From patchwork Mon Jan 8 13:28:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13513474 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3BA6145946 for ; Mon, 8 Jan 2024 13:28:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ccOaIgJc" Received: by mail-lj1-f169.google.com with SMTP id 38308e7fff4ca-2ccbded5aa4so19644361fa.1 for ; Mon, 08 Jan 2024 05:28:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704720515; x=1705325315; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=40cXEfsT3AQZRZjpinyQmxm4bk5f/1kPx03yy0k5fSs=; b=ccOaIgJckE6PvI+rAsIA0JK8wZ+e4Ao+RdnKK9k+a9QYjwNZO3NoD95keLnthXgjKZ Bt59gUYwieiz3ZiUpLc1AXd+HEeNjcrFGxupGBYxYkIyVeM6eylhuiDIcSRfKckkip+D TGhLAKGqBemKCFzFrFSbWHDJeJVDiaks91frWhScu9E3bwwB57iRLOP3RT293GsPG8Sr XZKrt6fXMhvdjgjApqFZ3mwlOtK1727dZ897MA8DPF2/CsX7fXTPahyDZOwUlFoQb2Lx +p2mgVSeXtxNIASqZNOxpZNXGorUJiQfj7I517OTOPddanYSTqA+q9NqlZm1VIhkkyTo 5Lmg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704720515; x=1705325315; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=40cXEfsT3AQZRZjpinyQmxm4bk5f/1kPx03yy0k5fSs=; b=DzanLJFocWmd2l3wEydzbh4IaXhMFA1FLZvuQ2+2P1nBlFWnGQFL8gqhvji7fvH35Q /8O1CV2x3djv3p8dtFQvg9k5PSMvgF5P9USTa2kZX2VhH74xaeFT03Ox6TcKRkcIBYOu riyc3eIQXZ1BOz/y+yzCh3ynyyKT2cLkP8NUH8OuPGziFWo0jH5YoiE2nf1GBZeJn/V6 0xvBMgkekQbIxMikTsEbk4qUA34J4ya5yi4hysVlFOpKYtXl2Txn+HpksLo4je1UKlDt OQfB0e2CO99tvOAD0KPFHwnWppV8B1kzA/BEagxHV5oYzUvfIm8/BfSYomgi6JXFcGOe F5gA== X-Gm-Message-State: AOJu0YzKTBJH/fGoxfJqTq2UwBoybVu0PEbj1Yp/h7L56DZJ3X1G4wIe 2+D7b2gPqHaDDz8wtbzfnc7Br4zDou8= X-Google-Smtp-Source: AGHT+IEkejAEIFcD4bD2WxXUfgo1CKUvQgGfGRJavVHXZqlx2TDzNmusE31cBIauJItMfVJ29NwbDQ== X-Received: by 2002:a2e:a37a:0:b0:2cc:e85b:7075 with SMTP id i26-20020a2ea37a000000b002cce85b7075mr1669306ljn.4.1704720514646; Mon, 08 Jan 2024 05:28:34 -0800 (PST) Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id z3-20020a2ebe03000000b002cd3e2fc054sm1171458ljq.57.2024.01.08.05.28.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 05:28:34 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, zenczykowski@gmail.com, Eduard Zingerman , Andrii Nakryiko Subject: [PATCH bpf-next 1/3] bpf: simplify try_match_pkt_pointers() Date: Mon, 8 Jan 2024 15:28:00 +0200 Message-ID: <20240108132802.6103-2-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240108132802.6103-1-eddyz87@gmail.com> References: <20240108132802.6103-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net Reduce number of cases handled in try_match_pkt_pointers() to or by flipping opcode. Suggested-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman --- kernel/bpf/verifier.c | 104 ++++++++++-------------------------------- 1 file changed, 24 insertions(+), 80 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index adbf330d364b..918e6a7912e2 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -14677,6 +14677,9 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, struct bpf_verifier_state *this_branch, struct bpf_verifier_state *other_branch) { + int opcode = BPF_OP(insn->code); + int dst_regno = insn->dst_reg; + if (BPF_SRC(insn->code) != BPF_X) return false; @@ -14684,90 +14687,31 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, if (BPF_CLASS(insn->code) == BPF_JMP32) return false; - switch (BPF_OP(insn->code)) { + if (dst_reg->type == PTR_TO_PACKET_END || + src_reg->type == PTR_TO_PACKET_META) { + swap(src_reg, dst_reg); + dst_regno = insn->src_reg; + opcode = flip_opcode(opcode); + } + + if ((dst_reg->type != PTR_TO_PACKET || + src_reg->type != PTR_TO_PACKET_END) && + (dst_reg->type != PTR_TO_PACKET_META || + !reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) + return false; + + switch (opcode) { case BPF_JGT: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || - (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { - /* pkt_data' > pkt_end, pkt_meta' > pkt_data */ - find_good_pkt_pointers(this_branch, dst_reg, - dst_reg->type, false); - mark_pkt_end(other_branch, insn->dst_reg, true); - } else if ((dst_reg->type == PTR_TO_PACKET_END && - src_reg->type == PTR_TO_PACKET) || - (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { - /* pkt_end > pkt_data', pkt_data > pkt_meta' */ - find_good_pkt_pointers(other_branch, src_reg, - src_reg->type, true); - mark_pkt_end(this_branch, insn->src_reg, false); - } else { - return false; - } - break; - case BPF_JLT: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || - (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { - /* pkt_data' < pkt_end, pkt_meta' < pkt_data */ - find_good_pkt_pointers(other_branch, dst_reg, - dst_reg->type, true); - mark_pkt_end(this_branch, insn->dst_reg, false); - } else if ((dst_reg->type == PTR_TO_PACKET_END && - src_reg->type == PTR_TO_PACKET) || - (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { - /* pkt_end < pkt_data', pkt_data > pkt_meta' */ - find_good_pkt_pointers(this_branch, src_reg, - src_reg->type, false); - mark_pkt_end(other_branch, insn->src_reg, true); - } else { - return false; - } - break; case BPF_JGE: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || - (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { - /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */ - find_good_pkt_pointers(this_branch, dst_reg, - dst_reg->type, true); - mark_pkt_end(other_branch, insn->dst_reg, false); - } else if ((dst_reg->type == PTR_TO_PACKET_END && - src_reg->type == PTR_TO_PACKET) || - (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { - /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */ - find_good_pkt_pointers(other_branch, src_reg, - src_reg->type, false); - mark_pkt_end(this_branch, insn->src_reg, true); - } else { - return false; - } + /* pkt_data >/>= pkt_end, pkt_meta >/>= pkt_data */ + find_good_pkt_pointers(this_branch, dst_reg, dst_reg->type, opcode == BPF_JGE); + mark_pkt_end(other_branch, dst_regno, opcode == BPF_JGT); break; + case BPF_JLT: case BPF_JLE: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || - (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { - /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */ - find_good_pkt_pointers(other_branch, dst_reg, - dst_reg->type, false); - mark_pkt_end(this_branch, insn->dst_reg, true); - } else if ((dst_reg->type == PTR_TO_PACKET_END && - src_reg->type == PTR_TO_PACKET) || - (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { - /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */ - find_good_pkt_pointers(this_branch, src_reg, - src_reg->type, true); - mark_pkt_end(other_branch, insn->src_reg, false); - } else { - return false; - } + /* pkt_data type, opcode == BPF_JLT); + mark_pkt_end(this_branch, dst_regno, opcode == BPF_JLE); break; default: return false; From patchwork Mon Jan 8 13:28:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13513475 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63AB94438E for ; Mon, 8 Jan 2024 13:28:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Aw+FdnZs" Received: by mail-lj1-f179.google.com with SMTP id 38308e7fff4ca-2cd33336b32so22536391fa.0 for ; Mon, 08 Jan 2024 05:28:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704720516; x=1705325316; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=svOhLEBQw6ySn+JyuvVFhHT4ff1lI5RHm+bZAAT+5+M=; b=Aw+FdnZsna9+eBjktc7BDolowIVVyVA6bjn7CC5x2GlTxq9ipQqeVbcp34+Fhxrd93 WDiwpqe9BThQVdCqumnhAtAQzztNJhwdtPi3mSdHROmSwvhCB9lJiavGsjuArIXSUsWK ApGGemDtNRo7ZruUYFKgMYroxMoUBiFArdWjOCHHD+Rp+TG3x26OGQ3UsPrln6KFLh/k Nj52E1zDeuuzM1MbXeRtID//7zMHAckm0Qb9gCN95HLoyE0z5oOR1vOHq1XqZeZFHjNe R3MKvyohQRJ5mk3Ax/XTsnh0PbSj2qmXE9aYGBcmcgvjWvNys90MImLZh3uYVc4wt2Ms cwSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704720516; x=1705325316; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=svOhLEBQw6ySn+JyuvVFhHT4ff1lI5RHm+bZAAT+5+M=; b=J5yefNQo7FVCmAMOxpRjnT9JdpGjKbMy+kQhKre8clOuxjBn/GFJtcKVT2RTdy69u6 mSjydmElmmKfqIXPhxssTAO2RuNWz8Nl3tRC6MfZwpzJN00M9gAaaDnB5krTZYT2l8yn qB4KLpOvNAifh1/f8HvsSGWPfW1L1T4Kb+++4ctm5NE36JUZK+9+aRLIsyqbvXRoUXsl pV+TGxOvFWymWGeKL0Oq5pgYpfPRuFJa9ugTGMYCFPriAQ3srHfSip6iHWIhTD3sLsKj /InWnl8i2rSVTTChKL0vlqxR5c78KeNrsKJl7S2Z4laG2LxKqVcYWJwFNt+AYObWGFag jB5A== X-Gm-Message-State: AOJu0Yz4RgiKfKcDfiy9JwHoQ6U4oruZ323/AdCsI3EowcAOIXFicWa7 cLmj7NKH/8oEFpqBca3xovdUDgTElzs= X-Google-Smtp-Source: AGHT+IE7DvlBwND6leoOmmU9j678tYl60HqN6p5fd8a5bP92o8c95aMZbffUE4CtBcdxzF/mkhTpqA== X-Received: by 2002:a2e:9e46:0:b0:2cd:304f:8959 with SMTP id g6-20020a2e9e46000000b002cd304f8959mr1474114ljk.29.1704720516067; Mon, 08 Jan 2024 05:28:36 -0800 (PST) Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id z3-20020a2ebe03000000b002cd3e2fc054sm1171458ljq.57.2024.01.08.05.28.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 05:28:35 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, zenczykowski@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 2/3] bpf: infer packet range for 'if pkt ==/!= pkt_end' comparisons Date: Mon, 8 Jan 2024 15:28:01 +0200 Message-ID: <20240108132802.6103-3-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240108132802.6103-1-eddyz87@gmail.com> References: <20240108132802.6103-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net Extend try_match_pkt_pointers() to handle == and != operations. For instruction: .--------------- pointer to packet with some range R | .--------- pointer to packet end v v if rA == rB goto ... It is valid to infer that R bytes are available in packet. This change should allow verification of BPF generated for C code like below: if (data + 42 != data_end) { ... } Suggested-by: Maciej Żenczykowski Link: https://lore.kernel.org/bpf/CAHo-Oow5V2u4ZYvzuR8NmJmFDPNYp0pQDJX66rZqUjFHvhx82A@mail.gmail.com/ Signed-off-by: Eduard Zingerman --- kernel/bpf/verifier.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 918e6a7912e2..b229ba0ad114 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -14677,6 +14677,7 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, struct bpf_verifier_state *this_branch, struct bpf_verifier_state *other_branch) { + struct bpf_verifier_state *eq_branch; int opcode = BPF_OP(insn->code); int dst_regno = insn->dst_reg; @@ -14713,6 +14714,13 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, find_good_pkt_pointers(other_branch, dst_reg, dst_reg->type, opcode == BPF_JLT); mark_pkt_end(this_branch, dst_regno, opcode == BPF_JLE); break; + case BPF_JEQ: + case BPF_JNE: + /* pkt_data ==/!= pkt_end, pkt_meta ==/!= pkt_data */ + eq_branch = opcode == BPF_JEQ ? other_branch : this_branch; + find_good_pkt_pointers(eq_branch, dst_reg, dst_reg->type, true); + mark_pkt_end(eq_branch, dst_regno, false); + break; default: return false; } From patchwork Mon Jan 8 13:28:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13513476 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AE9DB45946 for ; Mon, 8 Jan 2024 13:28:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Un8bV9K6" Received: by mail-lj1-f179.google.com with SMTP id 38308e7fff4ca-2ccabf5a4beso17967611fa.2 for ; Mon, 08 Jan 2024 05:28:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704720517; x=1705325317; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=FgGScrJzuXyxQIjYSGhKX/9ivogWO1hoRNp5I/CGjrk=; b=Un8bV9K65oS7SShcF/xmdda/fH6PJpE9dCRZfS36iiIA7/a/NEYwDJ6IjVihcBSaH3 vdUOVtWLll+OPgfCqiqG4F2CfHwtzC6zvETktLPkR6mCxMwHnIOm/vXErwx6+m6bhgAY qmtlIXS1jgSF4HQgG+Paf868DViDwqgYOOpyIERz+I6/uPwb1E4XLZwvmGKwVWFaR7V+ Fj8+i+z320U/c1Al0BujBL6bD1LcISKrP7muDt4ODzARuIgSeNaZnb2kxRPg9pf/Ee6g tHrdUSbKxKuw/r8/dc9DHGQBJEXvQr3LRDfg788gS6K1oNHHq7IQiYuj0HYeNMkub4Af IwwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704720517; x=1705325317; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FgGScrJzuXyxQIjYSGhKX/9ivogWO1hoRNp5I/CGjrk=; b=KmxAt6Hg6JpDTdDV/9Gh3b6c4cj3T+9ZRwaH79IEN144Za/zdwbvgFgRTLAv/rRNNM uJpJ061LMwbr355METn//GmYHADWEcQrtEgA8wSL27oBCE0D0cm4pdkqjqNrrDrQrWlv HolUG/D5dHj+1u2Krbhp+PsPlXUo5C7fdAQlMPpjHdiQV3p8Ch1ioQw3auLeJQVtQ0fK ePaZrLVmqSxFdd07tok5B1qd/DMO7tIstMNuZmyR+qRI/NlzF2OmJDFbKaN/O5JFFzbO VmS7lNeagOoRcgucz572r+8qcjQ5BWNQqkJqxDLPGiBaxYLYbO2yDugbWoG3xxJfZJMU QfEw== X-Gm-Message-State: AOJu0YzUTGNZS72PRApxClmP2srxoydipe/EumTLSN8L+WANcLqEqY52 +/dpRaAKaQ42iHAbtHt7mwseLyDgDJM= X-Google-Smtp-Source: AGHT+IHQm1GCsVVQPcj7x/Jec+7T8Ww98U4CWa79PjfCrL1NacXEDW9yBrNue9vRpqw6sy44pEnXPg== X-Received: by 2002:a2e:6e16:0:b0:2cd:2376:140c with SMTP id j22-20020a2e6e16000000b002cd2376140cmr651922ljc.57.1704720517318; Mon, 08 Jan 2024 05:28:37 -0800 (PST) Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id z3-20020a2ebe03000000b002cd3e2fc054sm1171458ljq.57.2024.01.08.05.28.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 05:28:36 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, zenczykowski@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 3/3] selftests/bpf: test packet range inference for 'if pkt ==/!= pkt_end' Date: Mon, 8 Jan 2024 15:28:02 +0200 Message-ID: <20240108132802.6103-4-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240108132802.6103-1-eddyz87@gmail.com> References: <20240108132802.6103-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net Check that the following cases are handled by verifier: - packet access after 'if pkt_data + const != pkt_end' (positive and negative cases); - packet access after 'if pkt_data + const == pkt_end' (positive and negative cases); - packet metadata access after 'if pkt_meta + const != pkt_data'; - packet metadata access after 'if pkt_data != pkt_meta + const'; Signed-off-by: Eduard Zingerman --- .../bpf/progs/verifier_direct_packet_access.c | 138 ++++++++++++++++++ 1 file changed, 138 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_direct_packet_access.c b/tools/testing/selftests/bpf/progs/verifier_direct_packet_access.c index be95570ab382..0ee99d7bc846 100644 --- a/tools/testing/selftests/bpf/progs/verifier_direct_packet_access.c +++ b/tools/testing/selftests/bpf/progs/verifier_direct_packet_access.c @@ -800,4 +800,142 @@ l0_%=: /* exit(0) */ \ : __clobber_all); } +SEC("tc") +__success __log_level(2) +__msg("if r3 != r2 goto pc+1 ; R2_w=pkt_end() R3_w=pkt(off=8,r=0xffffffffffffffff)") +__naked void data_plus_const_neq_pkt_end(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data_end]); \ + r3 = r1; \ + r3 += 8; \ + if r3 != r2 goto 1f; \ + r1 = *(u64 *)(r1 + 0); \ +1: \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) + : __clobber_all); +} + +SEC("tc") +__failure __log_level(2) +__msg("8: R1=pkt(r=0) R2=pkt_end() R3=pkt(off=8,r=0)") +__msg("invalid access to packet, off=0 size=8, R1(id=0,off=0,r=0)") +__naked void data_plus_const_neq_pkt_end_negative(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data_end]); \ + r3 = r1; \ + r3 += 8; \ + if r3 != r2 goto 1f; \ + r0 = 0; \ + exit; \ +1: \ + r1 = *(u64 *)(r1 + 0); \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) + : __clobber_all); +} + +SEC("tc") +__success __log_level(2) +__msg("8: R1=pkt(r=9) R2=pkt_end() R3=pkt(off=8,r=0xffffffffffffffff)") +__naked void data_plus_const_eq_pkt_end(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data_end]); \ + r3 = r1; \ + r3 += 8; \ + if r3 == r2 goto 1f; \ + r0 = 0; \ + exit; \ +1: \ + r1 = *(u64 *)(r1 + 0); \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) + : __clobber_all); +} + +SEC("tc") +__failure __log_level(2) +__msg("if r3 == r2 goto pc+3 ; R2_w=pkt_end() R3_w=pkt(off=8,r=0)") +__msg("invalid access to packet, off=0 size=8, R1(id=0,off=0,r=0)") +__naked void data_plus_const_eq_pkt_end_negative(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data_end]); \ + r3 = r1; \ + r3 += 8; \ + if r3 == r2 goto 1f; \ + r1 = *(u64 *)(r1 + 0); \ + r0 = 0; \ + exit; \ +1: \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) + : __clobber_all); +} + +SEC("tc") +__success +__naked void pkt_meta_plus_const_neq_pkt_data(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data_meta]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data]); \ + r3 = r1; \ + r3 += 8; \ + if r3 != r2 goto 1f; \ + r1 = *(u64 *)(r1 + 0); \ +1: \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_meta, offsetof(struct __sk_buff, data_meta)) + : __clobber_all); +} + +SEC("tc") +__success +__naked void pkt_data_neq_pkt_meta_plus_const(void) +{ + asm volatile (" \ + r9 = r1; \ + r1 = *(u32*)(r9 + %[__sk_buff_data_meta]); \ + r2 = *(u32*)(r9 + %[__sk_buff_data]); \ + r3 = r1; \ + r3 += 8; \ + if r2 != r3 goto 1f; \ + r1 = *(u64 *)(r1 + 0); \ +1: \ + r0 = 0; \ + exit; \ +" : + : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), + __imm_const(__sk_buff_data_meta, offsetof(struct __sk_buff, data_meta)) + : __clobber_all); +} + char _license[] SEC("license") = "GPL";