• Andrei Matei's avatar
    bpf: Simplify checking size of helper accesses · 8a021e7f
    Andrei Matei authored
    This patch simplifies the verification of size arguments associated to
    pointer arguments to helpers and kfuncs. Many helpers take a pointer
    argument followed by the size of the memory access performed to be
    performed through that pointer. Before this patch, the handling of the
    size argument in check_mem_size_reg() was confusing and wasteful: if the
    size register's lower bound was 0, then the verification was done twice:
    once considering the size of the access to be the lower-bound of the
    respective argument, and once considering the upper bound (even if the
    two are the same). The upper bound checking is a super-set of the
    lower-bound checking(*), except: the only point of the lower-bound check
    is to handle the case where zero-sized-accesses are explicitly not
    allowed and the lower-bound is zero. This static condition is now
    checked explicitly, replacing a much more complex, expensive and
    confusing verification call to check_helper_mem_access().
    
    Error messages change in this patch. Before, messages about illegal
    zero-size accesses depended on the type of the pointer and on other
    conditions, and sometimes the message was plain wrong: in some tests
    that changed you'll see that the old message was something like "R1 min
    value is outside of the allowed memory range", where R1 is the pointer
    register; the error was wrongly claiming that the pointer was bad
    instead of the size being bad. Other times the information that the size
    came for a register with a possible range of values was wrong, and the
    error presented the size as a fixed zero. Now the errors refer to the
    right register. However, the old error messages did contain useful
    information about the pointer register which is now lost; recovering
    this information was deemed not important enough.
    
    (*) Besides standing to reason that the checks for a bigger size access
    are a super-set of the checks for a smaller size access, I have also
    mechanically verified this by reading the code for all types of
    pointers. I could convince myself that it's true for all but
    PTR_TO_BTF_ID (check_ptr_to_btf_access). There, simply looking
    line-by-line does not immediately prove what we want. If anyone has any
    qualms, let me know.
    Signed-off-by: default avatarAndrei Matei <andreimatei1@gmail.com>
    Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
    Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/20231221232225.568730-2-andreimatei1@gmail.com
    8a021e7f
verifier.c 624 KB