From patchwork Wed Nov 1 12:33:51 2023
X-Patchwork-Submitter: Hao Sun
X-Patchwork-Id: 13442805
X-Patchwork-Delegate: bpf@iogearbox.net
From: Hao Sun
Date: Wed, 01 Nov 2023 13:33:51 +0100
Subject: [PATCH bpf v3 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm
X-Mailing-List: bpf@vger.kernel.org
Message-Id: <20231101-fix-check-stack-write-v3-1-f05c2b1473d5@gmail.com>
In-Reply-To: <20231101-fix-check-stack-write-v3-0-f05c2b1473d5@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko, Shuah Khan, Eduard Zingerman, Shung-Hsi Yu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Hao Sun, stable@vger.kernel.org

In check_stack_write_fixed_off(), imm value is cast to u32 before being
spilled to the stack. Therefore, the sign information is lost, and the
range information is incorrect when loaded from the stack again.
For the following prog:

  0: r2 = r10
  1: *(u64*)(r2 -40) = -44
  2: r0 = *(u64*)(r2 - 40)
  3: if r0 s<= 0xa goto +2
  4: r0 = 1
  5: exit
  6: r0 = 0
  7: exit

The verifier gives:

  func#0 @0
  0: R1=ctx(off=0,imm=0) R10=fp0
  0: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
  1: (7a) *(u64 *)(r2 -40) = -44 ; R2_w=fp0 fp-40_w=4294967252
  2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0 fp-40_w=4294967252
  3: (c5) if r0 s< 0xa goto pc+2
  mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
  3: R0_w=4294967252
  4: (b7) r0 = 1 ; R0_w=1
  5: (95) exit
  verification time 7971 usec
  stack depth 40
  processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

So remove the incorrect cast, since the imm field is declared as s32,
and __mark_reg_known() takes u64, so imm would be correctly sign
extended by the compiler.

Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
Cc: stable@vger.kernel.org
Signed-off-by: Hao Sun
Acked-by: Shung-Hsi Yu
Acked-by: Eduard Zingerman
---
 kernel/bpf/verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 857d76694517..44af69ce1301 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4674,7 +4674,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, insn->imm != 0 && env->bpf_capable) { struct bpf_reg_state fake_reg = {}; - __mark_reg_known(&fake_reg, (u32)insn->imm); + __mark_reg_known(&fake_reg, insn->imm); fake_reg.type = SCALAR_VALUE; save_register_state(state, spi, &fake_reg, size); } else if (reg && is_spillable_regtype(reg->type)) {
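Review bot: the corrected call now depends on an implicit s32-to-u64 conversion and nothing at the call site says so; a later reader who sees `__mark_reg_known(&fake_reg, insn->imm);` hand an s32 to a u64 parameter may "fix" it by reintroducing the (u32) cast. Suggest a one-line comment above the call, e.g. `/* imm is s32: let it sign-extend into the u64 known value */`, so the reasoning in the commit message also lives in the code. The change itself is right: converting s32 to u64 is value-preserving modulo 2^64, which is a sign extension, whereas the removed cast truncated to u32 first and then zero-extended, producing the 4294967252 seen in the verifier log.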
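As an added illustration (not part of this patch or of the kernel source), a small C model of the spill this patch fixes: mark_reg_known() stands in for __mark_reg_known() with its u64 parameter, the two spill functions differ only in the (u32) cast the hunk removes, and jslt_decision() mimics how the verifier resolves "if r0 s< k" from the signed bounds. struct mini_reg and all three function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Subset of bpf_reg_state that __mark_reg_known() fills for a constant:
 * the value plus signed and unsigned bounds (all equal for a constant). */
struct mini_reg {
	uint64_t value, umin, umax;
	int64_t smin, smax;
};

/* Stand-in for __mark_reg_known(): the parameter is u64, so the caller's
 * conversion decides whether the sign of a negative imm survives. */
static struct mini_reg mark_reg_known(uint64_t imm)
{
	struct mini_reg r = { imm, imm, imm, (int64_t)imm, (int64_t)imm };
	return r;
}

/* Pre-patch spill: s32 -> u32 -> u64 zero-extends, so -44 becomes 4294967252. */
static struct mini_reg spill_imm_buggy(int32_t imm)
{
	return mark_reg_known((uint32_t)imm);
}

/* Patched spill: s32 -> u64 converts modulo 2^64 (a sign extension), so -44 stays -44. */
static struct mini_reg spill_imm_fixed(int32_t imm)
{
	return mark_reg_known(imm);
}

/* Outcome of "if r0 s< k" from the signed bounds, the way the verifier
 * prunes it: 1 = always taken, 0 = never taken, -1 = both possible. */
static int jslt_decision(struct mini_reg r, int64_t k)
{
	if (r.smax < k)
		return 1;
	if (r.smin >= k)
		return 0;
	return -1;
}

int main(void)
{
	struct mini_reg b = spill_imm_buggy(-44), f = spill_imm_fixed(-44);
	/* Same numbers as the verifier log in the commit message: 4294967252 vs -44 */
	printf("buggy: fp=%llu s< 0xa taken=%d\n", (unsigned long long)b.value, jslt_decision(b, 0xa));
	printf("fixed: fp=%lld s< 0xa taken=%d\n", (long long)f.smin, jslt_decision(f, 0xa));
	return 0;
}
```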
From: Hao Sun
Date: Wed, 01 Nov 2023 13:33:52 +0100
Subject: [PATCH bpf v3 2/2] selftests/bpf: Add test for immediate spilled to stack
X-Mailing-List: bpf@vger.kernel.org
Message-Id: <20231101-fix-check-stack-write-v3-2-f05c2b1473d5@gmail.com>
In-Reply-To: <20231101-fix-check-stack-write-v3-0-f05c2b1473d5@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko, Shuah Khan, Eduard Zingerman, Shung-Hsi Yu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Hao Sun

Add a test to check if the verifier correctly reasons about the sign of
an immediate spilled to stack by BPF_ST instruction.

Signed-off-by: Hao Sun
---
 tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 +++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
index 3af2501082b2..b616575c3b00 100644
--- a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
+++ b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
@@ -65,3 +65,35 @@ .expected_attach_type = BPF_SK_LOOKUP, .runs = -1, }, +{ + "BPF_ST_MEM stack imm sign", + /* Check if verifier correctly reasons about sign of an + * immediate spilled to stack by BPF_ST instruction. + * + * fp[-8] = -44; + * r0 = fp[-8]; + * if r0 s< 0 goto ret0; + * r0 = -1; + * exit; + * ret0: + * r0 = 0; + * exit; + */ + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, -44), + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), + BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2), + BPF_MOV64_IMM(BPF_REG_0, -1), + BPF_EXIT_INSN(), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + /* Use prog type that requires return value in range [0, 1] */ + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, + .expected_attach_type = BPF_SK_LOOKUP, + .result = VERBOSE_ACCEPT, + .runs = -1, + .errstr = "0: (7a) *(u64 *)(r10 -8) = -44 ; R10=fp0 fp-8_w=-44\ + 2: (c5) if r0 s< 0x0 goto pc+2\ + R0_w=-44", +},
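Review bot: the comment block in the new test describes the program but not what separates pass from fail, so a reader has to reconstruct it from patch 1/2. Suggest a sentence there stating that without the verifier fix fp-8 is tracked as 4294967252, the `if r0 s< 0 goto ret0` branch is never taken, and the program reaches `r0 = -1; exit`, which the SK_LOOKUP return-value check in [0, 1] rejects; that makes clear that `.result = VERBOSE_ACCEPT` catches the regression on its own and that the `.errstr` lines (`fp-8_w=-44`, `R0_w=-44`) additionally pin the tracked value. The commit message could carry the same one-line explanation of why this test fails without 1/2.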