) { | 437 | if (opcode == BPF_CALL) { |
| 441 | verbose("(%02x) call %s#%d\n", insn->code, | 438 | verbose(env, "(%02x) call %s#%d\n", insn->code, |
| 442 | func_id_name(insn->imm), insn->imm); | 439 | func_id_name(insn->imm), insn->imm); |
| 443 | } else if (insn->code == (BPF_JMP | BPF_JA)) { | 440 | } else if (insn->code == (BPF_JMP | BPF_JA)) { |
| 444 | verbose("(%02x) goto pc%+d\n", | 441 | verbose(env, "(%02x) goto pc%+d\n", |
| 445 | insn->code, insn->off); | 442 | insn->code, insn->off); |
| 446 | } else if (insn->code == (BPF_JMP | BPF_EXIT)) { | 443 | } else if (insn->code == (BPF_JMP | BPF_EXIT)) { |
| 447 | verbose("(%02x) exit\n", insn->code); | 444 | verbose(env, "(%02x) exit\n", insn->code); |
| 448 | } else if (BPF_SRC(insn->code) == BPF_X) { | 445 | } else if (BPF_SRC(insn->code) == BPF_X) { |
| 449 | verbose("(%02x) if r%d %s r%d goto pc%+d\n", | 446 | verbose(env, "(%02x) if r%d %s r%d goto pc%+d\n", |
| 450 | insn->code, insn->dst_reg, | 447 | insn->code, insn->dst_reg, |
| 451 | bpf_jmp_string[BPF_OP(insn->code) >> 4], | 448 | bpf_jmp_string[BPF_OP(insn->code) >> 4], |
| 452 | insn->src_reg, insn->off); | 449 | insn->src_reg, insn->off); |
| 453 | } else { | 450 | } else { |
| 454 | verbose("(%02x) if r%d %s 0x%x goto pc%+d\n", | 451 | verbose(env, "(%02x) if r%d %s 0x%x goto pc%+d\n", |
| 455 | insn->code, insn->dst_reg, | 452 | insn->code, insn->dst_reg, |
| 456 | bpf_jmp_string[BPF_OP(insn->code) >> 4], | 453 | bpf_jmp_string[BPF_OP(insn->code) >> 4], |
| 457 | insn->imm, insn->off); | 454 | insn->imm, insn->off); |
| 458 | } | 455 | } |
| 459 | } else { | 456 | } else { |
| 460 | verbose("(%02x) %s\n", insn->code, bpf_class_string[class]); | 457 | verbose(env, "(%02x) %s\n", |
| 458 | insn->code, bpf_class_string[class]); | ||
| 461 | } | 459 | } |
| 462 | } | 460 | } |
| 463 | 461 | ||
| @@ -496,7 +494,7 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, | |||
| 496 | env->head = elem; | 494 | env->head = elem; |
| 497 | env->stack_size++; | 495 | env->stack_size++; |
| 498 | if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { | 496 | if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
| 499 | verbose("BPF program is too complex\n"); | 497 | verbose(env, "BPF program is too complex\n"); |
| 500 | goto err; | 498 | goto err; |
| 501 | } | 499 | } |
| 502 | return &elem->st; | 500 | return &elem->st; |
| @@ -534,10 +532,11 @@ static void __mark_reg_known_zero(struct bpf_reg_state *reg) | |||
| 534 | __mark_reg_known(reg, 0); | 532 | __mark_reg_known(reg, 0); |
| 535 | } | 533 | } |
| 536 | 534 | ||
| 537 | static void mark_reg_known_zero(struct bpf_reg_state *regs, u32 regno) | 535 | static void mark_reg_known_zero(struct bpf_verifier_env *env, |
| 536 | struct bpf_reg_state *regs, u32 regno) | ||
| 538 | { | 537 | { |
| 539 | if (WARN_ON(regno >= MAX_BPF_REG)) { | 538 | if (WARN_ON(regno >= MAX_BPF_REG)) { |
| 540 | verbose("mark_reg_known_zero(regs, %u)\n", regno); | 539 | verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); |
| 541 | /* Something bad happened, let's kill all regs */ | 540 | /* Something bad happened, let's kill all regs */ |
| 542 | for (regno = 0; regno < MAX_BPF_REG; regno++) | 541 | for (regno = 0; regno < MAX_BPF_REG; regno++) |
| 543 | __mark_reg_not_init(regs + regno); | 542 | __mark_reg_not_init(regs + regno); |
| @@ -647,10 +646,11 @@ static void __mark_reg_unknown(struct bpf_reg_state *reg) | |||
| 647 | __mark_reg_unbounded(reg); | 646 | __mark_reg_unbounded(reg); |
| 648 | } | 647 | } |
| 649 | 648 | ||
| 650 | static void mark_reg_unknown(struct bpf_reg_state *regs, u32 regno) | 649 | static void mark_reg_unknown(struct bpf_verifier_env *env, |
| 650 | struct bpf_reg_state *regs, u32 regno) | ||
| 651 | { | 651 | { |
| 652 | if (WARN_ON(regno >= MAX_BPF_REG)) { | 652 | if (WARN_ON(regno >= MAX_BPF_REG)) { |
| 653 | verbose("mark_reg_unknown(regs, %u)\n", regno); | 653 | verbose(env, "mark_reg_unknown(regs, %u)\n", regno); |
| 654 | /* Something bad happened, let's kill all regs */ | 654 | /* Something bad happened, let's kill all regs */ |
| 655 | for (regno = 0; regno < MAX_BPF_REG; regno++) | 655 | for (regno = 0; regno < MAX_BPF_REG; regno++) |
| 656 | __mark_reg_not_init(regs + regno); | 656 | __mark_reg_not_init(regs + regno); |
| @@ -665,10 +665,11 @@ static void __mark_reg_not_init(struct bpf_reg_state *reg) | |||
| 665 | reg->type = NOT_INIT; | 665 | reg->type = NOT_INIT; |
| 666 | } | 666 | } |
| 667 | 667 | ||
| 668 | static void mark_reg_not_init(struct bpf_reg_state *regs, u32 regno) | 668 | static void mark_reg_not_init(struct bpf_verifier_env *env, |
| 669 | struct bpf_reg_state *regs, u32 regno) | ||
| 669 | { | 670 | { |
| 670 | if (WARN_ON(regno >= MAX_BPF_REG)) { | 671 | if (WARN_ON(regno >= MAX_BPF_REG)) { |
| 671 | verbose("mark_reg_not_init(regs, %u)\n", regno); | 672 | verbose(env, "mark_reg_not_init(regs, %u)\n", regno); |
| 672 | /* Something bad happened, let's kill all regs */ | 673 | /* Something bad happened, let's kill all regs */ |
| 673 | for (regno = 0; regno < MAX_BPF_REG; regno++) | 674 | for (regno = 0; regno < MAX_BPF_REG; regno++) |
| 674 | __mark_reg_not_init(regs + regno); | 675 | __mark_reg_not_init(regs + regno); |
| @@ -677,22 +678,23 @@ static void mark_reg_not_init(struct bpf_reg_state *regs, u32 regno) | |||
| 677 | __mark_reg_not_init(regs + regno); | 678 | __mark_reg_not_init(regs + regno); |
| 678 | } | 679 | } |
| 679 | 680 | ||
| 680 | static void init_reg_state(struct bpf_reg_state *regs) | 681 | static void init_reg_state(struct bpf_verifier_env *env, |
| 682 | struct bpf_reg_state *regs) | ||
| 681 | { | 683 | { |
| 682 | int i; | 684 | int i; |
| 683 | 685 | ||
| 684 | for (i = 0; i < MAX_BPF_REG; i++) { | 686 | for (i = 0; i < MAX_BPF_REG; i++) { |
| 685 | mark_reg_not_init(regs, i); | 687 | mark_reg_not_init(env, regs, i); |
| 686 | regs[i].live = REG_LIVE_NONE; | 688 | regs[i].live = REG_LIVE_NONE; |
| 687 | } | 689 | } |
| 688 | 690 | ||
| 689 | /* frame pointer */ | 691 | /* frame pointer */ |
| 690 | regs[BPF_REG_FP].type = PTR_TO_STACK; | 692 | regs[BPF_REG_FP].type = PTR_TO_STACK; |
| 691 | mark_reg_known_zero(regs, BPF_REG_FP); | 693 | mark_reg_known_zero(env, regs, BPF_REG_FP); |
| 692 | 694 | ||
| 693 | /* 1st arg to a function */ | 695 | /* 1st arg to a function */ |
| 694 | regs[BPF_REG_1].type = PTR_TO_CTX; | 696 | regs[BPF_REG_1].type = PTR_TO_CTX; |
| 695 | mark_reg_known_zero(regs, BPF_REG_1); | 697 | mark_reg_known_zero(env, regs, BPF_REG_1); |
| 696 | } | 698 | } |
| 697 | 699 | ||
| 698 | enum reg_arg_type { | 700 | enum reg_arg_type { |
| @@ -726,26 +728,26 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 726 | struct bpf_reg_state *regs = env->cur_state.regs; | 728 | struct bpf_reg_state *regs = env->cur_state.regs; |
| 727 | 729 | ||
| 728 | if (regno >= MAX_BPF_REG) { | 730 | if (regno >= MAX_BPF_REG) { |
| 729 | verbose("R%d is invalid\n", regno); | 731 | verbose(env, "R%d is invalid\n", regno); |
| 730 | return -EINVAL; | 732 | return -EINVAL; |
| 731 | } | 733 | } |
| 732 | 734 | ||
| 733 | if (t == SRC_OP) { | 735 | if (t == SRC_OP) { |
| 734 | /* check whether register used as source operand can be read */ | 736 | /* check whether register used as source operand can be read */ |
| 735 | if (regs[regno].type == NOT_INIT) { | 737 | if (regs[regno].type == NOT_INIT) { |
| 736 | verbose("R%d !read_ok\n", regno); | 738 | verbose(env, "R%d !read_ok\n", regno); |
| 737 | return -EACCES; | 739 | return -EACCES; |
| 738 | } | 740 | } |
| 739 | mark_reg_read(&env->cur_state, regno); | 741 | mark_reg_read(&env->cur_state, regno); |
| 740 | } else { | 742 | } else { |
| 741 | /* check whether register used as dest operand can be written to */ | 743 | /* check whether register used as dest operand can be written to */ |
| 742 | if (regno == BPF_REG_FP) { | 744 | if (regno == BPF_REG_FP) { |
| 743 | verbose("frame pointer is read only\n"); | 745 | verbose(env, "frame pointer is read only\n"); |
| 744 | return -EACCES; | 746 | return -EACCES; |
| 745 | } | 747 | } |
| 746 | regs[regno].live |= REG_LIVE_WRITTEN; | 748 | regs[regno].live |= REG_LIVE_WRITTEN; |
| 747 | if (t == DST_OP) | 749 | if (t == DST_OP) |
| 748 | mark_reg_unknown(regs, regno); | 750 | mark_reg_unknown(env, regs, regno); |
| 749 | } | 751 | } |
| 750 | return 0; | 752 | return 0; |
| 751 | } | 753 | } |
| @@ -770,7 +772,8 @@ static bool is_spillable_regtype(enum bpf_reg_type type) | |||
| 770 | /* check_stack_read/write functions track spill/fill of registers, | 772 | /* check_stack_read/write functions track spill/fill of registers, |
| 771 | * stack boundary and alignment are checked in check_mem_access() | 773 | * stack boundary and alignment are checked in check_mem_access() |
| 772 | */ | 774 | */ |
| 773 | static int check_stack_write(struct bpf_verifier_state *state, int off, | 775 | static int check_stack_write(struct bpf_verifier_env *env, |
| 776 | struct bpf_verifier_state *state, int off, | ||
| 774 | int size, int value_regno) | 777 | int size, int value_regno) |
| 775 | { | 778 | { |
| 776 | int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; | 779 | int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; |
| @@ -783,7 +786,7 @@ static int check_stack_write(struct bpf_verifier_state *state, int off, | |||
| 783 | 786 | ||
| 784 | /* register containing pointer is being spilled into stack */ | 787 | /* register containing pointer is being spilled into stack */ |
| 785 | if (size != BPF_REG_SIZE) { | 788 | if (size != BPF_REG_SIZE) { |
| 786 | verbose("invalid size of register spill\n"); | 789 | verbose(env, "invalid size of register spill\n"); |
| 787 | return -EACCES; | 790 | return -EACCES; |
| 788 | } | 791 | } |
| 789 | 792 | ||
| @@ -818,7 +821,8 @@ static void mark_stack_slot_read(const struct bpf_verifier_state *state, int slo | |||
| 818 | } | 821 | } |
| 819 | } | 822 | } |
| 820 | 823 | ||
| 821 | static int check_stack_read(struct bpf_verifier_state *state, int off, int size, | 824 | static int check_stack_read(struct bpf_verifier_env *env, |
| 825 | struct bpf_verifier_state *state, int off, int size, | ||
| 822 | int value_regno) | 826 | int value_regno) |
| 823 | { | 827 | { |
| 824 | u8 *slot_type; | 828 | u8 *slot_type; |
| @@ -828,12 +832,12 @@ static int check_stack_read(struct bpf_verifier_state *state, int off, int size, | |||
| 828 | 832 | ||
| 829 | if (slot_type[0] == STACK_SPILL) { | 833 | if (slot_type[0] == STACK_SPILL) { |
| 830 | if (size != BPF_REG_SIZE) { | 834 | if (size != BPF_REG_SIZE) { |
| 831 | verbose("invalid size of register spill\n"); | 835 | verbose(env, "invalid size of register spill\n"); |
| 832 | return -EACCES; | 836 | return -EACCES; |
| 833 | } | 837 | } |
| 834 | for (i = 1; i < BPF_REG_SIZE; i++) { | 838 | for (i = 1; i < BPF_REG_SIZE; i++) { |
| 835 | if (slot_type[i] != STACK_SPILL) { | 839 | if (slot_type[i] != STACK_SPILL) { |
| 836 | verbose("corrupted spill memory\n"); | 840 | verbose(env, "corrupted spill memory\n"); |
| 837 | return -EACCES; | 841 | return -EACCES; |
| 838 | } | 842 | } |
| 839 | } | 843 | } |
| @@ -849,14 +853,14 @@ static int check_stack_read(struct bpf_verifier_state *state, int off, int size, | |||
| 849 | } else { | 853 | } else { |
| 850 | for (i = 0; i < size; i++) { | 854 | for (i = 0; i < size; i++) { |
| 851 | if (slot_type[i] != STACK_MISC) { | 855 | if (slot_type[i] != STACK_MISC) { |
| 852 | verbose("invalid read from stack off %d+%d size %d\n", | 856 | verbose(env, "invalid read from stack off %d+%d size %d\n", |
| 853 | off, i, size); | 857 | off, i, size); |
| 854 | return -EACCES; | 858 | return -EACCES; |
| 855 | } | 859 | } |
| 856 | } | 860 | } |
| 857 | if (value_regno >= 0) | 861 | if (value_regno >= 0) |
| 858 | /* have read misc data from the stack */ | 862 | /* have read misc data from the stack */ |
| 859 | mark_reg_unknown(state->regs, value_regno); | 863 | mark_reg_unknown(env, state->regs, value_regno); |
| 860 | return 0; | 864 | return 0; |
| 861 | } | 865 | } |
| 862 | } | 866 | } |
| @@ -868,7 +872,7 @@ static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, | |||
| 868 | struct bpf_map *map = env->cur_state.regs[regno].map_ptr; | 872 | struct bpf_map *map = env->cur_state.regs[regno].map_ptr; |
| 869 | 873 | ||
| 870 | if (off < 0 || size <= 0 || off + size > map->value_size) { | 874 | if (off < 0 || size <= 0 || off + size > map->value_size) { |
| 871 | verbose("invalid access to map value, value_size=%d off=%d size=%d\n", | 875 | verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n", |
| 872 | map->value_size, off, size); | 876 | map->value_size, off, size); |
| 873 | return -EACCES; | 877 | return -EACCES; |
| 874 | } | 878 | } |
| @@ -887,8 +891,8 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, | |||
| 887 | * need to try adding each of min_value and max_value to off | 891 | * need to try adding each of min_value and max_value to off |
| 888 | * to make sure our theoretical access will be safe. | 892 | * to make sure our theoretical access will be safe. |
| 889 | */ | 893 | */ |
| 890 | if (verifier_log.level) | 894 | if (env->log.level) |
| 891 | print_verifier_state(state); | 895 | print_verifier_state(env, state); |
| 892 | /* The minimum value is only important with signed | 896 | /* The minimum value is only important with signed |
| 893 | * comparisons where we can't assume the floor of a | 897 | * comparisons where we can't assume the floor of a |
| 894 | * value is 0. If we are using signed variables for our | 898 | * value is 0. If we are using signed variables for our |
| @@ -896,13 +900,14 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, | |||
| 896 | * will have a set floor within our range. | 900 | * will have a set floor within our range. |
| 897 | */ | 901 | */ |
| 898 | if (reg->smin_value < 0) { | 902 | if (reg->smin_value < 0) { |
| 899 | verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", | 903 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| 900 | regno); | 904 | regno); |
| 901 | return -EACCES; | 905 | return -EACCES; |
| 902 | } | 906 | } |
| 903 | err = __check_map_access(env, regno, reg->smin_value + off, size); | 907 | err = __check_map_access(env, regno, reg->smin_value + off, size); |
| 904 | if (err) { | 908 | if (err) { |
| 905 | verbose("R%d min value is outside of the array range\n", regno); | 909 | verbose(env, "R%d min value is outside of the array range\n", |
| 910 | regno); | ||
| 906 | return err; | 911 | return err; |
| 907 | } | 912 | } |
| 908 | 913 | ||
| @@ -911,13 +916,14 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, | |||
| 911 | * If reg->umax_value + off could overflow, treat that as unbounded too. | 916 | * If reg->umax_value + off could overflow, treat that as unbounded too. |
| 912 | */ | 917 | */ |
| 913 | if (reg->umax_value >= BPF_MAX_VAR_OFF) { | 918 | if (reg->umax_value >= BPF_MAX_VAR_OFF) { |
| 914 | verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n", | 919 | verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n", |
| 915 | regno); | 920 | regno); |
| 916 | return -EACCES; | 921 | return -EACCES; |
| 917 | } | 922 | } |
| 918 | err = __check_map_access(env, regno, reg->umax_value + off, size); | 923 | err = __check_map_access(env, regno, reg->umax_value + off, size); |
| 919 | if (err) | 924 | if (err) |
| 920 | verbose("R%d max value is outside of the array range\n", regno); | 925 | verbose(env, "R%d max value is outside of the array range\n", |
| 926 | regno); | ||
| 921 | return err; | 927 | return err; |
| 922 | } | 928 | } |
| 923 | 929 | ||
| @@ -956,7 +962,7 @@ static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, | |||
| 956 | struct bpf_reg_state *reg = ®s[regno]; | 962 | struct bpf_reg_state *reg = ®s[regno]; |
| 957 | 963 | ||
| 958 | if (off < 0 || size <= 0 || (u64)off + size > reg->range) { | 964 | if (off < 0 || size <= 0 || (u64)off + size > reg->range) { |
| 959 | verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", | 965 | verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", |
| 960 | off, size, regno, reg->id, reg->off, reg->range); | 966 | off, size, regno, reg->id, reg->off, reg->range); |
| 961 | return -EACCES; | 967 | return -EACCES; |
| 962 | } | 968 | } |
| @@ -979,13 +985,13 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, | |||
| 979 | * detail to prove they're safe. | 985 | * detail to prove they're safe. |
| 980 | */ | 986 | */ |
| 981 | if (reg->smin_value < 0) { | 987 | if (reg->smin_value < 0) { |
| 982 | verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", | 988 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| 983 | regno); | 989 | regno); |
| 984 | return -EACCES; | 990 | return -EACCES; |
| 985 | } | 991 | } |
| 986 | err = __check_packet_access(env, regno, off, size); | 992 | err = __check_packet_access(env, regno, off, size); |
| 987 | if (err) { | 993 | if (err) { |
| 988 | verbose("R%d offset is outside of the packet\n", regno); | 994 | verbose(env, "R%d offset is outside of the packet\n", regno); |
| 989 | return err; | 995 | return err; |
| 990 | } | 996 | } |
| 991 | return err; | 997 | return err; |
| @@ -1021,7 +1027,7 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, | |||
| 1021 | return 0; | 1027 | return 0; |
| 1022 | } | 1028 | } |
| 1023 | 1029 | ||
| 1024 | verbose("invalid bpf_context access off=%d size=%d\n", off, size); | 1030 | verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size); |
| 1025 | return -EACCES; | 1031 | return -EACCES; |
| 1026 | } | 1032 | } |
| 1027 | 1033 | ||
| @@ -1039,7 +1045,8 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno) | |||
| 1039 | return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]); | 1045 | return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]); |
| 1040 | } | 1046 | } |
| 1041 | 1047 | ||
| 1042 | static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg, | 1048 | static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, |
| 1049 | const struct bpf_reg_state *reg, | ||
| 1043 | int off, int size, bool strict) | 1050 | int off, int size, bool strict) |
| 1044 | { | 1051 | { |
| 1045 | struct tnum reg_off; | 1052 | struct tnum reg_off; |
| @@ -1064,7 +1071,8 @@ static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg, | |||
| 1064 | char tn_buf[48]; | 1071 | char tn_buf[48]; |
| 1065 | 1072 | ||
| 1066 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 1073 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 1067 | verbose("misaligned packet access off %d+%s+%d+%d size %d\n", | 1074 | verbose(env, |
| 1075 | "misaligned packet access off %d+%s+%d+%d size %d\n", | ||
| 1068 | ip_align, tn_buf, reg->off, off, size); | 1076 | ip_align, tn_buf, reg->off, off, size); |
| 1069 | return -EACCES; | 1077 | return -EACCES; |
| 1070 | } | 1078 | } |
| @@ -1072,7 +1080,8 @@ static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg, | |||
| 1072 | return 0; | 1080 | return 0; |
| 1073 | } | 1081 | } |
| 1074 | 1082 | ||
| 1075 | static int check_generic_ptr_alignment(const struct bpf_reg_state *reg, | 1083 | static int check_generic_ptr_alignment(struct bpf_verifier_env *env, |
| 1084 | const struct bpf_reg_state *reg, | ||
| 1076 | const char *pointer_desc, | 1085 | const char *pointer_desc, |
| 1077 | int off, int size, bool strict) | 1086 | int off, int size, bool strict) |
| 1078 | { | 1087 | { |
| @@ -1087,7 +1096,7 @@ static int check_generic_ptr_alignment(const struct bpf_reg_state *reg, | |||
| 1087 | char tn_buf[48]; | 1096 | char tn_buf[48]; |
| 1088 | 1097 | ||
| 1089 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 1098 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 1090 | verbose("misaligned %saccess off %s+%d+%d size %d\n", | 1099 | verbose(env, "misaligned %saccess off %s+%d+%d size %d\n", |
| 1091 | pointer_desc, tn_buf, reg->off, off, size); | 1100 | pointer_desc, tn_buf, reg->off, off, size); |
| 1092 | return -EACCES; | 1101 | return -EACCES; |
| 1093 | } | 1102 | } |
| @@ -1108,7 +1117,7 @@ static int check_ptr_alignment(struct bpf_verifier_env *env, | |||
| 1108 | /* Special case, because of NET_IP_ALIGN. Given metadata sits | 1117 | /* Special case, because of NET_IP_ALIGN. Given metadata sits |
| 1109 | * right in front, treat it the very same way. | 1118 | * right in front, treat it the very same way. |
| 1110 | */ | 1119 | */ |
| 1111 | return check_pkt_ptr_alignment(reg, off, size, strict); | 1120 | return check_pkt_ptr_alignment(env, reg, off, size, strict); |
| 1112 | case PTR_TO_MAP_VALUE: | 1121 | case PTR_TO_MAP_VALUE: |
| 1113 | pointer_desc = "value "; | 1122 | pointer_desc = "value "; |
| 1114 | break; | 1123 | break; |
| @@ -1121,7 +1130,8 @@ static int check_ptr_alignment(struct bpf_verifier_env *env, | |||
| 1121 | default: | 1130 | default: |
| 1122 | break; | 1131 | break; |
| 1123 | } | 1132 | } |
| 1124 | return check_generic_ptr_alignment(reg, pointer_desc, off, size, strict); | 1133 | return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, |
| 1134 | strict); | ||
| 1125 | } | 1135 | } |
| 1126 | 1136 | ||
| 1127 | /* check whether memory at (regno + off) is accessible for t = (read | write) | 1137 | /* check whether memory at (regno + off) is accessible for t = (read | write) |
| @@ -1153,20 +1163,20 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn | |||
| 1153 | if (reg->type == PTR_TO_MAP_VALUE) { | 1163 | if (reg->type == PTR_TO_MAP_VALUE) { |
| 1154 | if (t == BPF_WRITE && value_regno >= 0 && | 1164 | if (t == BPF_WRITE && value_regno >= 0 && |
| 1155 | is_pointer_value(env, value_regno)) { | 1165 | is_pointer_value(env, value_regno)) { |
| 1156 | verbose("R%d leaks addr into map\n", value_regno); | 1166 | verbose(env, "R%d leaks addr into map\n", value_regno); |
| 1157 | return -EACCES; | 1167 | return -EACCES; |
| 1158 | } | 1168 | } |
| 1159 | 1169 | ||
| 1160 | err = check_map_access(env, regno, off, size); | 1170 | err = check_map_access(env, regno, off, size); |
| 1161 | if (!err && t == BPF_READ && value_regno >= 0) | 1171 | if (!err && t == BPF_READ && value_regno >= 0) |
| 1162 | mark_reg_unknown(state->regs, value_regno); | 1172 | mark_reg_unknown(env, state->regs, value_regno); |
| 1163 | 1173 | ||
| 1164 | } else if (reg->type == PTR_TO_CTX) { | 1174 | } else if (reg->type == PTR_TO_CTX) { |
| 1165 | enum bpf_reg_type reg_type = SCALAR_VALUE; | 1175 | enum bpf_reg_type reg_type = SCALAR_VALUE; |
| 1166 | 1176 | ||
| 1167 | if (t == BPF_WRITE && value_regno >= 0 && | 1177 | if (t == BPF_WRITE && value_regno >= 0 && |
| 1168 | is_pointer_value(env, value_regno)) { | 1178 | is_pointer_value(env, value_regno)) { |
| 1169 | verbose("R%d leaks addr into ctx\n", value_regno); | 1179 | verbose(env, "R%d leaks addr into ctx\n", value_regno); |
| 1170 | return -EACCES; | 1180 | return -EACCES; |
| 1171 | } | 1181 | } |
| 1172 | /* ctx accesses must be at a fixed offset, so that we can | 1182 | /* ctx accesses must be at a fixed offset, so that we can |
| @@ -1176,7 +1186,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn | |||
| 1176 | char tn_buf[48]; | 1186 | char tn_buf[48]; |
| 1177 | 1187 | ||
| 1178 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 1188 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 1179 | verbose("variable ctx access var_off=%s off=%d size=%d", | 1189 | verbose(env, |
| 1190 | "variable ctx access var_off=%s off=%d size=%d", | ||
| 1180 | tn_buf, off, size); | 1191 | tn_buf, off, size); |
| 1181 | return -EACCES; | 1192 | return -EACCES; |
| 1182 | } | 1193 | } |
| @@ -1188,9 +1199,10 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn | |||
| 1188 | * case, we know the offset is zero. | 1199 | * case, we know the offset is zero. |
| 1189 | */ | 1200 | */ |
| 1190 | if (reg_type == SCALAR_VALUE) | 1201 | if (reg_type == SCALAR_VALUE) |
| 1191 | mark_reg_unknown(state->regs, value_regno); | 1202 | mark_reg_unknown(env, state->regs, value_regno); |
| 1192 | else | 1203 | else |
| 1193 | mark_reg_known_zero(state->regs, value_regno); | 1204 | mark_reg_known_zero(env, state->regs, |
| 1205 | value_regno); | ||
| 1194 | state->regs[value_regno].id = 0; | 1206 | state->regs[value_regno].id = 0; |
| 1195 | state->regs[value_regno].off = 0; | 1207 | state->regs[value_regno].off = 0; |
| 1196 | state->regs[value_regno].range = 0; | 1208 | state->regs[value_regno].range = 0; |
| @@ -1206,13 +1218,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn | |||
| 1206 | char tn_buf[48]; | 1218 | char tn_buf[48]; |
| 1207 | 1219 | ||
| 1208 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 1220 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 1209 | verbose("variable stack access var_off=%s off=%d size=%d", | 1221 | verbose(env, "variable stack access var_off=%s off=%d size=%d", |
| 1210 | tn_buf, off, size); | 1222 | tn_buf, off, size); |
| 1211 | return -EACCES; | 1223 | return -EACCES; |
| 1212 | } | 1224 | } |
| 1213 | off += reg->var_off.value; | 1225 | off += reg->var_off.value; |
| 1214 | if (off >= 0 || off < -MAX_BPF_STACK) { | 1226 | if (off >= 0 || off < -MAX_BPF_STACK) { |
| 1215 | verbose("invalid stack off=%d size=%d\n", off, size); | 1227 | verbose(env, "invalid stack off=%d size=%d\n", off, |
| 1228 | size); | ||
| 1216 | return -EACCES; | 1229 | return -EACCES; |
| 1217 | } | 1230 | } |
| 1218 | 1231 | ||
| @@ -1223,29 +1236,32 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn | |||
| 1223 | if (!env->allow_ptr_leaks && | 1236 | if (!env->allow_ptr_leaks && |
| 1224 | state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL && | 1237 | state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL && |
| 1225 | size != BPF_REG_SIZE) { | 1238 | size != BPF_REG_SIZE) { |
| 1226 | verbose("attempt to corrupt spilled pointer on stack\n"); | 1239 | verbose(env, "attempt to corrupt spilled pointer on stack\n"); |
| 1227 | return -EACCES; | 1240 | return -EACCES; |
| 1228 | } | 1241 | } |
| 1229 | err = check_stack_write(state, off, size, value_regno); | 1242 | err = check_stack_write(env, state, off, size, |
| 1243 | value_regno); | ||
| 1230 | } else { | 1244 | } else { |
| 1231 | err = check_stack_read(state, off, size, value_regno); | 1245 | err = check_stack_read(env, state, off, size, |
| 1246 | value_regno); | ||
| 1232 | } | 1247 | } |
| 1233 | } else if (reg_is_pkt_pointer(reg)) { | 1248 | } else if (reg_is_pkt_pointer(reg)) { |
| 1234 | if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { | 1249 | if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { |
| 1235 | verbose("cannot write into packet\n"); | 1250 | verbose(env, "cannot write into packet\n"); |
| 1236 | return -EACCES; | 1251 | return -EACCES; |
| 1237 | } | 1252 | } |
| 1238 | if (t == BPF_WRITE && value_regno >= 0 && | 1253 | if (t == BPF_WRITE && value_regno >= 0 && |
| 1239 | is_pointer_value(env, value_regno)) { | 1254 | is_pointer_value(env, value_regno)) { |
| 1240 | verbose("R%d leaks addr into packet\n", value_regno); | 1255 | verbose(env, "R%d leaks addr into packet\n", |
| 1256 | value_regno); | ||
| 1241 | return -EACCES; | 1257 | return -EACCES; |
| 1242 | } | 1258 | } |
| 1243 | err = check_packet_access(env, regno, off, size); | 1259 | err = check_packet_access(env, regno, off, size); |
| 1244 | if (!err && t == BPF_READ && value_regno >= 0) | 1260 | if (!err && t == BPF_READ && value_regno >= 0) |
| 1245 | mark_reg_unknown(state->regs, value_regno); | 1261 | mark_reg_unknown(env, state->regs, value_regno); |
| 1246 | } else { | 1262 | } else { |
| 1247 | verbose("R%d invalid mem access '%s'\n", | 1263 | verbose(env, "R%d invalid mem access '%s'\n", regno, |
| 1248 | regno, reg_type_str[reg->type]); | 1264 | reg_type_str[reg->type]); |
| 1249 | return -EACCES; | 1265 | return -EACCES; |
| 1250 | } | 1266 | } |
| 1251 | 1267 | ||
| @@ -1265,7 +1281,7 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins | |||
| 1265 | 1281 | ||
| 1266 | if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || | 1282 | if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || |
| 1267 | insn->imm != 0) { | 1283 | insn->imm != 0) { |
| 1268 | verbose("BPF_XADD uses reserved fields\n"); | 1284 | verbose(env, "BPF_XADD uses reserved fields\n"); |
| 1269 | return -EINVAL; | 1285 | return -EINVAL; |
| 1270 | } | 1286 | } |
| 1271 | 1287 | ||
| @@ -1280,7 +1296,7 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins | |||
| 1280 | return err; | 1296 | return err; |
| 1281 | 1297 | ||
| 1282 | if (is_pointer_value(env, insn->src_reg)) { | 1298 | if (is_pointer_value(env, insn->src_reg)) { |
| 1283 | verbose("R%d leaks addr into mem\n", insn->src_reg); | 1299 | verbose(env, "R%d leaks addr into mem\n", insn->src_reg); |
| 1284 | return -EACCES; | 1300 | return -EACCES; |
| 1285 | } | 1301 | } |
| 1286 | 1302 | ||
| @@ -1321,7 +1337,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, | |||
| 1321 | register_is_null(regs[regno])) | 1337 | register_is_null(regs[regno])) |
| 1322 | return 0; | 1338 | return 0; |
| 1323 | 1339 | ||
| 1324 | verbose("R%d type=%s expected=%s\n", regno, | 1340 | verbose(env, "R%d type=%s expected=%s\n", regno, |
| 1325 | reg_type_str[regs[regno].type], | 1341 | reg_type_str[regs[regno].type], |
| 1326 | reg_type_str[PTR_TO_STACK]); | 1342 | reg_type_str[PTR_TO_STACK]); |
| 1327 | return -EACCES; | 1343 | return -EACCES; |
| @@ -1332,13 +1348,13 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, | |||
| 1332 | char tn_buf[48]; | 1348 | char tn_buf[48]; |
| 1333 | 1349 | ||
| 1334 | tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); | 1350 | tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); |
| 1335 | verbose("invalid variable stack read R%d var_off=%s\n", | 1351 | verbose(env, "invalid variable stack read R%d var_off=%s\n", |
| 1336 | regno, tn_buf); | 1352 | regno, tn_buf); |
| 1337 | } | 1353 | } |
| 1338 | off = regs[regno].off + regs[regno].var_off.value; | 1354 | off = regs[regno].off + regs[regno].var_off.value; |
| 1339 | if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || | 1355 | if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |
| 1340 | access_size <= 0) { | 1356 | access_size <= 0) { |
| 1341 | verbose("invalid stack type R%d off=%d access_size=%d\n", | 1357 | verbose(env, "invalid stack type R%d off=%d access_size=%d\n", |
| 1342 | regno, off, access_size); | 1358 | regno, off, access_size); |
| 1343 | return -EACCES; | 1359 | return -EACCES; |
| 1344 | } | 1360 | } |
| @@ -1354,7 +1370,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, | |||
| 1354 | 1370 | ||
| 1355 | for (i = 0; i < access_size; i++) { | 1371 | for (i = 0; i < access_size; i++) { |
| 1356 | if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { | 1372 | if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { |
| 1357 | verbose("invalid indirect read from stack off %d+%d size %d\n", | 1373 | verbose(env, "invalid indirect read from stack off %d+%d size %d\n", |
| 1358 | off, i, access_size); | 1374 | off, i, access_size); |
| 1359 | return -EACCES; | 1375 | return -EACCES; |
| 1360 | } | 1376 | } |
| @@ -1397,7 +1413,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1397 | 1413 | ||
| 1398 | if (arg_type == ARG_ANYTHING) { | 1414 | if (arg_type == ARG_ANYTHING) { |
| 1399 | if (is_pointer_value(env, regno)) { | 1415 | if (is_pointer_value(env, regno)) { |
| 1400 | verbose("R%d leaks addr into helper function\n", regno); | 1416 | verbose(env, "R%d leaks addr into helper function\n", |
| 1417 | regno); | ||
| 1401 | return -EACCES; | 1418 | return -EACCES; |
| 1402 | } | 1419 | } |
| 1403 | return 0; | 1420 | return 0; |
| @@ -1405,7 +1422,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1405 | 1422 | ||
| 1406 | if (type_is_pkt_pointer(type) && | 1423 | if (type_is_pkt_pointer(type) && |
| 1407 | !may_access_direct_pkt_data(env, meta, BPF_READ)) { | 1424 | !may_access_direct_pkt_data(env, meta, BPF_READ)) { |
| 1408 | verbose("helper access to the packet is not allowed\n"); | 1425 | verbose(env, "helper access to the packet is not allowed\n"); |
| 1409 | return -EACCES; | 1426 | return -EACCES; |
| 1410 | } | 1427 | } |
| 1411 | 1428 | ||
| @@ -1443,7 +1460,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1443 | goto err_type; | 1460 | goto err_type; |
| 1444 | meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; | 1461 | meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; |
| 1445 | } else { | 1462 | } else { |
| 1446 | verbose("unsupported arg_type %d\n", arg_type); | 1463 | verbose(env, "unsupported arg_type %d\n", arg_type); |
| 1447 | return -EFAULT; | 1464 | return -EFAULT; |
| 1448 | } | 1465 | } |
| 1449 | 1466 | ||
| @@ -1461,7 +1478,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1461 | * we have to check map_key here. Otherwise it means | 1478 | * we have to check map_key here. Otherwise it means |
| 1462 | * that kernel subsystem misconfigured verifier | 1479 | * that kernel subsystem misconfigured verifier |
| 1463 | */ | 1480 | */ |
| 1464 | verbose("invalid map_ptr to access map->key\n"); | 1481 | verbose(env, "invalid map_ptr to access map->key\n"); |
| 1465 | return -EACCES; | 1482 | return -EACCES; |
| 1466 | } | 1483 | } |
| 1467 | if (type_is_pkt_pointer(type)) | 1484 | if (type_is_pkt_pointer(type)) |
| @@ -1477,7 +1494,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1477 | */ | 1494 | */ |
| 1478 | if (!meta->map_ptr) { | 1495 | if (!meta->map_ptr) { |
| 1479 | /* kernel subsystem misconfigured verifier */ | 1496 | /* kernel subsystem misconfigured verifier */ |
| 1480 | verbose("invalid map_ptr to access map->value\n"); | 1497 | verbose(env, "invalid map_ptr to access map->value\n"); |
| 1481 | return -EACCES; | 1498 | return -EACCES; |
| 1482 | } | 1499 | } |
| 1483 | if (type_is_pkt_pointer(type)) | 1500 | if (type_is_pkt_pointer(type)) |
| @@ -1497,7 +1514,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1497 | */ | 1514 | */ |
| 1498 | if (regno == 0) { | 1515 | if (regno == 0) { |
| 1499 | /* kernel subsystem misconfigured verifier */ | 1516 | /* kernel subsystem misconfigured verifier */ |
| 1500 | verbose("ARG_CONST_SIZE cannot be first argument\n"); | 1517 | verbose(env, |
| 1518 | "ARG_CONST_SIZE cannot be first argument\n"); | ||
| 1501 | return -EACCES; | 1519 | return -EACCES; |
| 1502 | } | 1520 | } |
| 1503 | 1521 | ||
| @@ -1514,7 +1532,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1514 | meta = NULL; | 1532 | meta = NULL; |
| 1515 | 1533 | ||
| 1516 | if (reg->smin_value < 0) { | 1534 | if (reg->smin_value < 0) { |
| 1517 | verbose("R%d min value is negative, either use unsigned or 'var &= const'\n", | 1535 | verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", |
| 1518 | regno); | 1536 | regno); |
| 1519 | return -EACCES; | 1537 | return -EACCES; |
| 1520 | } | 1538 | } |
| @@ -1528,7 +1546,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1528 | } | 1546 | } |
| 1529 | 1547 | ||
| 1530 | if (reg->umax_value >= BPF_MAX_VAR_SIZ) { | 1548 | if (reg->umax_value >= BPF_MAX_VAR_SIZ) { |
| 1531 | verbose("R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", | 1549 | verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", |
| 1532 | regno); | 1550 | regno); |
| 1533 | return -EACCES; | 1551 | return -EACCES; |
| 1534 | } | 1552 | } |
| @@ -1539,12 +1557,13 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 1539 | 1557 | ||
| 1540 | return err; | 1558 | return err; |
| 1541 | err_type: | 1559 | err_type: |
| 1542 | verbose("R%d type=%s expected=%s\n", regno, | 1560 | verbose(env, "R%d type=%s expected=%s\n", regno, |
| 1543 | reg_type_str[type], reg_type_str[expected_type]); | 1561 | reg_type_str[type], reg_type_str[expected_type]); |
| 1544 | return -EACCES; | 1562 | return -EACCES; |
| 1545 | } | 1563 | } |
| 1546 | 1564 | ||
| 1547 | static int check_map_func_compatibility(struct bpf_map *map, int func_id) | 1565 | static int check_map_func_compatibility(struct bpf_verifier_env *env, |
| 1566 | struct bpf_map *map, int func_id) | ||
| 1548 | { | 1567 | { |
| 1549 | if (!map) | 1568 | if (!map) |
| 1550 | return 0; | 1569 | return 0; |
| @@ -1632,7 +1651,7 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id) | |||
| 1632 | 1651 | ||
| 1633 | return 0; | 1652 | return 0; |
| 1634 | error: | 1653 | error: |
| 1635 | verbose("cannot pass map_type %d into func %s#%d\n", | 1654 | verbose(env, "cannot pass map_type %d into func %s#%d\n", |
| 1636 | map->map_type, func_id_name(func_id), func_id); | 1655 | map->map_type, func_id_name(func_id), func_id); |
| 1637 | return -EINVAL; | 1656 | return -EINVAL; |
| 1638 | } | 1657 | } |
| @@ -1666,7 +1685,7 @@ static void clear_all_pkt_pointers(struct bpf_verifier_env *env) | |||
| 1666 | 1685 | ||
| 1667 | for (i = 0; i < MAX_BPF_REG; i++) | 1686 | for (i = 0; i < MAX_BPF_REG; i++) |
| 1668 | if (reg_is_pkt_pointer_any(®s[i])) | 1687 | if (reg_is_pkt_pointer_any(®s[i])) |
| 1669 | mark_reg_unknown(regs, i); | 1688 | mark_reg_unknown(env, regs, i); |
| 1670 | 1689 | ||
| 1671 | for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { | 1690 | for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| 1672 | if (state->stack_slot_type[i] != STACK_SPILL) | 1691 | if (state->stack_slot_type[i] != STACK_SPILL) |
| @@ -1688,7 +1707,8 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1688 | 1707 | ||
| 1689 | /* find function prototype */ | 1708 | /* find function prototype */ |
| 1690 | if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { | 1709 | if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { |
| 1691 | verbose("invalid func %s#%d\n", func_id_name(func_id), func_id); | 1710 | verbose(env, "invalid func %s#%d\n", func_id_name(func_id), |
| 1711 | func_id); | ||
| 1692 | return -EINVAL; | 1712 | return -EINVAL; |
| 1693 | } | 1713 | } |
| 1694 | 1714 | ||
| @@ -1696,13 +1716,14 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1696 | fn = env->prog->aux->ops->get_func_proto(func_id); | 1716 | fn = env->prog->aux->ops->get_func_proto(func_id); |
| 1697 | 1717 | ||
| 1698 | if (!fn) { | 1718 | if (!fn) { |
| 1699 | verbose("unknown func %s#%d\n", func_id_name(func_id), func_id); | 1719 | verbose(env, "unknown func %s#%d\n", func_id_name(func_id), |
| 1720 | func_id); | ||
| 1700 | return -EINVAL; | 1721 | return -EINVAL; |
| 1701 | } | 1722 | } |
| 1702 | 1723 | ||
| 1703 | /* eBPF programs must be GPL compatible to use GPL-ed functions */ | 1724 | /* eBPF programs must be GPL compatible to use GPL-ed functions */ |
| 1704 | if (!env->prog->gpl_compatible && fn->gpl_only) { | 1725 | if (!env->prog->gpl_compatible && fn->gpl_only) { |
| 1705 | verbose("cannot call GPL only function from proprietary program\n"); | 1726 | verbose(env, "cannot call GPL only function from proprietary program\n"); |
| 1706 | return -EINVAL; | 1727 | return -EINVAL; |
| 1707 | } | 1728 | } |
| 1708 | 1729 | ||
| @@ -1716,7 +1737,7 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1716 | */ | 1737 | */ |
| 1717 | err = check_raw_mode(fn); | 1738 | err = check_raw_mode(fn); |
| 1718 | if (err) { | 1739 | if (err) { |
| 1719 | verbose("kernel subsystem misconfigured func %s#%d\n", | 1740 | verbose(env, "kernel subsystem misconfigured func %s#%d\n", |
| 1720 | func_id_name(func_id), func_id); | 1741 | func_id_name(func_id), func_id); |
| 1721 | return err; | 1742 | return err; |
| 1722 | } | 1743 | } |
| @@ -1749,14 +1770,14 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1749 | 1770 | ||
| 1750 | /* reset caller saved regs */ | 1771 | /* reset caller saved regs */ |
| 1751 | for (i = 0; i < CALLER_SAVED_REGS; i++) { | 1772 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| 1752 | mark_reg_not_init(regs, caller_saved[i]); | 1773 | mark_reg_not_init(env, regs, caller_saved[i]); |
| 1753 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); | 1774 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
| 1754 | } | 1775 | } |
| 1755 | 1776 | ||
| 1756 | /* update return register (already marked as written above) */ | 1777 | /* update return register (already marked as written above) */ |
| 1757 | if (fn->ret_type == RET_INTEGER) { | 1778 | if (fn->ret_type == RET_INTEGER) { |
| 1758 | /* sets type to SCALAR_VALUE */ | 1779 | /* sets type to SCALAR_VALUE */ |
| 1759 | mark_reg_unknown(regs, BPF_REG_0); | 1780 | mark_reg_unknown(env, regs, BPF_REG_0); |
| 1760 | } else if (fn->ret_type == RET_VOID) { | 1781 | } else if (fn->ret_type == RET_VOID) { |
| 1761 | regs[BPF_REG_0].type = NOT_INIT; | 1782 | regs[BPF_REG_0].type = NOT_INIT; |
| 1762 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) { | 1783 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) { |
| @@ -1764,14 +1785,15 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1764 | 1785 | ||
| 1765 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; | 1786 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; |
| 1766 | /* There is no offset yet applied, variable or fixed */ | 1787 | /* There is no offset yet applied, variable or fixed */ |
| 1767 | mark_reg_known_zero(regs, BPF_REG_0); | 1788 | mark_reg_known_zero(env, regs, BPF_REG_0); |
| 1768 | regs[BPF_REG_0].off = 0; | 1789 | regs[BPF_REG_0].off = 0; |
| 1769 | /* remember map_ptr, so that check_map_access() | 1790 | /* remember map_ptr, so that check_map_access() |
| 1770 | * can check 'value_size' boundary of memory access | 1791 | * can check 'value_size' boundary of memory access |
| 1771 | * to map element returned from bpf_map_lookup_elem() | 1792 | * to map element returned from bpf_map_lookup_elem() |
| 1772 | */ | 1793 | */ |
| 1773 | if (meta.map_ptr == NULL) { | 1794 | if (meta.map_ptr == NULL) { |
| 1774 | verbose("kernel subsystem misconfigured verifier\n"); | 1795 | verbose(env, |
| 1796 | "kernel subsystem misconfigured verifier\n"); | ||
| 1775 | return -EINVAL; | 1797 | return -EINVAL; |
| 1776 | } | 1798 | } |
| 1777 | regs[BPF_REG_0].map_ptr = meta.map_ptr; | 1799 | regs[BPF_REG_0].map_ptr = meta.map_ptr; |
| @@ -1782,12 +1804,12 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) | |||
| 1782 | else if (insn_aux->map_ptr != meta.map_ptr) | 1804 | else if (insn_aux->map_ptr != meta.map_ptr) |
| 1783 | insn_aux->map_ptr = BPF_MAP_PTR_POISON; | 1805 | insn_aux->map_ptr = BPF_MAP_PTR_POISON; |
| 1784 | } else { | 1806 | } else { |
| 1785 | verbose("unknown return type %d of func %s#%d\n", | 1807 | verbose(env, "unknown return type %d of func %s#%d\n", |
| 1786 | fn->ret_type, func_id_name(func_id), func_id); | 1808 | fn->ret_type, func_id_name(func_id), func_id); |
| 1787 | return -EINVAL; | 1809 | return -EINVAL; |
| 1788 | } | 1810 | } |
| 1789 | 1811 | ||
| 1790 | err = check_map_func_compatibility(meta.map_ptr, func_id); | 1812 | err = check_map_func_compatibility(env, meta.map_ptr, func_id); |
| 1791 | if (err) | 1813 | if (err) |
| 1792 | return err; | 1814 | return err; |
| 1793 | 1815 | ||
| @@ -1846,39 +1868,42 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |||
| 1846 | dst_reg = ®s[dst]; | 1868 | dst_reg = ®s[dst]; |
| 1847 | 1869 | ||
| 1848 | if (WARN_ON_ONCE(known && (smin_val != smax_val))) { | 1870 | if (WARN_ON_ONCE(known && (smin_val != smax_val))) { |
| 1849 | print_verifier_state(&env->cur_state); | 1871 | print_verifier_state(env, &env->cur_state); |
| 1850 | verbose("verifier internal error: known but bad sbounds\n"); | 1872 | verbose(env, |
| 1873 | "verifier internal error: known but bad sbounds\n"); | ||
| 1851 | return -EINVAL; | 1874 | return -EINVAL; |
| 1852 | } | 1875 | } |
| 1853 | if (WARN_ON_ONCE(known && (umin_val != umax_val))) { | 1876 | if (WARN_ON_ONCE(known && (umin_val != umax_val))) { |
| 1854 | print_verifier_state(&env->cur_state); | 1877 | print_verifier_state(env, &env->cur_state); |
| 1855 | verbose("verifier internal error: known but bad ubounds\n"); | 1878 | verbose(env, |
| 1879 | "verifier internal error: known but bad ubounds\n"); | ||
| 1856 | return -EINVAL; | 1880 | return -EINVAL; |
| 1857 | } | 1881 | } |
| 1858 | 1882 | ||
| 1859 | if (BPF_CLASS(insn->code) != BPF_ALU64) { | 1883 | if (BPF_CLASS(insn->code) != BPF_ALU64) { |
| 1860 | /* 32-bit ALU ops on pointers produce (meaningless) scalars */ | 1884 | /* 32-bit ALU ops on pointers produce (meaningless) scalars */ |
| 1861 | if (!env->allow_ptr_leaks) | 1885 | if (!env->allow_ptr_leaks) |
| 1862 | verbose("R%d 32-bit pointer arithmetic prohibited\n", | 1886 | verbose(env, |
| 1887 | "R%d 32-bit pointer arithmetic prohibited\n", | ||
| 1863 | dst); | 1888 | dst); |
| 1864 | return -EACCES; | 1889 | return -EACCES; |
| 1865 | } | 1890 | } |
| 1866 | 1891 | ||
| 1867 | if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { | 1892 | if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
| 1868 | if (!env->allow_ptr_leaks) | 1893 | if (!env->allow_ptr_leaks) |
| 1869 | verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", | 1894 | verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", |
| 1870 | dst); | 1895 | dst); |
| 1871 | return -EACCES; | 1896 | return -EACCES; |
| 1872 | } | 1897 | } |
| 1873 | if (ptr_reg->type == CONST_PTR_TO_MAP) { | 1898 | if (ptr_reg->type == CONST_PTR_TO_MAP) { |
| 1874 | if (!env->allow_ptr_leaks) | 1899 | if (!env->allow_ptr_leaks) |
| 1875 | verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", | 1900 | verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", |
| 1876 | dst); | 1901 | dst); |
| 1877 | return -EACCES; | 1902 | return -EACCES; |
| 1878 | } | 1903 | } |
| 1879 | if (ptr_reg->type == PTR_TO_PACKET_END) { | 1904 | if (ptr_reg->type == PTR_TO_PACKET_END) { |
| 1880 | if (!env->allow_ptr_leaks) | 1905 | if (!env->allow_ptr_leaks) |
| 1881 | verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", | 1906 | verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", |
| 1882 | dst); | 1907 | dst); |
| 1883 | return -EACCES; | 1908 | return -EACCES; |
| 1884 | } | 1909 | } |
| @@ -1943,7 +1968,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |||
| 1943 | if (dst_reg == off_reg) { | 1968 | if (dst_reg == off_reg) { |
| 1944 | /* scalar -= pointer. Creates an unknown scalar */ | 1969 | /* scalar -= pointer. Creates an unknown scalar */ |
| 1945 | if (!env->allow_ptr_leaks) | 1970 | if (!env->allow_ptr_leaks) |
| 1946 | verbose("R%d tried to subtract pointer from scalar\n", | 1971 | verbose(env, "R%d tried to subtract pointer from scalar\n", |
| 1947 | dst); | 1972 | dst); |
| 1948 | return -EACCES; | 1973 | return -EACCES; |
| 1949 | } | 1974 | } |
| @@ -1953,7 +1978,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |||
| 1953 | */ | 1978 | */ |
| 1954 | if (ptr_reg->type == PTR_TO_STACK) { | 1979 | if (ptr_reg->type == PTR_TO_STACK) { |
| 1955 | if (!env->allow_ptr_leaks) | 1980 | if (!env->allow_ptr_leaks) |
| 1956 | verbose("R%d subtraction from stack pointer prohibited\n", | 1981 | verbose(env, "R%d subtraction from stack pointer prohibited\n", |
| 1957 | dst); | 1982 | dst); |
| 1958 | return -EACCES; | 1983 | return -EACCES; |
| 1959 | } | 1984 | } |
| @@ -2008,13 +2033,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |||
| 2008 | * ptr &= ~3 which would reduce min_value by 3.) | 2033 | * ptr &= ~3 which would reduce min_value by 3.) |
| 2009 | */ | 2034 | */ |
| 2010 | if (!env->allow_ptr_leaks) | 2035 | if (!env->allow_ptr_leaks) |
| 2011 | verbose("R%d bitwise operator %s on pointer prohibited\n", | 2036 | verbose(env, "R%d bitwise operator %s on pointer prohibited\n", |
| 2012 | dst, bpf_alu_string[opcode >> 4]); | 2037 | dst, bpf_alu_string[opcode >> 4]); |
| 2013 | return -EACCES; | 2038 | return -EACCES; |
| 2014 | default: | 2039 | default: |
| 2015 | /* other operators (e.g. MUL,LSH) produce non-pointer results */ | 2040 | /* other operators (e.g. MUL,LSH) produce non-pointer results */ |
| 2016 | if (!env->allow_ptr_leaks) | 2041 | if (!env->allow_ptr_leaks) |
| 2017 | verbose("R%d pointer arithmetic with %s operator prohibited\n", | 2042 | verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", |
| 2018 | dst, bpf_alu_string[opcode >> 4]); | 2043 | dst, bpf_alu_string[opcode >> 4]); |
| 2019 | return -EACCES; | 2044 | return -EACCES; |
| 2020 | } | 2045 | } |
| @@ -2180,7 +2205,7 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | |||
| 2180 | /* Shifts greater than 63 are undefined. This includes | 2205 | /* Shifts greater than 63 are undefined. This includes |
| 2181 | * shifts by a negative number. | 2206 | * shifts by a negative number. |
| 2182 | */ | 2207 | */ |
| 2183 | mark_reg_unknown(regs, insn->dst_reg); | 2208 | mark_reg_unknown(env, regs, insn->dst_reg); |
| 2184 | break; | 2209 | break; |
| 2185 | } | 2210 | } |
| 2186 | /* We lose all sign bit information (except what we can pick | 2211 | /* We lose all sign bit information (except what we can pick |
| @@ -2208,7 +2233,7 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | |||
| 2208 | /* Shifts greater than 63 are undefined. This includes | 2233 | /* Shifts greater than 63 are undefined. This includes |
| 2209 | * shifts by a negative number. | 2234 | * shifts by a negative number. |
| 2210 | */ | 2235 | */ |
| 2211 | mark_reg_unknown(regs, insn->dst_reg); | 2236 | mark_reg_unknown(env, regs, insn->dst_reg); |
| 2212 | break; | 2237 | break; |
| 2213 | } | 2238 | } |
| 2214 | /* BPF_RSH is an unsigned shift, so make the appropriate casts */ | 2239 | /* BPF_RSH is an unsigned shift, so make the appropriate casts */ |
| @@ -2236,7 +2261,7 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | |||
| 2236 | __update_reg_bounds(dst_reg); | 2261 | __update_reg_bounds(dst_reg); |
| 2237 | break; | 2262 | break; |
| 2238 | default: | 2263 | default: |
| 2239 | mark_reg_unknown(regs, insn->dst_reg); | 2264 | mark_reg_unknown(env, regs, insn->dst_reg); |
| 2240 | break; | 2265 | break; |
| 2241 | } | 2266 | } |
| 2242 | 2267 | ||
| @@ -2268,12 +2293,12 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, | |||
| 2268 | * an arbitrary scalar. | 2293 | * an arbitrary scalar. |
| 2269 | */ | 2294 | */ |
| 2270 | if (!env->allow_ptr_leaks) { | 2295 | if (!env->allow_ptr_leaks) { |
| 2271 | verbose("R%d pointer %s pointer prohibited\n", | 2296 | verbose(env, "R%d pointer %s pointer prohibited\n", |
| 2272 | insn->dst_reg, | 2297 | insn->dst_reg, |
| 2273 | bpf_alu_string[opcode >> 4]); | 2298 | bpf_alu_string[opcode >> 4]); |
| 2274 | return -EACCES; | 2299 | return -EACCES; |
| 2275 | } | 2300 | } |
| 2276 | mark_reg_unknown(regs, insn->dst_reg); | 2301 | mark_reg_unknown(env, regs, insn->dst_reg); |
| 2277 | return 0; | 2302 | return 0; |
| 2278 | } else { | 2303 | } else { |
| 2279 | /* scalar += pointer | 2304 | /* scalar += pointer |
| @@ -2325,13 +2350,13 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, | |||
| 2325 | 2350 | ||
| 2326 | /* Got here implies adding two SCALAR_VALUEs */ | 2351 | /* Got here implies adding two SCALAR_VALUEs */ |
| 2327 | if (WARN_ON_ONCE(ptr_reg)) { | 2352 | if (WARN_ON_ONCE(ptr_reg)) { |
| 2328 | print_verifier_state(&env->cur_state); | 2353 | print_verifier_state(env, &env->cur_state); |
| 2329 | verbose("verifier internal error: unexpected ptr_reg\n"); | 2354 | verbose(env, "verifier internal error: unexpected ptr_reg\n"); |
| 2330 | return -EINVAL; | 2355 | return -EINVAL; |
| 2331 | } | 2356 | } |
| 2332 | if (WARN_ON(!src_reg)) { | 2357 | if (WARN_ON(!src_reg)) { |
| 2333 | print_verifier_state(&env->cur_state); | 2358 | print_verifier_state(env, &env->cur_state); |
| 2334 | verbose("verifier internal error: no src_reg\n"); | 2359 | verbose(env, "verifier internal error: no src_reg\n"); |
| 2335 | return -EINVAL; | 2360 | return -EINVAL; |
| 2336 | } | 2361 | } |
| 2337 | return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); | 2362 | return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); |
| @@ -2349,14 +2374,14 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2349 | if (BPF_SRC(insn->code) != 0 || | 2374 | if (BPF_SRC(insn->code) != 0 || |
| 2350 | insn->src_reg != BPF_REG_0 || | 2375 | insn->src_reg != BPF_REG_0 || |
| 2351 | insn->off != 0 || insn->imm != 0) { | 2376 | insn->off != 0 || insn->imm != 0) { |
| 2352 | verbose("BPF_NEG uses reserved fields\n"); | 2377 | verbose(env, "BPF_NEG uses reserved fields\n"); |
| 2353 | return -EINVAL; | 2378 | return -EINVAL; |
| 2354 | } | 2379 | } |
| 2355 | } else { | 2380 | } else { |
| 2356 | if (insn->src_reg != BPF_REG_0 || insn->off != 0 || | 2381 | if (insn->src_reg != BPF_REG_0 || insn->off != 0 || |
| 2357 | (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || | 2382 | (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || |
| 2358 | BPF_CLASS(insn->code) == BPF_ALU64) { | 2383 | BPF_CLASS(insn->code) == BPF_ALU64) { |
| 2359 | verbose("BPF_END uses reserved fields\n"); | 2384 | verbose(env, "BPF_END uses reserved fields\n"); |
| 2360 | return -EINVAL; | 2385 | return -EINVAL; |
| 2361 | } | 2386 | } |
| 2362 | } | 2387 | } |
| @@ -2367,7 +2392,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2367 | return err; | 2392 | return err; |
| 2368 | 2393 | ||
| 2369 | if (is_pointer_value(env, insn->dst_reg)) { | 2394 | if (is_pointer_value(env, insn->dst_reg)) { |
| 2370 | verbose("R%d pointer arithmetic prohibited\n", | 2395 | verbose(env, "R%d pointer arithmetic prohibited\n", |
| 2371 | insn->dst_reg); | 2396 | insn->dst_reg); |
| 2372 | return -EACCES; | 2397 | return -EACCES; |
| 2373 | } | 2398 | } |
| @@ -2381,7 +2406,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2381 | 2406 | ||
| 2382 | if (BPF_SRC(insn->code) == BPF_X) { | 2407 | if (BPF_SRC(insn->code) == BPF_X) { |
| 2383 | if (insn->imm != 0 || insn->off != 0) { | 2408 | if (insn->imm != 0 || insn->off != 0) { |
| 2384 | verbose("BPF_MOV uses reserved fields\n"); | 2409 | verbose(env, "BPF_MOV uses reserved fields\n"); |
| 2385 | return -EINVAL; | 2410 | return -EINVAL; |
| 2386 | } | 2411 | } |
| 2387 | 2412 | ||
| @@ -2391,7 +2416,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2391 | return err; | 2416 | return err; |
| 2392 | } else { | 2417 | } else { |
| 2393 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | 2418 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { |
| 2394 | verbose("BPF_MOV uses reserved fields\n"); | 2419 | verbose(env, "BPF_MOV uses reserved fields\n"); |
| 2395 | return -EINVAL; | 2420 | return -EINVAL; |
| 2396 | } | 2421 | } |
| 2397 | } | 2422 | } |
| @@ -2411,11 +2436,12 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2411 | } else { | 2436 | } else { |
| 2412 | /* R1 = (u32) R2 */ | 2437 | /* R1 = (u32) R2 */ |
| 2413 | if (is_pointer_value(env, insn->src_reg)) { | 2438 | if (is_pointer_value(env, insn->src_reg)) { |
| 2414 | verbose("R%d partial copy of pointer\n", | 2439 | verbose(env, |
| 2440 | "R%d partial copy of pointer\n", | ||
| 2415 | insn->src_reg); | 2441 | insn->src_reg); |
| 2416 | return -EACCES; | 2442 | return -EACCES; |
| 2417 | } | 2443 | } |
| 2418 | mark_reg_unknown(regs, insn->dst_reg); | 2444 | mark_reg_unknown(env, regs, insn->dst_reg); |
| 2419 | /* high 32 bits are known zero. */ | 2445 | /* high 32 bits are known zero. */ |
| 2420 | regs[insn->dst_reg].var_off = tnum_cast( | 2446 | regs[insn->dst_reg].var_off = tnum_cast( |
| 2421 | regs[insn->dst_reg].var_off, 4); | 2447 | regs[insn->dst_reg].var_off, 4); |
| @@ -2430,14 +2456,14 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2430 | } | 2456 | } |
| 2431 | 2457 | ||
| 2432 | } else if (opcode > BPF_END) { | 2458 | } else if (opcode > BPF_END) { |
| 2433 | verbose("invalid BPF_ALU opcode %x\n", opcode); | 2459 | verbose(env, "invalid BPF_ALU opcode %x\n", opcode); |
| 2434 | return -EINVAL; | 2460 | return -EINVAL; |
| 2435 | 2461 | ||
| 2436 | } else { /* all other ALU ops: and, sub, xor, add, ... */ | 2462 | } else { /* all other ALU ops: and, sub, xor, add, ... */ |
| 2437 | 2463 | ||
| 2438 | if (BPF_SRC(insn->code) == BPF_X) { | 2464 | if (BPF_SRC(insn->code) == BPF_X) { |
| 2439 | if (insn->imm != 0 || insn->off != 0) { | 2465 | if (insn->imm != 0 || insn->off != 0) { |
| 2440 | verbose("BPF_ALU uses reserved fields\n"); | 2466 | verbose(env, "BPF_ALU uses reserved fields\n"); |
| 2441 | return -EINVAL; | 2467 | return -EINVAL; |
| 2442 | } | 2468 | } |
| 2443 | /* check src1 operand */ | 2469 | /* check src1 operand */ |
| @@ -2446,7 +2472,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2446 | return err; | 2472 | return err; |
| 2447 | } else { | 2473 | } else { |
| 2448 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | 2474 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { |
| 2449 | verbose("BPF_ALU uses reserved fields\n"); | 2475 | verbose(env, "BPF_ALU uses reserved fields\n"); |
| 2450 | return -EINVAL; | 2476 | return -EINVAL; |
| 2451 | } | 2477 | } |
| 2452 | } | 2478 | } |
| @@ -2458,7 +2484,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2458 | 2484 | ||
| 2459 | if ((opcode == BPF_MOD || opcode == BPF_DIV) && | 2485 | if ((opcode == BPF_MOD || opcode == BPF_DIV) && |
| 2460 | BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { | 2486 | BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { |
| 2461 | verbose("div by zero\n"); | 2487 | verbose(env, "div by zero\n"); |
| 2462 | return -EINVAL; | 2488 | return -EINVAL; |
| 2463 | } | 2489 | } |
| 2464 | 2490 | ||
| @@ -2467,7 +2493,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2467 | int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; | 2493 | int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; |
| 2468 | 2494 | ||
| 2469 | if (insn->imm < 0 || insn->imm >= size) { | 2495 | if (insn->imm < 0 || insn->imm >= size) { |
| 2470 | verbose("invalid shift %d\n", insn->imm); | 2496 | verbose(env, "invalid shift %d\n", insn->imm); |
| 2471 | return -EINVAL; | 2497 | return -EINVAL; |
| 2472 | } | 2498 | } |
| 2473 | } | 2499 | } |
| @@ -2820,13 +2846,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, | |||
| 2820 | int err; | 2846 | int err; |
| 2821 | 2847 | ||
| 2822 | if (opcode > BPF_JSLE) { | 2848 | if (opcode > BPF_JSLE) { |
| 2823 | verbose("invalid BPF_JMP opcode %x\n", opcode); | 2849 | verbose(env, "invalid BPF_JMP opcode %x\n", opcode); |
| 2824 | return -EINVAL; | 2850 | return -EINVAL; |
| 2825 | } | 2851 | } |
| 2826 | 2852 | ||
| 2827 | if (BPF_SRC(insn->code) == BPF_X) { | 2853 | if (BPF_SRC(insn->code) == BPF_X) { |
| 2828 | if (insn->imm != 0) { | 2854 | if (insn->imm != 0) { |
| 2829 | verbose("BPF_JMP uses reserved fields\n"); | 2855 | verbose(env, "BPF_JMP uses reserved fields\n"); |
| 2830 | return -EINVAL; | 2856 | return -EINVAL; |
| 2831 | } | 2857 | } |
| 2832 | 2858 | ||
| @@ -2836,13 +2862,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, | |||
| 2836 | return err; | 2862 | return err; |
| 2837 | 2863 | ||
| 2838 | if (is_pointer_value(env, insn->src_reg)) { | 2864 | if (is_pointer_value(env, insn->src_reg)) { |
| 2839 | verbose("R%d pointer comparison prohibited\n", | 2865 | verbose(env, "R%d pointer comparison prohibited\n", |
| 2840 | insn->src_reg); | 2866 | insn->src_reg); |
| 2841 | return -EACCES; | 2867 | return -EACCES; |
| 2842 | } | 2868 | } |
| 2843 | } else { | 2869 | } else { |
| 2844 | if (insn->src_reg != BPF_REG_0) { | 2870 | if (insn->src_reg != BPF_REG_0) { |
| 2845 | verbose("BPF_JMP uses reserved fields\n"); | 2871 | verbose(env, "BPF_JMP uses reserved fields\n"); |
| 2846 | return -EINVAL; | 2872 | return -EINVAL; |
| 2847 | } | 2873 | } |
| 2848 | } | 2874 | } |
| @@ -2954,11 +2980,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, | |||
| 2954 | find_good_pkt_pointers(this_branch, ®s[insn->src_reg], | 2980 | find_good_pkt_pointers(this_branch, ®s[insn->src_reg], |
| 2955 | PTR_TO_PACKET_META); | 2981 | PTR_TO_PACKET_META); |
| 2956 | } else if (is_pointer_value(env, insn->dst_reg)) { | 2982 | } else if (is_pointer_value(env, insn->dst_reg)) { |
| 2957 | verbose("R%d pointer comparison prohibited\n", insn->dst_reg); | 2983 | verbose(env, "R%d pointer comparison prohibited\n", |
| 2984 | insn->dst_reg); | ||
| 2958 | return -EACCES; | 2985 | return -EACCES; |
| 2959 | } | 2986 | } |
| 2960 | if (verifier_log.level) | 2987 | if (env->log.level) |
| 2961 | print_verifier_state(this_branch); | 2988 | print_verifier_state(env, this_branch); |
| 2962 | return 0; | 2989 | return 0; |
| 2963 | } | 2990 | } |
| 2964 | 2991 | ||
| @@ -2977,11 +3004,11 @@ static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 2977 | int err; | 3004 | int err; |
| 2978 | 3005 | ||
| 2979 | if (BPF_SIZE(insn->code) != BPF_DW) { | 3006 | if (BPF_SIZE(insn->code) != BPF_DW) { |
| 2980 | verbose("invalid BPF_LD_IMM insn\n"); | 3007 | verbose(env, "invalid BPF_LD_IMM insn\n"); |
| 2981 | return -EINVAL; | 3008 | return -EINVAL; |
| 2982 | } | 3009 | } |
| 2983 | if (insn->off != 0) { | 3010 | if (insn->off != 0) { |
| 2984 | verbose("BPF_LD_IMM64 uses reserved fields\n"); | 3011 | verbose(env, "BPF_LD_IMM64 uses reserved fields\n"); |
| 2985 | return -EINVAL; | 3012 | return -EINVAL; |
| 2986 | } | 3013 | } |
| 2987 | 3014 | ||
| @@ -3039,14 +3066,14 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 3039 | int i, err; | 3066 | int i, err; |
| 3040 | 3067 | ||
| 3041 | if (!may_access_skb(env->prog->type)) { | 3068 | if (!may_access_skb(env->prog->type)) { |
| 3042 | verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n"); | 3069 | verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n"); |
| 3043 | return -EINVAL; | 3070 | return -EINVAL; |
| 3044 | } | 3071 | } |
| 3045 | 3072 | ||
| 3046 | if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || | 3073 | if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || |
| 3047 | BPF_SIZE(insn->code) == BPF_DW || | 3074 | BPF_SIZE(insn->code) == BPF_DW || |
| 3048 | (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { | 3075 | (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { |
| 3049 | verbose("BPF_LD_[ABS|IND] uses reserved fields\n"); | 3076 | verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n"); |
| 3050 | return -EINVAL; | 3077 | return -EINVAL; |
| 3051 | } | 3078 | } |
| 3052 | 3079 | ||
| @@ -3056,7 +3083,8 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 3056 | return err; | 3083 | return err; |
| 3057 | 3084 | ||
| 3058 | if (regs[BPF_REG_6].type != PTR_TO_CTX) { | 3085 | if (regs[BPF_REG_6].type != PTR_TO_CTX) { |
| 3059 | verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n"); | 3086 | verbose(env, |
| 3087 | "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n"); | ||
| 3060 | return -EINVAL; | 3088 | return -EINVAL; |
| 3061 | } | 3089 | } |
| 3062 | 3090 | ||
| @@ -3069,7 +3097,7 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 3069 | 3097 | ||
| 3070 | /* reset caller saved regs to unreadable */ | 3098 | /* reset caller saved regs to unreadable */ |
| 3071 | for (i = 0; i < CALLER_SAVED_REGS; i++) { | 3099 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| 3072 | mark_reg_not_init(regs, caller_saved[i]); | 3100 | mark_reg_not_init(env, regs, caller_saved[i]); |
| 3073 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); | 3101 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
| 3074 | } | 3102 | } |
| 3075 | 3103 | ||
| @@ -3077,7 +3105,7 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) | |||
| 3077 | * the value fetched from the packet. | 3105 | * the value fetched from the packet. |
| 3078 | * Already marked as written above. | 3106 | * Already marked as written above. |
| 3079 | */ | 3107 | */ |
| 3080 | mark_reg_unknown(regs, BPF_REG_0); | 3108 | mark_reg_unknown(env, regs, BPF_REG_0); |
| 3081 | return 0; | 3109 | return 0; |
| 3082 | } | 3110 | } |
| 3083 | 3111 | ||
| @@ -3097,22 +3125,22 @@ static int check_return_code(struct bpf_verifier_env *env) | |||
| 3097 | 3125 | ||
| 3098 | reg = &env->cur_state.regs[BPF_REG_0]; | 3126 | reg = &env->cur_state.regs[BPF_REG_0]; |
| 3099 | if (reg->type != SCALAR_VALUE) { | 3127 | if (reg->type != SCALAR_VALUE) { |
| 3100 | verbose("At program exit the register R0 is not a known value (%s)\n", | 3128 | verbose(env, "At program exit the register R0 is not a known value (%s)\n", |
| 3101 | reg_type_str[reg->type]); | 3129 | reg_type_str[reg->type]); |
| 3102 | return -EINVAL; | 3130 | return -EINVAL; |
| 3103 | } | 3131 | } |
| 3104 | 3132 | ||
| 3105 | if (!tnum_in(range, reg->var_off)) { | 3133 | if (!tnum_in(range, reg->var_off)) { |
| 3106 | verbose("At program exit the register R0 "); | 3134 | verbose(env, "At program exit the register R0 "); |
| 3107 | if (!tnum_is_unknown(reg->var_off)) { | 3135 | if (!tnum_is_unknown(reg->var_off)) { |
| 3108 | char tn_buf[48]; | 3136 | char tn_buf[48]; |
| 3109 | 3137 | ||
| 3110 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | 3138 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| 3111 | verbose("has value %s", tn_buf); | 3139 | verbose(env, "has value %s", tn_buf); |
| 3112 | } else { | 3140 | } else { |
| 3113 | verbose("has unknown scalar value"); | 3141 | verbose(env, "has unknown scalar value"); |
| 3114 | } | 3142 | } |
| 3115 | verbose(" should have been 0 or 1\n"); | 3143 | verbose(env, " should have been 0 or 1\n"); |
| 3116 | return -EINVAL; | 3144 | return -EINVAL; |
| 3117 | } | 3145 | } |
| 3118 | return 0; | 3146 | return 0; |
| @@ -3178,7 +3206,7 @@ static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) | |||
| 3178 | return 0; | 3206 | return 0; |
| 3179 | 3207 | ||
| 3180 | if (w < 0 || w >= env->prog->len) { | 3208 | if (w < 0 || w >= env->prog->len) { |
| 3181 | verbose("jump out of range from insn %d to %d\n", t, w); | 3209 | verbose(env, "jump out of range from insn %d to %d\n", t, w); |
| 3182 | return -EINVAL; | 3210 | return -EINVAL; |
| 3183 | } | 3211 | } |
| 3184 | 3212 | ||
| @@ -3195,13 +3223,13 @@ static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) | |||
| 3195 | insn_stack[cur_stack++] = w; | 3223 | insn_stack[cur_stack++] = w; |
| 3196 | return 1; | 3224 | return 1; |
| 3197 | } else if ((insn_state[w] & 0xF0) == DISCOVERED) { | 3225 | } else if ((insn_state[w] & 0xF0) == DISCOVERED) { |
| 3198 | verbose("back-edge from insn %d to %d\n", t, w); | 3226 | verbose(env, "back-edge from insn %d to %d\n", t, w); |
| 3199 | return -EINVAL; | 3227 | return -EINVAL; |
| 3200 | } else if (insn_state[w] == EXPLORED) { | 3228 | } else if (insn_state[w] == EXPLORED) { |
| 3201 | /* forward- or cross-edge */ | 3229 | /* forward- or cross-edge */ |
| 3202 | insn_state[t] = DISCOVERED | e; | 3230 | insn_state[t] = DISCOVERED | e; |
| 3203 | } else { | 3231 | } else { |
| 3204 | verbose("insn state internal bug\n"); | 3232 | verbose(env, "insn state internal bug\n"); |
| 3205 | return -EFAULT; | 3233 | return -EFAULT; |
| 3206 | } | 3234 | } |
| 3207 | return 0; | 3235 | return 0; |
| @@ -3295,7 +3323,7 @@ peek_stack: | |||
| 3295 | mark_explored: | 3323 | mark_explored: |
| 3296 | insn_state[t] = EXPLORED; | 3324 | insn_state[t] = EXPLORED; |
| 3297 | if (cur_stack-- <= 0) { | 3325 | if (cur_stack-- <= 0) { |
| 3298 | verbose("pop stack internal bug\n"); | 3326 | verbose(env, "pop stack internal bug\n"); |
| 3299 | ret = -EFAULT; | 3327 | ret = -EFAULT; |
| 3300 | goto err_free; | 3328 | goto err_free; |
| 3301 | } | 3329 | } |
| @@ -3304,7 +3332,7 @@ mark_explored: | |||
| 3304 | check_state: | 3332 | check_state: |
| 3305 | for (i = 0; i < insn_cnt; i++) { | 3333 | for (i = 0; i < insn_cnt; i++) { |
| 3306 | if (insn_state[i] != EXPLORED) { | 3334 | if (insn_state[i] != EXPLORED) { |
| 3307 | verbose("unreachable insn %d\n", i); | 3335 | verbose(env, "unreachable insn %d\n", i); |
| 3308 | ret = -EINVAL; | 3336 | ret = -EINVAL; |
| 3309 | goto err_free; | 3337 | goto err_free; |
| 3310 | } | 3338 | } |
| @@ -3685,7 +3713,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3685 | int insn_processed = 0; | 3713 | int insn_processed = 0; |
| 3686 | bool do_print_state = false; | 3714 | bool do_print_state = false; |
| 3687 | 3715 | ||
| 3688 | init_reg_state(regs); | 3716 | init_reg_state(env, regs); |
| 3689 | state->parent = NULL; | 3717 | state->parent = NULL; |
| 3690 | insn_idx = 0; | 3718 | insn_idx = 0; |
| 3691 | for (;;) { | 3719 | for (;;) { |
| @@ -3694,7 +3722,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3694 | int err; | 3722 | int err; |
| 3695 | 3723 | ||
| 3696 | if (insn_idx >= insn_cnt) { | 3724 | if (insn_idx >= insn_cnt) { |
| 3697 | verbose("invalid insn idx %d insn_cnt %d\n", | 3725 | verbose(env, "invalid insn idx %d insn_cnt %d\n", |
| 3698 | insn_idx, insn_cnt); | 3726 | insn_idx, insn_cnt); |
| 3699 | return -EFAULT; | 3727 | return -EFAULT; |
| 3700 | } | 3728 | } |
| @@ -3703,7 +3731,8 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3703 | class = BPF_CLASS(insn->code); | 3731 | class = BPF_CLASS(insn->code); |
| 3704 | 3732 | ||
| 3705 | if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { | 3733 | if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { |
| 3706 | verbose("BPF program is too large. Processed %d insn\n", | 3734 | verbose(env, |
| 3735 | "BPF program is too large. Processed %d insn\n", | ||
| 3707 | insn_processed); | 3736 | insn_processed); |
| 3708 | return -E2BIG; | 3737 | return -E2BIG; |
| 3709 | } | 3738 | } |
| @@ -3713,12 +3742,12 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3713 | return err; | 3742 | return err; |
| 3714 | if (err == 1) { | 3743 | if (err == 1) { |
| 3715 | /* found equivalent state, can prune the search */ | 3744 | /* found equivalent state, can prune the search */ |
| 3716 | if (verifier_log.level) { | 3745 | if (env->log.level) { |
| 3717 | if (do_print_state) | 3746 | if (do_print_state) |
| 3718 | verbose("\nfrom %d to %d: safe\n", | 3747 | verbose(env, "\nfrom %d to %d: safe\n", |
| 3719 | prev_insn_idx, insn_idx); | 3748 | prev_insn_idx, insn_idx); |
| 3720 | else | 3749 | else |
| 3721 | verbose("%d: safe\n", insn_idx); | 3750 | verbose(env, "%d: safe\n", insn_idx); |
| 3722 | } | 3751 | } |
| 3723 | goto process_bpf_exit; | 3752 | goto process_bpf_exit; |
| 3724 | } | 3753 | } |
| @@ -3726,19 +3755,18 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3726 | if (need_resched()) | 3755 | if (need_resched()) |
| 3727 | cond_resched(); | 3756 | cond_resched(); |
| 3728 | 3757 | ||
| 3729 | if (verifier_log.level > 1 || | 3758 | if (env->log.level > 1 || (env->log.level && do_print_state)) { |
| 3730 | (verifier_log.level && do_print_state)) { | 3759 | if (env->log.level > 1) |
| 3731 | if (verifier_log.level > 1) | 3760 | verbose(env, "%d:", insn_idx); |
| 3732 | verbose("%d:", insn_idx); | ||
| 3733 | else | 3761 | else |
| 3734 | verbose("\nfrom %d to %d:", | 3762 | verbose(env, "\nfrom %d to %d:", |
| 3735 | prev_insn_idx, insn_idx); | 3763 | prev_insn_idx, insn_idx); |
| 3736 | print_verifier_state(&env->cur_state); | 3764 | print_verifier_state(env, &env->cur_state); |
| 3737 | do_print_state = false; | 3765 | do_print_state = false; |
| 3738 | } | 3766 | } |
| 3739 | 3767 | ||
| 3740 | if (verifier_log.level) { | 3768 | if (env->log.level) { |
| 3741 | verbose("%d: ", insn_idx); | 3769 | verbose(env, "%d: ", insn_idx); |
| 3742 | print_bpf_insn(env, insn); | 3770 | print_bpf_insn(env, insn); |
| 3743 | } | 3771 | } |
| 3744 | 3772 | ||
| @@ -3795,7 +3823,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3795 | * src_reg == stack|map in some other branch. | 3823 | * src_reg == stack|map in some other branch. |
| 3796 | * Reject it. | 3824 | * Reject it. |
| 3797 | */ | 3825 | */ |
| 3798 | verbose("same insn cannot be used with different pointers\n"); | 3826 | verbose(env, "same insn cannot be used with different pointers\n"); |
| 3799 | return -EINVAL; | 3827 | return -EINVAL; |
| 3800 | } | 3828 | } |
| 3801 | 3829 | ||
| @@ -3835,14 +3863,14 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3835 | } else if (dst_reg_type != *prev_dst_type && | 3863 | } else if (dst_reg_type != *prev_dst_type && |
| 3836 | (dst_reg_type == PTR_TO_CTX || | 3864 | (dst_reg_type == PTR_TO_CTX || |
| 3837 | *prev_dst_type == PTR_TO_CTX)) { | 3865 | *prev_dst_type == PTR_TO_CTX)) { |
| 3838 | verbose("same insn cannot be used with different pointers\n"); | 3866 | verbose(env, "same insn cannot be used with different pointers\n"); |
| 3839 | return -EINVAL; | 3867 | return -EINVAL; |
| 3840 | } | 3868 | } |
| 3841 | 3869 | ||
| 3842 | } else if (class == BPF_ST) { | 3870 | } else if (class == BPF_ST) { |
| 3843 | if (BPF_MODE(insn->code) != BPF_MEM || | 3871 | if (BPF_MODE(insn->code) != BPF_MEM || |
| 3844 | insn->src_reg != BPF_REG_0) { | 3872 | insn->src_reg != BPF_REG_0) { |
| 3845 | verbose("BPF_ST uses reserved fields\n"); | 3873 | verbose(env, "BPF_ST uses reserved fields\n"); |
| 3846 | return -EINVAL; | 3874 | return -EINVAL; |
| 3847 | } | 3875 | } |
| 3848 | /* check src operand */ | 3876 | /* check src operand */ |
| @@ -3865,7 +3893,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3865 | insn->off != 0 || | 3893 | insn->off != 0 || |
| 3866 | insn->src_reg != BPF_REG_0 || | 3894 | insn->src_reg != BPF_REG_0 || |
| 3867 | insn->dst_reg != BPF_REG_0) { | 3895 | insn->dst_reg != BPF_REG_0) { |
| 3868 | verbose("BPF_CALL uses reserved fields\n"); | 3896 | verbose(env, "BPF_CALL uses reserved fields\n"); |
| 3869 | return -EINVAL; | 3897 | return -EINVAL; |
| 3870 | } | 3898 | } |
| 3871 | 3899 | ||
| @@ -3878,7 +3906,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3878 | insn->imm != 0 || | 3906 | insn->imm != 0 || |
| 3879 | insn->src_reg != BPF_REG_0 || | 3907 | insn->src_reg != BPF_REG_0 || |
| 3880 | insn->dst_reg != BPF_REG_0) { | 3908 | insn->dst_reg != BPF_REG_0) { |
| 3881 | verbose("BPF_JA uses reserved fields\n"); | 3909 | verbose(env, "BPF_JA uses reserved fields\n"); |
| 3882 | return -EINVAL; | 3910 | return -EINVAL; |
| 3883 | } | 3911 | } |
| 3884 | 3912 | ||
| @@ -3890,7 +3918,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3890 | insn->imm != 0 || | 3918 | insn->imm != 0 || |
| 3891 | insn->src_reg != BPF_REG_0 || | 3919 | insn->src_reg != BPF_REG_0 || |
| 3892 | insn->dst_reg != BPF_REG_0) { | 3920 | insn->dst_reg != BPF_REG_0) { |
| 3893 | verbose("BPF_EXIT uses reserved fields\n"); | 3921 | verbose(env, "BPF_EXIT uses reserved fields\n"); |
| 3894 | return -EINVAL; | 3922 | return -EINVAL; |
| 3895 | } | 3923 | } |
| 3896 | 3924 | ||
| @@ -3905,7 +3933,7 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 3905 | return err; | 3933 | return err; |
| 3906 | 3934 | ||
| 3907 | if (is_pointer_value(env, BPF_REG_0)) { | 3935 | if (is_pointer_value(env, BPF_REG_0)) { |
| 3908 | verbose("R0 leaks addr as return value\n"); | 3936 | verbose(env, "R0 leaks addr as return value\n"); |
| 3909 | return -EACCES; | 3937 | return -EACCES; |
| 3910 | } | 3938 | } |
| 3911 | 3939 | ||
| @@ -3940,19 +3968,19 @@ process_bpf_exit: | |||
| 3940 | 3968 | ||
| 3941 | insn_idx++; | 3969 | insn_idx++; |
| 3942 | } else { | 3970 | } else { |
| 3943 | verbose("invalid BPF_LD mode\n"); | 3971 | verbose(env, "invalid BPF_LD mode\n"); |
| 3944 | return -EINVAL; | 3972 | return -EINVAL; |
| 3945 | } | 3973 | } |
| 3946 | } else { | 3974 | } else { |
| 3947 | verbose("unknown insn class %d\n", class); | 3975 | verbose(env, "unknown insn class %d\n", class); |
| 3948 | return -EINVAL; | 3976 | return -EINVAL; |
| 3949 | } | 3977 | } |
| 3950 | 3978 | ||
| 3951 | insn_idx++; | 3979 | insn_idx++; |
| 3952 | } | 3980 | } |
| 3953 | 3981 | ||
| 3954 | verbose("processed %d insns, stack depth %d\n", | 3982 | verbose(env, "processed %d insns, stack depth %d\n", insn_processed, |
| 3955 | insn_processed, env->prog->aux->stack_depth); | 3983 | env->prog->aux->stack_depth); |
| 3956 | return 0; | 3984 | return 0; |
| 3957 | } | 3985 | } |
| 3958 | 3986 | ||
| @@ -3964,7 +3992,8 @@ static int check_map_prealloc(struct bpf_map *map) | |||
| 3964 | !(map->map_flags & BPF_F_NO_PREALLOC); | 3992 | !(map->map_flags & BPF_F_NO_PREALLOC); |
| 3965 | } | 3993 | } |
| 3966 | 3994 | ||
| 3967 | static int check_map_prog_compatibility(struct bpf_map *map, | 3995 | static int check_map_prog_compatibility(struct bpf_verifier_env *env, |
| 3996 | struct bpf_map *map, | ||
| 3968 | struct bpf_prog *prog) | 3997 | struct bpf_prog *prog) |
| 3969 | 3998 | ||
| 3970 | { | 3999 | { |
| @@ -3975,12 +4004,12 @@ static int check_map_prog_compatibility(struct bpf_map *map, | |||
| 3975 | */ | 4004 | */ |
| 3976 | if (prog->type == BPF_PROG_TYPE_PERF_EVENT) { | 4005 | if (prog->type == BPF_PROG_TYPE_PERF_EVENT) { |
| 3977 | if (!check_map_prealloc(map)) { | 4006 | if (!check_map_prealloc(map)) { |
| 3978 | verbose("perf_event programs can only use preallocated hash map\n"); | 4007 | verbose(env, "perf_event programs can only use preallocated hash map\n"); |
| 3979 | return -EINVAL; | 4008 | return -EINVAL; |
| 3980 | } | 4009 | } |
| 3981 | if (map->inner_map_meta && | 4010 | if (map->inner_map_meta && |
| 3982 | !check_map_prealloc(map->inner_map_meta)) { | 4011 | !check_map_prealloc(map->inner_map_meta)) { |
| 3983 | verbose("perf_event programs can only use preallocated inner hash map\n"); | 4012 | verbose(env, "perf_event programs can only use preallocated inner hash map\n"); |
| 3984 | return -EINVAL; | 4013 | return -EINVAL; |
| 3985 | } | 4014 | } |
| 3986 | } | 4015 | } |
| @@ -4003,14 +4032,14 @@ static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) | |||
| 4003 | for (i = 0; i < insn_cnt; i++, insn++) { | 4032 | for (i = 0; i < insn_cnt; i++, insn++) { |
| 4004 | if (BPF_CLASS(insn->code) == BPF_LDX && | 4033 | if (BPF_CLASS(insn->code) == BPF_LDX && |
| 4005 | (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { | 4034 | (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { |
| 4006 | verbose("BPF_LDX uses reserved fields\n"); | 4035 | verbose(env, "BPF_LDX uses reserved fields\n"); |
| 4007 | return -EINVAL; | 4036 | return -EINVAL; |
| 4008 | } | 4037 | } |
| 4009 | 4038 | ||
| 4010 | if (BPF_CLASS(insn->code) == BPF_STX && | 4039 | if (BPF_CLASS(insn->code) == BPF_STX && |
| 4011 | ((BPF_MODE(insn->code) != BPF_MEM && | 4040 | ((BPF_MODE(insn->code) != BPF_MEM && |
| 4012 | BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { | 4041 | BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { |
| 4013 | verbose("BPF_STX uses reserved fields\n"); | 4042 | verbose(env, "BPF_STX uses reserved fields\n"); |
| 4014 | return -EINVAL; | 4043 | return -EINVAL; |
| 4015 | } | 4044 | } |
| 4016 | 4045 | ||
| @@ -4021,7 +4050,7 @@ static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) | |||
| 4021 | if (i == insn_cnt - 1 || insn[1].code != 0 || | 4050 | if (i == insn_cnt - 1 || insn[1].code != 0 || |
| 4022 | insn[1].dst_reg != 0 || insn[1].src_reg != 0 || | 4051 | insn[1].dst_reg != 0 || insn[1].src_reg != 0 || |
| 4023 | insn[1].off != 0) { | 4052 | insn[1].off != 0) { |
| 4024 | verbose("invalid bpf_ld_imm64 insn\n"); | 4053 | verbose(env, "invalid bpf_ld_imm64 insn\n"); |
| 4025 | return -EINVAL; | 4054 | return -EINVAL; |
| 4026 | } | 4055 | } |
| 4027 | 4056 | ||
| @@ -4030,19 +4059,20 @@ static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) | |||
| 4030 | goto next_insn; | 4059 | goto next_insn; |
| 4031 | 4060 | ||
| 4032 | if (insn->src_reg != BPF_PSEUDO_MAP_FD) { | 4061 | if (insn->src_reg != BPF_PSEUDO_MAP_FD) { |
| 4033 | verbose("unrecognized bpf_ld_imm64 insn\n"); | 4062 | verbose(env, |
| 4063 | "unrecognized bpf_ld_imm64 insn\n"); | ||
| 4034 | return -EINVAL; | 4064 | return -EINVAL; |
| 4035 | } | 4065 | } |
| 4036 | 4066 | ||
| 4037 | f = fdget(insn->imm); | 4067 | f = fdget(insn->imm); |
| 4038 | map = __bpf_map_get(f); | 4068 | map = __bpf_map_get(f); |
| 4039 | if (IS_ERR(map)) { | 4069 | if (IS_ERR(map)) { |
| 4040 | verbose("fd %d is not pointing to valid bpf_map\n", | 4070 | verbose(env, "fd %d is not pointing to valid bpf_map\n", |
| 4041 | insn->imm); | 4071 | insn->imm); |
| 4042 | return PTR_ERR(map); | 4072 | return PTR_ERR(map); |
| 4043 | } | 4073 | } |
| 4044 | 4074 | ||
| 4045 | err = check_map_prog_compatibility(map, env->prog); | 4075 | err = check_map_prog_compatibility(env, map, env->prog); |
| 4046 | if (err) { | 4076 | if (err) { |
| 4047 | fdput(f); | 4077 | fdput(f); |
| 4048 | return err; | 4078 | return err; |
| @@ -4164,7 +4194,7 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) | |||
| 4164 | cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, | 4194 | cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, |
| 4165 | env->prog); | 4195 | env->prog); |
| 4166 | if (cnt >= ARRAY_SIZE(insn_buf)) { | 4196 | if (cnt >= ARRAY_SIZE(insn_buf)) { |
| 4167 | verbose("bpf verifier is misconfigured\n"); | 4197 | verbose(env, "bpf verifier is misconfigured\n"); |
| 4168 | return -EINVAL; | 4198 | return -EINVAL; |
| 4169 | } else if (cnt) { | 4199 | } else if (cnt) { |
| 4170 | new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); | 4200 | new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); |
| @@ -4212,7 +4242,7 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) | |||
| 4212 | u8 size_code; | 4242 | u8 size_code; |
| 4213 | 4243 | ||
| 4214 | if (type == BPF_WRITE) { | 4244 | if (type == BPF_WRITE) { |
| 4215 | verbose("bpf verifier narrow ctx access misconfigured\n"); | 4245 | verbose(env, "bpf verifier narrow ctx access misconfigured\n"); |
| 4216 | return -EINVAL; | 4246 | return -EINVAL; |
| 4217 | } | 4247 | } |
| 4218 | 4248 | ||
| @@ -4231,7 +4261,7 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) | |||
| 4231 | &target_size); | 4261 | &target_size); |
| 4232 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) || | 4262 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) || |
| 4233 | (ctx_field_size && !target_size)) { | 4263 | (ctx_field_size && !target_size)) { |
| 4234 | verbose("bpf verifier is misconfigured\n"); | 4264 | verbose(env, "bpf verifier is misconfigured\n"); |
| 4235 | return -EINVAL; | 4265 | return -EINVAL; |
| 4236 | } | 4266 | } |
| 4237 | 4267 | ||
| @@ -4313,7 +4343,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) | |||
| 4313 | 4343 | ||
| 4314 | cnt = map_ptr->ops->map_gen_lookup(map_ptr, insn_buf); | 4344 | cnt = map_ptr->ops->map_gen_lookup(map_ptr, insn_buf); |
| 4315 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { | 4345 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { |
| 4316 | verbose("bpf verifier is misconfigured\n"); | 4346 | verbose(env, "bpf verifier is misconfigured\n"); |
| 4317 | return -EINVAL; | 4347 | return -EINVAL; |
| 4318 | } | 4348 | } |
| 4319 | 4349 | ||
| @@ -4357,7 +4387,8 @@ patch_call_imm: | |||
| 4357 | * programs to call them, must be real in-kernel functions | 4387 | * programs to call them, must be real in-kernel functions |
| 4358 | */ | 4388 | */ |
| 4359 | if (!fn->func) { | 4389 | if (!fn->func) { |
| 4360 | verbose("kernel subsystem misconfigured func %s#%d\n", | 4390 | verbose(env, |
| 4391 | "kernel subsystem misconfigured func %s#%d\n", | ||
| 4361 | func_id_name(insn->imm), insn->imm); | 4392 | func_id_name(insn->imm), insn->imm); |
| 4362 | return -EFAULT; | 4393 | return -EFAULT; |
| 4363 | } | 4394 | } |
| @@ -4391,8 +4422,8 @@ static void free_states(struct bpf_verifier_env *env) | |||
| 4391 | 4422 | ||
| 4392 | int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) | 4423 | int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) |
| 4393 | { | 4424 | { |
| 4394 | struct bpf_verifer_log *log = &verifier_log; | ||
| 4395 | struct bpf_verifier_env *env; | 4425 | struct bpf_verifier_env *env; |
| 4426 | struct bpf_verifer_log *log; | ||
| 4396 | int ret = -EINVAL; | 4427 | int ret = -EINVAL; |
| 4397 | 4428 | ||
| 4398 | /* 'struct bpf_verifier_env' can be global, but since it's not small, | 4429 | /* 'struct bpf_verifier_env' can be global, but since it's not small, |
| @@ -4401,6 +4432,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) | |||
| 4401 | env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); | 4432 | env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
| 4402 | if (!env) | 4433 | if (!env) |
| 4403 | return -ENOMEM; | 4434 | return -ENOMEM; |
| 4435 | log = &env->log; | ||
| 4404 | 4436 | ||
| 4405 | env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * | 4437 | env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * |
| 4406 | (*prog)->len); | 4438 | (*prog)->len); |
| @@ -4419,7 +4451,6 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) | |||
| 4419 | log->level = attr->log_level; | 4451 | log->level = attr->log_level; |
| 4420 | log->ubuf = (char __user *) (unsigned long) attr->log_buf; | 4452 | log->ubuf = (char __user *) (unsigned long) attr->log_buf; |
| 4421 | log->len_total = attr->log_size; | 4453 | log->len_total = attr->log_size; |
| 4422 | log->len_used = 0; | ||
| 4423 | 4454 | ||
| 4424 | ret = -EINVAL; | 4455 | ret = -EINVAL; |
| 4425 | /* log attributes have to be sane */ | 4456 | /* log attributes have to be sane */ |
| @@ -4431,8 +4462,6 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) | |||
| 4431 | log->kbuf = vmalloc(log->len_total); | 4462 | log->kbuf = vmalloc(log->len_total); |
| 4432 | if (!log->kbuf) | 4463 | if (!log->kbuf) |
| 4433 | goto err_unlock; | 4464 | goto err_unlock; |
| 4434 | } else { | ||
| 4435 | log->level = 0; | ||
| 4436 | } | 4465 | } |
| 4437 | 4466 | ||
| 4438 | env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT); | 4467 | env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT); |
| @@ -4543,8 +4572,6 @@ int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops, | |||
| 4543 | /* grab the mutex to protect few globals used by verifier */ | 4572 | /* grab the mutex to protect few globals used by verifier */ |
| 4544 | mutex_lock(&bpf_verifier_lock); | 4573 | mutex_lock(&bpf_verifier_lock); |
| 4545 | 4574 | ||
| 4546 | verifier_log.level = 0; | ||
| 4547 | |||
| 4548 | env->strict_alignment = false; | 4575 | env->strict_alignment = false; |
| 4549 | if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) | 4576 | if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) |
| 4550 | env->strict_alignment = true; | 4577 | env->strict_alignment = true; |