• Yonghong Song's avatar
    bpf: Provide better register bounds after jmp32 instructions · 581738a6
    Yonghong Song authored
    With latest llvm (trunk https://github.com/llvm/llvm-project),
    test_progs, which has +alu32 enabled, failed for strobemeta.o.
    The verifier output looks like below with edit to replace large
    decimal numbers with hex ones.
     193: (85) call bpf_probe_read_user_str#114
       R0=inv(id=0)
     194: (26) if w0 > 0x1 goto pc+4
       R0_w=inv(id=0,umax_value=0xffffffff00000001)
     195: (6b) *(u16 *)(r7 +80) = r0
     196: (bc) w6 = w0
       R6_w=inv(id=0,umax_value=0xffffffff,var_off=(0x0; 0xffffffff))
     197: (67) r6 <<= 32
       R6_w=inv(id=0,smax_value=0x7fffffff00000000,umax_value=0xffffffff00000000,
                var_off=(0x0; 0xffffffff00000000))
     198: (77) r6 >>= 32
       R6=inv(id=0,umax_value=0xffffffff,var_off=(0x0; 0xffffffff))
     ...
     201: (79) r8 = *(u64 *)(r10 -416)
       R8_w=map_value(id=0,off=40,ks=4,vs=13872,imm=0)
     202: (0f) r8 += r6
       R8_w=map_value(id=0,off=40,ks=4,vs=13872,umax_value=0xffffffff,var_off=(0x0; 0xffffffff))
     203: (07) r8 += 9696
       R8_w=map_value(id=0,off=9736,ks=4,vs=13872,umax_value=0xffffffff,var_off=(0x0; 0xffffffff))
     ...
     255: (bf) r1 = r8
       R1_w=map_value(id=0,off=9736,ks=4,vs=13872,umax_value=0xffffffff,var_off=(0x0; 0xffffffff))
     ...
     257: (85) call bpf_probe_read_user_str#114
     R1 unbounded memory access, make sure to bounds check any array access into a map
    
    The value range for register r6 at insn 198 should be really just 0/1.
    The umax_value=0xffffffff caused later verification failure.
    
    After jmp instructions, the current verifier already tried to use just
    obtained information to get better register range. The current mechanism is
    for 64bit register only. This patch implemented to tighten the range
    for 32bit sub-registers after jmp32 instructions.
    With the patch, we have the below range ranges for the
    above code sequence:
     193: (85) call bpf_probe_read_user_str#114
       R0=inv(id=0)
     194: (26) if w0 > 0x1 goto pc+4
       R0_w=inv(id=0,smax_value=0x7fffffff00000001,umax_value=0xffffffff00000001,
                var_off=(0x0; 0xffffffff00000001))
     195: (6b) *(u16 *)(r7 +80) = r0
     196: (bc) w6 = w0
       R6_w=inv(id=0,umax_value=0xffffffff,var_off=(0x0; 0x1))
     197: (67) r6 <<= 32
       R6_w=inv(id=0,umax_value=0x100000000,var_off=(0x0; 0x100000000))
     198: (77) r6 >>= 32
       R6=inv(id=0,umax_value=1,var_off=(0x0; 0x1))
     ...
     201: (79) r8 = *(u64 *)(r10 -416)
       R8_w=map_value(id=0,off=40,ks=4,vs=13872,imm=0)
     202: (0f) r8 += r6
       R8_w=map_value(id=0,off=40,ks=4,vs=13872,umax_value=1,var_off=(0x0; 0x1))
     203: (07) r8 += 9696
       R8_w=map_value(id=0,off=9736,ks=4,vs=13872,umax_value=1,var_off=(0x0; 0x1))
     ...
     255: (bf) r1 = r8
       R1_w=map_value(id=0,off=9736,ks=4,vs=13872,umax_value=1,var_off=(0x0; 0x1))
     ...
     257: (85) call bpf_probe_read_user_str#114
     ...
    
    At insn 194, the register R0 has better var_off.mask and smax_value.
    Especially, the var_off.mask ensures later lshift and rshift
    maintains proper value range.
    Suggested-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarYonghong Song <yhs@fb.com>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Link: https://lore.kernel.org/bpf/20191121170650.449030-1-yhs@fb.com
    581738a6
verifier.c 278 KB