From patchwork Mon Feb 12 14:38:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13553369 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA06E3A8CD for ; Mon, 12 Feb 2024 14:38:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748733; cv=none; b=ixO3zlWIQ+95EnOO8I8SO82idma3snrM0HX6nsioK7J6NiYBdC2YGhN//0LsgGbvAiwqDN7gmQgHbv9qAw4vOXLqRrlKx6dBPvTz/KMHF9aBRxdB+RtLGtnw0nHmqhckhdKrOwfQqbr5kF1YLaRc/+U6eVKShDX8kzHke4Uh6Qw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748733; c=relaxed/simple; bh=4Stv+skXJRMBqwnOwq3UNqgfvOmjR93AuXQliYXIMHk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NqPdnptF6Wmv9CqU1zsmr4f1XLxSrcMNjy/u44yp/918aMKMsl06YEAE2ry1LVvmnCt7lgMAdojgHApXJ/zIBO1xg7ALFm/x6OJA32G1VmGciexe5EpBYqRbDmAzY7bT96WKoz+dnkmO9onrGNzfcIif9GD7zRwfEjC4Ew97K2M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jSKY7jcW; arc=none smtp.client-ip=209.85.208.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jSKY7jcW" Received: by mail-ed1-f52.google.com with SMTP id 4fb4d7f45d1cf-55a035669d5so4815006a12.2 for ; Mon, 12 Feb 2024 06:38:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707748729; x=1708353529; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=zQtV9oxkdAcFG8Er10w04nEgE9pxCO3UX0YkiUL+p/A=; b=jSKY7jcWieGdtnERs6oJFhjwJ3r7bd27zEk6oCzGSypndHdgXTo/AhlvrpMEHl80DU uA5ZvoyoAgPm4JOEKacCkbXFbHXuEnliL/fZsCbWID+1eUGoMwptknd5rb3oBdhcsdlK TT4BxRaT2NZRvSKILeHwMVuZo30+Scj+JUxu7HkPUF/sJ9yBi3UdsDbwTLKEWfzIvMi8 A10NGx2200DtUjjUl8CwT3ZEr88dp4rCUO8+FDmUQA8sgRoRu9Jxy6NDHrNUFqarcZmM Cn3f4D8jcETGkD9NhHZUoqnvi566b3GSJUBSc2JbdcPFpaHqsRO30dZiyPLUqmnrVdIv Ikgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707748729; x=1708353529; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zQtV9oxkdAcFG8Er10w04nEgE9pxCO3UX0YkiUL+p/A=; b=Ia66nmo0UuigHH5N9mLl1loEgZvKA75WO3BSfOEbrq1QvKl02ai/xS+NW4T2CdXgsg MWm8x0ZuuGxuUHyo9FFNCoHR2ATd7bBzqBGskk4pavd7XwUJdDCx0Kf69FuJZTmS2SFq o4SRCYaAfRPqeio9NuP2RFNUo+gi/vRH5vNmkH9M7ocRMpoe2xSCCZMn4ZtfwrOrG51p dFdB39xrHoUos/G2QMrnbK4LVaTmtcjFs8LjIOYDQeXJ8lgLSAYmCGaEw7Be5S/jFHcW 32ALHJhpWmWSbzg3/w+yLNCblyDcD56pWAalOut4KU3SB1gwhNbFZY0j//C9ILuFQ7FV 0/5A== X-Gm-Message-State: AOJu0YxTDZIHSElVjtXSC+zoJIUfahjql+CRO1ZhyKgbVNgFFiBsmcBF IUbbQ7zSxQQQqwZg/C3JO3+WwKISIo9/GGZWUPUb8aYnok7OFRgupzMzmMFx X-Google-Smtp-Source: AGHT+IHqYBjb9gZTCjAehoFR5Pq7dYgqo1/xb8vXsBByAmJelABlfJU0Rdz336+EK7GBBRph/6OI6w== X-Received: by 2002:a17:906:e208:b0:a3c:e2a9:d8ac with SMTP id gf8-20020a170906e20800b00a3ce2a9d8acmr283381ejb.6.1707748729461; Mon, 12 Feb 2024 06:38:49 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCUyCJA9UUDxPHtGcNoW581BO1PAR2LUVks56dBami80C7jmglc0JBOKjaFoZ24GdBLJKnGc07B1LNVVyO1j3e0Bt62GLfiboeC6Xo1YZ0tOLiOYj3Nmx9P23Ll0QyJ5Kj43ACE2y0xMdVCmM/ucTRj7sqHrNeUwC9kRzYKrka1p/pgw04NK2iH649a93ab9sf+iyaeSmc0RdHpJ2/9gNBuM8szzg3XNJ4z/4SIaLFC1OP1FiIgcwgRuLCjNdYE= Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id k3-20020a1709061c0300b00a360ba43173sm266918ejg.99.2024.02.12.06.38.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 06:38:49 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, kuniyu@amazon.com, Eduard Zingerman Subject: [PATCH bpf-next 1/3] selftests/bpf: update tcp_custom_syncookie to use scalar packet offset Date: Mon, 12 Feb 2024 16:38:30 +0200 Message-ID: <20240212143832.28838-2-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240212143832.28838-1-eddyz87@gmail.com> References: <20240212143832.28838-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net The next commit in a series fixes bug in bpf_loop() handling. That change makes tcp_custom_syncookie test too complex to verify. This commit updates tcp_custom_syncookie.c:tcp_parse_option() to use explicit packet offset (ctx->off) for packet access instead of ever moving pointer (ctx->ptr), this reduces verification complexity: - the tcp_parse_option() is passed as a callback to bpf_loop(); - suppose a checkpoint is created each time at function entry; - the ctx->ptr is tracked by verifier as PTR_TO_PACKET; - the ctx->ptr is incremented in tcp_parse_option(), thus umax_value field tracked for it is incremented as well; - on each next iteration of tcp_parse_option() checkpoint from a previous iteration can't be reused for state pruning, because PTR_TO_PACKET registers are considered equivalent only if old->umax_value >= cur->umax_value; - on the other hand, the ctx->off is a SCALAR, subject to widen_imprecise_scalars(); - it's exact bounds are eventually forgotten and it is tracked as unknown scalar at entry to tcp_parse_option(); - hence checkpoints created at the start of the function eventually converge. The change is similar to one applied in [0] to xdp_synproxy_kern.c. [0] commit 977bc146d4eb ("selftests/bpf: track tcp payload offset as scalar in xdp_synproxy") Signed-off-by: Eduard Zingerman Acked-by: Yonghong Song --- .../bpf/progs/test_tcp_custom_syncookie.c | 83 ++++++++++++------- 1 file changed, 53 insertions(+), 30 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c index a5501b29979a..c8e4553648bf 100644 --- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c +++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c @@ -10,6 +10,8 @@ #include "test_siphash.h" #include "test_tcp_custom_syncookie.h" +#define MAX_PACKET_OFF 0xffff + /* Hash is calculated for each client and split into ISN and TS. * * MSB LSB @@ -52,16 +54,15 @@ static siphash_key_t test_key_siphash = { struct tcp_syncookie { struct __sk_buff *skb; + void *data; void *data_end; struct ethhdr *eth; struct iphdr *ipv4; struct ipv6hdr *ipv6; struct tcphdr *tcp; - union { - char *ptr; - __be32 *ptr32; - }; + __be32 *ptr32; struct bpf_tcp_req_attrs attrs; + u32 off; u32 cookie; u64 first; }; @@ -70,6 +71,7 @@ bool handled_syn, handled_ack; static int tcp_load_headers(struct tcp_syncookie *ctx) { + ctx->data = (void *)(long)ctx->skb->data; ctx->data_end = (void *)(long)ctx->skb->data_end; ctx->eth = (struct ethhdr *)(long)ctx->skb->data; @@ -134,6 +136,7 @@ static int tcp_reload_headers(struct tcp_syncookie *ctx) if (bpf_skb_change_tail(ctx->skb, data_len + 60 - ctx->tcp->doff * 4, 0)) goto err; + ctx->data = (void *)(long)ctx->skb->data; ctx->data_end = (void *)(long)ctx->skb->data_end; ctx->eth = (struct ethhdr *)(long)ctx->skb->data; if (ctx->ipv4) { @@ -195,47 +198,68 @@ static int tcp_validate_header(struct tcp_syncookie *ctx) return -1; } -static int tcp_parse_option(__u32 index, struct tcp_syncookie *ctx) +static __always_inline void *next(struct tcp_syncookie *ctx, __u32 sz) { - char opcode, opsize; + __u64 off = ctx->off; + __u8 *data; - if (ctx->ptr + 1 > ctx->data_end) - goto stop; + /* Verifier forbids access to packet when offset exceeds MAX_PACKET_OFF */ + if (off > MAX_PACKET_OFF - sz) + return NULL; + + data = ctx->data + off; + barrier_var(data); + if (data + sz >= ctx->data_end) + return NULL; - opcode = *ctx->ptr++; + ctx->off += sz; + return data; +} - if (opcode == TCPOPT_EOL) +static int tcp_parse_option(__u32 index, struct tcp_syncookie *ctx) +{ + __u8 *opcode, *opsize, *wscale; + __u32 *tsval, *tsecr; + __u16 *mss; + __u32 off; + + off = ctx->off; + opcode = next(ctx, 1); + if (!opcode) goto stop; - if (opcode == TCPOPT_NOP) + if (*opcode == TCPOPT_EOL) + goto stop; + + if (*opcode == TCPOPT_NOP) goto next; - if (ctx->ptr + 1 > ctx->data_end) + opsize = next(ctx, 1); + if (!opsize) goto stop; - opsize = *ctx->ptr++; - - if (opsize < 2) + if (*opsize < 2) goto stop; - switch (opcode) { + switch (*opcode) { case TCPOPT_MSS: - if (opsize == TCPOLEN_MSS && ctx->tcp->syn && - ctx->ptr + (TCPOLEN_MSS - 2) < ctx->data_end) - ctx->attrs.mss = get_unaligned_be16(ctx->ptr); + mss = next(ctx, 2); + if (*opsize == TCPOLEN_MSS && ctx->tcp->syn && mss) + ctx->attrs.mss = get_unaligned_be16(mss); break; case TCPOPT_WINDOW: - if (opsize == TCPOLEN_WINDOW && ctx->tcp->syn && - ctx->ptr + (TCPOLEN_WINDOW - 2) < ctx->data_end) { + wscale = next(ctx, 1); + if (*opsize == TCPOLEN_WINDOW && ctx->tcp->syn && wscale) { ctx->attrs.wscale_ok = 1; - ctx->attrs.snd_wscale = *ctx->ptr; + ctx->attrs.snd_wscale = *wscale; } break; case TCPOPT_TIMESTAMP: - if (opsize == TCPOLEN_TIMESTAMP && - ctx->ptr + (TCPOLEN_TIMESTAMP - 2) < ctx->data_end) { - ctx->attrs.rcv_tsval = get_unaligned_be32(ctx->ptr); - ctx->attrs.rcv_tsecr = get_unaligned_be32(ctx->ptr + 4); + tsval = next(ctx, 4); + tsecr = next(ctx, 4); + if (*opsize == TCPOLEN_TIMESTAMP && tsval && tsecr) { + ctx->attrs.rcv_tsval = get_unaligned_be32(tsval); + ctx->attrs.rcv_tsecr = get_unaligned_be32(tsecr); if (ctx->tcp->syn && ctx->attrs.rcv_tsecr) ctx->attrs.tstamp_ok = 0; @@ -244,13 +268,12 @@ static int tcp_parse_option(__u32 index, struct tcp_syncookie *ctx) } break; case TCPOPT_SACK_PERM: - if (opsize == TCPOLEN_SACK_PERM && ctx->tcp->syn && - ctx->ptr + (TCPOLEN_SACK_PERM - 2) < ctx->data_end) + if (*opsize == TCPOLEN_SACK_PERM && ctx->tcp->syn) ctx->attrs.sack_ok = 1; break; } - ctx->ptr += opsize - 2; + ctx->off = off + *opsize; next: return 0; stop: @@ -259,7 +282,7 @@ static int tcp_parse_option(__u32 index, struct tcp_syncookie *ctx) static void tcp_parse_options(struct tcp_syncookie *ctx) { - ctx->ptr = (char *)(ctx->tcp + 1); + ctx->off = (__u8 *)(ctx->tcp + 1) - (__u8 *)ctx->data, bpf_loop(40, tcp_parse_option, ctx, 0); } From patchwork Mon Feb 12 14:38:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13553370 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com [209.85.218.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F85A3A8F2 for ; Mon, 12 Feb 2024 14:38:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748734; cv=none; b=MVgVy6HQ2M+XBlYEhXsRGxbX3CIY0F1pPWFLYbvUoYV61IBWNo6dQN9N0FKCQIw0Uf6cFtgNtrAix7HydIod+JRpvjb/6O5gyKRIOYudHI0Dvj/bFUrL8wmXBTVuWrsPY/4x/qiswP3z/1N4V9EWVQFqCk83k16VsECXMMyslhU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748734; c=relaxed/simple; bh=GaQAhanZMMlRolDaX2CeGed6nPs04m760rk4oskkVAI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Trzun8M9IGo3W2W54xenLwsWZ8SYdor/eNx0QzRjQqtvWzzmVsMPSm/qZqBcWGWx4NH8opnqlG3s88JY/0o2O6o4wng/vCLoWWyQPMNyGD+0lRXhE+cUJNZafBIqDh0H6i8Ekm3kQoglZ0HYSPAltnPx4xEiz9QmykFi0NU09fU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=GVdSlRYS; arc=none smtp.client-ip=209.85.218.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="GVdSlRYS" Received: by mail-ej1-f47.google.com with SMTP id a640c23a62f3a-a3c2efff32aso202927966b.0 for ; Mon, 12 Feb 2024 06:38:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707748731; x=1708353531; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+3HFF8F8Fn8RiDSWYG6HB/9fJWdtnup1mq4NKisX8aI=; b=GVdSlRYSWaKiG0Da4l8inM/cz3I87ylyJEpwP0hjWeXMiouMjtCR1TmhzVrf6Jo3mb uEoduKDwNwGygYjYu+mgzi1ezTtNwC016vhw07NBCd2NHVwYs6UsBhJTlcSkgpUYFDk/ WZWM30KP1b39s4VfEKSp9ParfaatSeJVr7soMA1t/ndiTy+1s15malzc11wUgi2hqsM8 ZPK19iJs/SWvMyZg7pTJ5r0rgUcCh6pyw45QBIbpsSeGd/upqXwvJTzb6pmBjeCmZBL0 QQKcICSA/rHUHaUNomzL02K35P3OrJMplNVmXCkJ6+Tj1pVSb/cUJ886TYQr4d9u8aYl 2joA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707748731; x=1708353531; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+3HFF8F8Fn8RiDSWYG6HB/9fJWdtnup1mq4NKisX8aI=; b=lRF79dYiRRREY4BIEcJnMAgSBh32It1GczLxLjgRL177/9KETMmYLoWDjSEfyykf7H SKZDDcYKT+xUZZ/POGCUyzrs/NjDux7jPuZnfJp9bSfW3yGZ7Scpc18VHpnv1tmrKw9x DFTibcCWGvwqXBTOr/WhIdA5ycw1W8ObZrS1w06+w4UlDAsWT294iYJmbmEtPCMDYKsJ aOmbVaU32LBO9riiTHrQ7B66HPGWpXJ+FN6e6fWnQ7c3GH6YBKqcIIbya+HewOFWpOgP kVqfx0oxMVKmZmJz18XD5BAgJ0LSOhVTjIiVtxfdaio2G070Xy8QClFEDg3tzF3g0oij Fk8w== X-Gm-Message-State: AOJu0YxFZ5SuKT9rMQoRyaY4uORFjTGhRBGK4S+aH4FcTDEgqpPICD/k Waixu4Sf2oajZIf7Xdea+YNHj24rvrBFuueU5BmqvW/3YQEoadWCgk+fmlWj X-Google-Smtp-Source: AGHT+IFNsVaLUjB0rkHaUCaAZ9afhXfyKKFs5AY2oTy3NWkQA7/7Kqtf/87CFkmRaEO1o3zqscao1A== X-Received: by 2002:a17:906:cd01:b0:a3c:ce4b:58fa with SMTP id oz1-20020a170906cd0100b00a3cce4b58famr1059586ejb.51.1707748730589; Mon, 12 Feb 2024 06:38:50 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCVN9Ly9w+gARq8unLJYn5iq8emVvQzcZW0ynfVfacOlfYiQcpG25FM97t1MhvK6jjODtIMdOWaw3C6sFn+czw6mjbdN+JFMy8xvGMiDpd+qH4CtpSj/9/b3tC+o108itOltgNoWzz+pxxeutomuuFrjBgrARw63jwC3ARD9eAceMjr9LmY75IGcMKz6bnDWxNeAlwnQq5PVY5cDrMaP3eVnM0Bz2AYf46aKO1NWKgo/UtW37LZsAiXrpeDVXEY= Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id k3-20020a1709061c0300b00a360ba43173sm266918ejg.99.2024.02.12.06.38.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 06:38:50 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, kuniyu@amazon.com, Eduard Zingerman Subject: [PATCH bpf-next 2/3] bpf: check bpf_func_state->callback_depth when pruning states Date: Mon, 12 Feb 2024 16:38:31 +0200 Message-ID: <20240212143832.28838-3-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240212143832.28838-1-eddyz87@gmail.com> References: <20240212143832.28838-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net When comparing current and cached states verifier should consider bpf_func_state->callback_depth. Current state cannot be pruned against cached state, when current states has more iterations left compared to cached state. Current state has more iterations left when it's callback_depth is smaller. Below is an example illustrating this bug, minimized from mailing list discussion [0]. The example is not a safe program: if loop_cb point (1) is followed by loop_cb point (2), then division by zero is possible at point (4). struct ctx { __u64 a; __u64 b; __u64 c; }; static void loop_cb(int i, struct ctx *ctx) { /* assume that generated code is "fallthrough-first": * if ... == 1 goto * if ... == 2 goto * */ switch (bpf_get_prandom_u32()) { case 1: /* 1 */ ctx->a = 42; return 0; break; case 2: /* 2 */ ctx->b = 42; return 0; break; default: /* 3 */ ctx->c = 42; return 0; break; } } SEC("tc") __failure __flag(BPF_F_TEST_STATE_FREQ) int test(struct __sk_buff *skb) { struct ctx ctx = { 7, 7, 7 }; bpf_loop(2, loop_cb, &ctx, 0); /* 0 */ /* assume generated checks are in-order: .a first */ if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7) asm volatile("r0 /= 0;":::"r0"); /* 4 */ return 0; } Prior to this commit verifier built the following checkpoint tree for this example (notation: `(code point #) {a>,b>,c>}`): - (0) {7P,7,7} - (3) {7P,7,7} - (0) {7P,7,42} (checkpoint #1): - (3) {7P,7,42} - (0) {7P,7,42} -> to end - (2) {7P,7,42} - (0) {7P,42,42} -> to end - (1) {7P,7,42} (checkpoint #2) - (0) {42P,7P,42} -> to end - (2) {7P,7,7} - (0) {7P,42,7} safe (checkpoint #1) - (1) {7,7,7} safe (checkpoint #2) Here checkpoint #2 has callback_depth of 1, meaning that it would never reach state {42,42,7}. While the last branch of the tree has callback_depth of 0, and thus could yet explore the state {42,42,7} if not pruned prematurely. This commit makes disallows such premature pruning. [0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/ Suggested-by: Yonghong Song Signed-off-by: Eduard Zingerman --- kernel/bpf/verifier.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ddaf09db1175..df99fcdbaa05 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16715,6 +16715,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat { int i; + if (old->callback_depth > cur->callback_depth) + return false; + for (i = 0; i < MAX_BPF_REG; i++) if (!regsafe(env, &old->regs[i], &cur->regs[i], &env->idmap_scratch, exact)) From patchwork Mon Feb 12 14:38:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13553371 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-ej1-f48.google.com (mail-ej1-f48.google.com [209.85.218.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E3C6D3B296 for ; Mon, 12 Feb 2024 14:38:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748735; cv=none; b=Q/gUZkSebl2VgOS+rA7MEXsUQxSeThdBRcogsCSDN6CG5/0zy8sMLUs7UaWG/vED1pUdyYlA6SXScHavhVR0kXKIwYr/Xd89XIoWhfaKf4enbnWCNDl5PYwpEWNWmulFGFCJHSfIGd/Ao1BepuFstbrXNcxlRQ+30QN1tyI0WCs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707748735; c=relaxed/simple; bh=ZZGZ8jg42ZNxJPS33J4vIOEC18dNvJreMcUt/b38mzY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=JChyro27ue2tjX7vO1tpytSZbIsCIb8EMS4ysLw0jpejgcAkq/UQ7C/Bx3qG1Dkpt0jV+DLNrtU3vJ6+aGu+TuNFk1kOUvzxg4WDqGgenRFb+Bmc2/YtXBVb1ce2XZgGeM3H6GrWUM/9ZyNotYe/uDwRhKoVCPKoC7jYNS/VWQA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=iVbwhbHa; arc=none smtp.client-ip=209.85.218.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="iVbwhbHa" Received: by mail-ej1-f48.google.com with SMTP id a640c23a62f3a-a2a17f3217aso423294266b.2 for ; Mon, 12 Feb 2024 06:38:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707748732; x=1708353532; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=qbZZJtHttgWYhCWR6rqzHSFm1UqLGzy74tIhV2kB3GA=; b=iVbwhbHaq3ZQHxXsaVwHqib3Kh2trmThARfyDf16j4YF7ZqSIrtMtNoy9lb391v9Wk no+CL+yFcGGx61vwZOr3etk1MGQWVia+OR9VImjxMP+iEpe2R+1IpWqAQRe4kfub+st1 6DvHTmgRFoJiS450aBwzlff4HNwM92OHy1nbf8GBpjm8nGRThjad8Q9GEDnzCcqO9H/n wE2TGzDdjE1RjdRNPg5apY294KQM+2RoYdUJFH4HmQLCRD2wuq39BJdQjVHYDVGSzcyQ lGCgRpmSk22FWxzvdTWTEQ+oNAubIvD4sUHIG4TxH96Msg2M/8Y2gT7P4i1YO5pvY9Ea STBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707748732; x=1708353532; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qbZZJtHttgWYhCWR6rqzHSFm1UqLGzy74tIhV2kB3GA=; b=bP6TBYtR2Pl6la43OmHXc6zFaz+9vctxpxV/8jn58Aol/zwNG1jhnGclxYvrq1x9q3 gzYuF+qlP4cy6hsWziUfNezodCNdegOFlVPDUnVQQEwoq8lRVi0eGq/EgC7aFbvHbZl/ ahKodp/NTXSuWIzWGlRQai60OizIUAa9RsVqsuUATjSzcMb+5MT9c8++nDfMVkuJb/lI CcEFMAvxgZ/a6WydaICUkstYYQQ4ElxY2Z4rBSONoWkwfMJxMAkszReKwfgxvnEbIduC 7dtZlNz0jk1cWOjLUMqoVufqdqRWCXPxB0ZalshELv+ALQ9QrKtoA9Jg9pRlIiHN7ppj vaBA== X-Gm-Message-State: AOJu0YzB1ngcNUG3G9gv7/MUW6TmFC0CBKDgezZ8WkXITrAvNXkWk6bB CnVjTQV/rAo5sFj24b2m8BfvQbnUdA9s5KnQCwTOzUzo/bs+2lHnfihtAsgq X-Google-Smtp-Source: AGHT+IHWihoL0jlNPksRIIIiXUNeDlO7bC22icya+W8/crYvdnyCxB6vs4fc98e/cUwhyFlRKuuzeA== X-Received: by 2002:a17:906:11da:b0:a38:488a:601f with SMTP id o26-20020a17090611da00b00a38488a601fmr4209696eja.53.1707748731805; Mon, 12 Feb 2024 06:38:51 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCWA+BehaSESfNGN9Evig8xZhg2yLow8fNckpM+kvGm285W5zXcf9hg6aqCvP44su7XcrA5D+DVSrPrc2wD/gStq7KmHRoE1Klk+ZJBsCV++qrBUAJx77ouc1WPp98/jiNOPbU6NmtoPbTOO214My7fWVEfLVb6Jlz9blG4SW4CYHjvQ6Wvx8tqVdoqFcR9z4NPPZ/nufeTSt2Ndv0gFSMuNulzHxlXqGpbSVaqawE62tndR75AK+Pjl306JgrI= Received: from localhost.localdomain (host-176-36-0-241.b024.la.net.ua. [176.36.0.241]) by smtp.gmail.com with ESMTPSA id k3-20020a1709061c0300b00a360ba43173sm266918ejg.99.2024.02.12.06.38.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 06:38:51 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, kuniyu@amazon.com, Eduard Zingerman Subject: [PATCH bpf-next 3/3] selftests/bpf: test case for callback_depth states pruning logic Date: Mon, 12 Feb 2024 16:38:32 +0200 Message-ID: <20240212143832.28838-4-eddyz87@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240212143832.28838-1-eddyz87@gmail.com> References: <20240212143832.28838-1-eddyz87@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net The test case was minimized from mailing list discussion [0]. It is equivalent to the following C program: struct iter_limit_bug_ctx { __u64 a; __u64 b; __u64 c; }; static __naked void iter_limit_bug_cb(void) { switch (bpf_get_prandom_u32()) { case 1: ctx->a = 42; break; case 2: ctx->b = 42; break; default: ctx->c = 42; break; } } int iter_limit_bug(struct __sk_buff *skb) { struct iter_limit_bug_ctx ctx = { 7, 7, 7 }; bpf_loop(2, iter_limit_bug_cb, &ctx, 0); if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7) asm volatile("r1 /= 0;":::"r1"); return 0; } The main idea is that each loop iteration changes one of the state variables in a non-deterministic manner. Hence it is premature to prune the states that have two iterations left comparing them to states with one iteration left. E.g. {{7,7,7}, callback_depth=0} can reach state {42,42,7}, while {{7,7,7}, callback_depth=1} can't. [0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/ Signed-off-by: Eduard Zingerman --- .../bpf/progs/verifier_iterating_callbacks.c | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c index 5905e036e0ea..a955a6358206 100644 --- a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c +++ b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c @@ -239,4 +239,74 @@ int bpf_loop_iter_limit_nested(void *unused) return 1000 * a + b + c; } +struct iter_limit_bug_ctx { + __u64 a; + __u64 b; + __u64 c; +}; + +static __naked void iter_limit_bug_cb(void) +{ + /* This is the same as C code below, but written + * in assembly to control which branches are fall-through. + * + * switch (bpf_get_prandom_u32()) { + * case 1: ctx->a = 42; break; + * case 2: ctx->b = 42; break; + * default: ctx->c = 42; break; + * } + */ + asm volatile ( + "r9 = r2;" + "call %[bpf_get_prandom_u32];" + "r1 = r0;" + "r2 = 42;" + "r0 = 0;" + "if r1 == 0x1 goto 1f;" + "if r1 == 0x2 goto 2f;" + "*(u64 *)(r9 + 16) = r2;" + "exit;" + "1: *(u64 *)(r9 + 0) = r2;" + "exit;" + "2: *(u64 *)(r9 + 8) = r2;" + "exit;" + : + : __imm(bpf_get_prandom_u32) + : __clobber_all + ); +} + +SEC("tc") +__failure +__flag(BPF_F_TEST_STATE_FREQ) +int iter_limit_bug(struct __sk_buff *skb) +{ + struct iter_limit_bug_ctx ctx = { 7, 7, 7 }; + + bpf_loop(2, iter_limit_bug_cb, &ctx, 0); + + /* This is the same as C code below, + * written in assembly to guarantee checks order. + * + * if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7) + * asm volatile("r1 /= 0;":::"r1"); + */ + asm volatile ( + "r1 = *(u64 *)%[ctx_a];" + "if r1 != 42 goto 1f;" + "r1 = *(u64 *)%[ctx_b];" + "if r1 != 42 goto 1f;" + "r1 = *(u64 *)%[ctx_c];" + "if r1 != 7 goto 1f;" + "r1 /= 0;" + "1:" + : + : [ctx_a]"m"(ctx.a), + [ctx_b]"m"(ctx.b), + [ctx_c]"m"(ctx.c) + : "r1" + ); + return 0; +} + char _license[] SEC("license") = "GPL";