mbox series

[bpf-next,v3,0/3] bpf: Detect jumping to reserved code of ld_imm64

Message ID 20231011-jmp-into-reserved-fields-v3-0-97d2aa979788@gmail.com (mailing list archive)
Headers show
Series bpf: Detect jumping to reserved code of ld_imm64 | expand

Message

Hao Sun Oct. 11, 2023, 9 a.m. UTC
Currently, the verifier rejects a program jumping to reserved code with
the log "invalid BPF_LD_IMM" in check_ld_imm(), which in not accurate,
because the program does not contain any invalid insns. The root cause
is that the verifier does not detect such jump, thus the reserved code
is passed to check_ld_imm().

The first patch makes the verifier detect jump to reserved code during
check_cfg(). Because jump to reserved code is just like jump out bound,
both break the CFG integrity immediately. The second makes the verifier
report internal error if it sees an invlid ld_imm64 in check_ld_imm(),
because we already have bpf_opcode_in_insntable() to check the validity
of insn code. The third patch adapts existing tests to make them pass,
and add a new case to test backward jump to reserved code.

Signed-off-by: Hao Sun <sunhao.th@gmail.com>

---
Changes in v3:
- Separate changes to different commits, change verifier log
- Link to v2: https://lore.kernel.org/r/20231010-jmp-into-reserved-fields-v2-1-3dd5a94d1e21@gmail.com

Changes in v2:
- Adjust existing test cases
- Link to v1: https://lore.kernel.org/bpf/20231009-jmp-into-reserved-fields-v1-1-d8006e2ac1f6@gmail.com/

---
Hao Sun (3):
      bpf: Detect jumping to reserved code during check_cfg()
      bpf: Report internal error on incorrect ld_imm64 in check_ld_imm()
      bpf: Adapt and add tests for detecting jump to reserved code

 kernel/bpf/verifier.c                           | 11 +++++++++--
 tools/testing/selftests/bpf/verifier/ld_imm64.c | 16 ++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)
---
base-commit: 3157b7ce14bbf468b0ca8613322a05c37b5ae25d
change-id: 20231009-jmp-into-reserved-fields-fc1a98a8e7dc

Best regards,