From patchwork Wed Feb 12 13:52:50 2025
X-Patchwork-Submitter: Jiayuan Chen
X-Patchwork-Id: 13971444
X-Patchwork-Delegate: bpf@iogearbox.net
From: Jiayuan Chen
To: bpf@vger.kernel.org, ast@kernel.org
Cc: daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, mykolal@fb.com, shuah@kernel.org, Jiayuan Chen, syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com
Subject: [PATCH bpf-next v1 1/2] bpf: Fix array bounds error with may_goto
Date: Wed, 12 Feb 2025 21:52:50 +0800
Message-ID: <20250212135251.85487-2-mrpre@163.com>
In-Reply-To: <20250212135251.85487-1-mrpre@163.com>
References: <20250212135251.85487-1-mrpre@163.com>

may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size.

Reported-by: syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/0000000000000f823606139faa5d@google.com/
Fixes: 011832b97b311 ("bpf: Introduce may_goto instruction")
Signed-off-by: Jiayuan Chen
---
 kernel/bpf/core.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index da729cbbaeb9..498b35284f81 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2255,7 +2255,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \ EVAL6(DEFINE_BPF_PROG_RUN, 32, 64, 96, 128, 160, 192); EVAL6(DEFINE_BPF_PROG_RUN, 224, 256, 288, 320, 352, 384); -EVAL4(DEFINE_BPF_PROG_RUN, 416, 448, 480, 512); +EVAL5(DEFINE_BPF_PROG_RUN, 416, 448, 480, 512, 544); EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 32, 64, 96, 128, 160, 192); EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 224, 256, 288, 320, 352, 384); @@ -2267,8 +2267,11 @@ static unsigned int (*interpreters[])(const void *ctx, const struct bpf_insn *insn) = { EVAL6(PROG_NAME_LIST, 32, 64, 96, 128, 160, 192) EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384) -EVAL4(PROG_NAME_LIST, 416, 448, 480, 512) +EVAL5(PROG_NAME_LIST, 416, 448, 480, 512, 544) }; + +#define MAX_INTERPRETERS_CALLBACK (sizeof(interpreters) / sizeof(*interpreters)) + #undef PROG_NAME_LIST #define PROG_NAME_LIST(stack_size) PROG_NAME_ARGS(stack_size), static __maybe_unused 
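Review bot: only interpreters[] gains a 544 slot; the EVAL6(DEFINE_BPF_PROG_RUN_ARGS, ...) lines in the first hunk's context and the PROG_NAME_ARGS list that starts in this hunk's trailing context are untouched, and the diffstat (8 insertions, 3 deletions) leaves no room for a change elsewhere. If that second table is ever indexed from a stack depth that includes may_goto's extra 8 bytes it has the same overrun, so either extend it the same way or say in the commit message why that path cannot reach 544. Smaller point on the new define: sizeof(interpreters) / sizeof(*interpreters) is what ARRAY_SIZE(interpreters) already provides, and MAX_INTERPRETERS_CALLBACK reads as a callback limit rather than a table length.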
@@ -2380,8 +2383,10 @@ static void bpf_prog_select_func(struct bpf_prog *fp) { #ifndef CONFIG_BPF_JIT_ALWAYS_ON u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1); + u32 idx = (round_up(stack_depth, 32) / 32) - 1; - fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1]; + WARN_ON_ONCE(idx >= MAX_INTERPRETERS_CALLBACK); + fp->bpf_func = interpreters[idx]; #else fp->bpf_func = __bpf_prog_ret0_warn; #endif
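Review bot: WARN_ON_ONCE(idx >= MAX_INTERPRETERS_CALLBACK) only reports the condition; the next line still executes fp->bpf_func = interpreters[idx], so an out-of-range idx reads past the table and installs whatever it finds as the program's entry point. Use the macro's return value to take a safe path instead, for example assigning __bpf_prog_ret0_warn as the #else branch already does (if it is available in this configuration) and returning. A BUILD_BUG_ON tying the table length to the maximum stack size plus the may_goto slot would also catch a future mismatch at compile time rather than at load time.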
From: Jiayuan Chen
To: bpf@vger.kernel.org, ast@kernel.org
Cc: daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, mykolal@fb.com, shuah@kernel.org, Jiayuan Chen
Subject: [PATCH bpf-next v1 2/2] bpf/selftest: add selftest for may_goto
Date: Wed, 12 Feb 2025 21:52:51 +0800
Message-ID: <20250212135251.85487-3-mrpre@163.com>
In-Reply-To: <20250212135251.85487-1-mrpre@163.com>
References: <20250212135251.85487-1-mrpre@163.com>

Add test case to ensure normal operation when may_goto exists and the stack size has already reached 512.

./test_progs -t verifier_stack_ptr
...
verifier_stack_ptr/PTR_TO_STACK max stack size > 512:OK
verifier_stack_ptr/PTR_TO_STACK max stack size 512 with may_goto:OK
...

Signed-off-by: Jiayuan Chen
---
 .../selftests/bpf/progs/verifier_stack_ptr.c | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_stack_ptr.c b/tools/testing/selftests/bpf/progs/verifier_stack_ptr.c index 417c61cd4b19..b2e84714e1bc 100644 --- a/tools/testing/selftests/bpf/progs/verifier_stack_ptr.c +++ b/tools/testing/selftests/bpf/progs/verifier_stack_ptr.c
@@ -481,4 +481,37 @@ l1_%=: r0 = 42; \ : __clobber_all); } +SEC("socket") +__description("PTR_TO_STACK max stack size > 512") +__failure __msg("invalid write to stack R1 off=-520 size=8") +__naked void stack_check_size_gt_512(void) +{ + asm volatile ( + "r1 = r10;" + "r1 += -520;" + "r0 = 42;" + "*(u64*)(r1 + 0) = r0;" + "exit;" + ::: __clobber_all); +} + +#ifdef __BPF_FEATURE_MAY_GOTO +SEC("socket") +__description("PTR_TO_STACK max stack size 512 with may_goto") +__success +__retval(42) +__naked void stack_check_size_512_with_may_goto(void) +{ + asm volatile ( + "r1 = r10;" + "r1 += -512;" + "r0 = 42;" + "*(u32*)(r1 + 0) = r0;" + "may_goto end;" + "r2 = 100;" +"end: exit;" + ::: __clobber_all); +} +#endif + char _license[] SEC("license") = "GPL";
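Review bot: the may_goto test reaches the fixed code only where bpf_prog_select_func() indexes interpreters[], which patch 1 shows sits under #ifndef CONFIG_BPF_JIT_ALWAYS_ON, so on a CONFIG_BPF_JIT_ALWAYS_ON build stack_check_size_512_with_may_goto passes with or without the fix. State in the commit message which configuration the test needs to be meaningful. In the asm body, "r2 = 100;" has no stated purpose and the unindented "end: exit;" line breaks the alignment of the other strings; a short comment that the 4-byte store at r10-512 puts the stack depth at 512 before may_goto adds its 8 bytes would make the intent clear. The first new test (off=-520) does not involve may_goto and is not mentioned in the commit text beyond the sample output.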