Blame view
kernel/bpf/verifier.c
137 KB
51580e798 bpf: verifier (ad... |
1 |
/* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com |
969bf05eb bpf: direct packe... |
2 |
* Copyright (c) 2016 Facebook |
51580e798 bpf: verifier (ad... |
3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
* * This program is free software; you can redistribute it and/or * modify it under the terms of version 2 of the GNU General Public * License as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. */ #include <linux/kernel.h> #include <linux/types.h> #include <linux/slab.h> #include <linux/bpf.h> |
58e2af8b3 bpf: expose inter... |
17 |
#include <linux/bpf_verifier.h> |
51580e798 bpf: verifier (ad... |
18 19 20 21 |
#include <linux/filter.h> #include <net/netlink.h> #include <linux/file.h> #include <linux/vmalloc.h> |
ebb676daa bpf: Print functi... |
22 |
#include <linux/stringify.h> |
51580e798 bpf: verifier (ad... |
23 24 25 26 27 28 29 30 31 32 33 34 35 |
/* bpf_check() is a static code analyzer that walks eBPF program * instruction by instruction and updates register/stack state. * All paths of conditional branches are analyzed until 'bpf_exit' insn. * * The first pass is depth-first-search to check that the program is a DAG. * It rejects the following programs: * - larger than BPF_MAXINSNS insns * - if loop is present (detected via back-edge) * - unreachable insns exist (shouldn't be a forest. program = one function) * - out of bounds or malformed jumps * The second pass is all possible path descent from the 1st insn. * Since it's analyzing all pathes through the program, the length of the |
eba38a968 bpf: update the c... |
36 |
* analysis is limited to 64k insn, which may be hit even if total number of |
51580e798 bpf: verifier (ad... |
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
* insn is less then 4K, but there are too many branches that change stack/regs. * Number of 'branches to be analyzed' is limited to 1k * * On entry to each instruction, each register has a type, and the instruction * changes the types of the registers depending on instruction semantics. * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is * copied to R1. * * All registers are 64-bit. * R0 - return register * R1-R5 argument passing registers * R6-R9 callee saved registers * R10 - frame pointer read-only * * At the start of BPF program the register R1 contains a pointer to bpf_context * and has type PTR_TO_CTX. * * Verifier tracks arithmetic operations on pointers in case: * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20), * 1st insn copies R10 (which has FRAME_PTR) type into R1 * and 2nd arithmetic instruction is pattern matched to recognize * that it wants to construct a pointer to some element within stack. * So after 2nd insn, the register R1 has type PTR_TO_STACK * (and -20 constant is saved for further stack bounds checking). * Meaning that this reg is a pointer to stack plus known immediate constant. * |
f1174f77b bpf/verifier: rew... |
64 |
* Most of the time the registers have SCALAR_VALUE type, which |
51580e798 bpf: verifier (ad... |
65 |
* means the register has some value, but it's not a valid pointer. |
f1174f77b bpf/verifier: rew... |
66 |
* (like pointer plus pointer becomes SCALAR_VALUE type) |
51580e798 bpf: verifier (ad... |
67 68 |
* * When verifier sees load or store instructions the type of base register |
f1174f77b bpf/verifier: rew... |
69 |
* can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK. These are three pointer |
51580e798 bpf: verifier (ad... |
70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
* types recognized by check_mem_access() function. * * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value' * and the range of [ptr, ptr + map's value_size) is accessible. * * registers used to pass values to function calls are checked against * function argument constraints. * * ARG_PTR_TO_MAP_KEY is one of such argument constraints. * It means that the register type passed to this function must be * PTR_TO_STACK and it will be used inside the function as * 'pointer to map element key' * * For example the argument constraints for bpf_map_lookup_elem(): * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, * .arg1_type = ARG_CONST_MAP_PTR, * .arg2_type = ARG_PTR_TO_MAP_KEY, * * ret_type says that this function returns 'pointer to map elem value or null' * function expects 1st argument to be a const pointer to 'struct bpf_map' and * 2nd argument should be a pointer to stack, which will be used inside * the helper function as a pointer to map element key. * * On the kernel side the helper function looks like: * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) * { * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1; * void *key = (void *) (unsigned long) r2; * void *value; * * here kernel can access 'key' and 'map' pointers safely, knowing that * [key, key + map->key_size) bytes are valid and were initialized on * the stack of eBPF program. * } * * Corresponding eBPF program may look like: * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), * here verifier looks at prototype of map_lookup_elem() and sees: * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok, * Now verifier knows that this map has key of R1->map_ptr->key_size bytes * * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far, * Now verifier checks that [R2, R2 + map's key_size) are within stack limits * and were initialized prior to this call. * If it's ok, then verifier allows this BPF_CALL insn and looks at * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function * returns ether pointer to map value or NULL. * * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off' * insn, the register holding that pointer in the true branch changes state to * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false * branch. See check_cond_jmp_op(). * * After the call R0 is set to return type of the function and registers R1-R5 * are set to NOT_INIT to indicate that they are no longer readable. */ |
17a526706 bpf: verifier (ad... |
130 |
/* verifier_state + insn_idx are pushed to stack when branch is encountered */ |
58e2af8b3 bpf: expose inter... |
131 |
struct bpf_verifier_stack_elem { |
17a526706 bpf: verifier (ad... |
132 133 134 135 |
/* verifer state is 'st' * before processing instruction 'insn_idx' * and after processing instruction 'prev_insn_idx' */ |
58e2af8b3 bpf: expose inter... |
136 |
struct bpf_verifier_state st; |
17a526706 bpf: verifier (ad... |
137 138 |
int insn_idx; int prev_insn_idx; |
58e2af8b3 bpf: expose inter... |
139 |
struct bpf_verifier_stack_elem *next; |
cbd357008 bpf: verifier (ad... |
140 |
}; |
8e17c1b16 bpf/verifier: inc... |
141 |
#define BPF_COMPLEXITY_LIMIT_INSNS 131072 |
07016151a bpf, verifier: fu... |
142 |
#define BPF_COMPLEXITY_LIMIT_STACK 1024 |
fad73a1a3 bpf: Fix and simp... |
143 |
#define BPF_MAP_PTR_POISON ((void *)0xeB9F + POISON_POINTER_DELTA) |
33ff9823c bpf, verifier: ad... |
144 145 |
struct bpf_call_arg_meta { struct bpf_map *map_ptr; |
435faee1a bpf, verifier: ad... |
146 |
bool raw_mode; |
36bbef52c bpf: direct packe... |
147 |
bool pkt_access; |
435faee1a bpf, verifier: ad... |
148 149 |
int regno; int access_size; |
33ff9823c bpf, verifier: ad... |
150 |
}; |
cbd357008 bpf: verifier (ad... |
151 152 153 154 155 156 157 158 159 160 161 162 |
/* verbose verifier prints what it's seeing * bpf_check() is called under lock, so no race to access these global vars */ static u32 log_level, log_size, log_len; static char *log_buf; static DEFINE_MUTEX(bpf_verifier_lock); /* log_level controls verbosity level of eBPF verifier. * verbose() is used to dump the verification trace to the log, so the user * can figure out what's wrong with the program */ |
1d056d9c9 bpf, verifier: an... |
163 |
static __printf(1, 2) void verbose(const char *fmt, ...) |
cbd357008 bpf: verifier (ad... |
164 165 166 167 168 169 170 171 172 173 |
{ va_list args; if (log_level == 0 || log_len >= log_size - 1) return; va_start(args, fmt); log_len += vscnprintf(log_buf + log_len, log_size - log_len, fmt, args); va_end(args); } |
17a526706 bpf: verifier (ad... |
174 175 176 |
/* string representation of 'enum bpf_reg_type' */ static const char * const reg_type_str[] = { [NOT_INIT] = "?", |
f1174f77b bpf/verifier: rew... |
177 |
[SCALAR_VALUE] = "inv", |
17a526706 bpf: verifier (ad... |
178 179 180 181 |
[PTR_TO_CTX] = "ctx", [CONST_PTR_TO_MAP] = "map_ptr", [PTR_TO_MAP_VALUE] = "map_value", [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", |
17a526706 bpf: verifier (ad... |
182 |
[PTR_TO_STACK] = "fp", |
969bf05eb bpf: direct packe... |
183 184 |
[PTR_TO_PACKET] = "pkt", [PTR_TO_PACKET_END] = "pkt_end", |
17a526706 bpf: verifier (ad... |
185 |
}; |
ebb676daa bpf: Print functi... |
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
#define __BPF_FUNC_STR_FN(x) [BPF_FUNC_ ## x] = __stringify(bpf_ ## x) static const char * const func_id_str[] = { __BPF_FUNC_MAPPER(__BPF_FUNC_STR_FN) }; #undef __BPF_FUNC_STR_FN static const char *func_id_name(int id) { BUILD_BUG_ON(ARRAY_SIZE(func_id_str) != __BPF_FUNC_MAX_ID); if (id >= 0 && id < __BPF_FUNC_MAX_ID && func_id_str[id]) return func_id_str[id]; else return "unknown"; } |
58e2af8b3 bpf: expose inter... |
201 |
static void print_verifier_state(struct bpf_verifier_state *state) |
17a526706 bpf: verifier (ad... |
202 |
{ |
58e2af8b3 bpf: expose inter... |
203 |
struct bpf_reg_state *reg; |
17a526706 bpf: verifier (ad... |
204 205 206 207 |
enum bpf_reg_type t; int i; for (i = 0; i < MAX_BPF_REG; i++) { |
1a0dc1ac1 bpf: cleanup veri... |
208 209 |
reg = &state->regs[i]; t = reg->type; |
17a526706 bpf: verifier (ad... |
210 211 212 |
if (t == NOT_INIT) continue; verbose(" R%d=%s", i, reg_type_str[t]); |
f1174f77b bpf/verifier: rew... |
213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 |
if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && tnum_is_const(reg->var_off)) { /* reg->off should be 0 for SCALAR_VALUE */ verbose("%lld", reg->var_off.value + reg->off); } else { verbose("(id=%d", reg->id); if (t != SCALAR_VALUE) verbose(",off=%d", reg->off); if (t == PTR_TO_PACKET) verbose(",r=%d", reg->range); else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE || t == PTR_TO_MAP_VALUE_OR_NULL) verbose(",ks=%d,vs=%d", reg->map_ptr->key_size, reg->map_ptr->value_size); |
7d1238f21 bpf/verifier: mor... |
229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 |
if (tnum_is_const(reg->var_off)) { /* Typically an immediate SCALAR_VALUE, but * could be a pointer whose offset is too big * for reg->off */ verbose(",imm=%llx", reg->var_off.value); } else { if (reg->smin_value != reg->umin_value && reg->smin_value != S64_MIN) verbose(",smin_value=%lld", (long long)reg->smin_value); if (reg->smax_value != reg->umax_value && reg->smax_value != S64_MAX) verbose(",smax_value=%lld", (long long)reg->smax_value); if (reg->umin_value != 0) verbose(",umin_value=%llu", (unsigned long long)reg->umin_value); if (reg->umax_value != U64_MAX) verbose(",umax_value=%llu", (unsigned long long)reg->umax_value); if (!tnum_is_unknown(reg->var_off)) { char tn_buf[48]; |
f1174f77b bpf/verifier: rew... |
252 |
|
7d1238f21 bpf/verifier: mor... |
253 254 255 |
tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); verbose(",var_off=%s", tn_buf); } |
f1174f77b bpf/verifier: rew... |
256 257 258 |
} verbose(")"); } |
17a526706 bpf: verifier (ad... |
259 |
} |
9c3997601 bpf: reduce verif... |
260 |
for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
1a0dc1ac1 bpf: cleanup veri... |
261 |
if (state->stack_slot_type[i] == STACK_SPILL) |
17a526706 bpf: verifier (ad... |
262 |
verbose(" fp%d=%s", -MAX_BPF_STACK + i, |
1a0dc1ac1 bpf: cleanup veri... |
263 |
reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]); |
17a526706 bpf: verifier (ad... |
264 265 266 267 |
} verbose(" "); } |
cbd357008 bpf: verifier (ad... |
268 269 270 271 272 273 274 275 276 277 |
static const char *const bpf_class_string[] = { [BPF_LD] = "ld", [BPF_LDX] = "ldx", [BPF_ST] = "st", [BPF_STX] = "stx", [BPF_ALU] = "alu", [BPF_JMP] = "jmp", [BPF_RET] = "BUG", [BPF_ALU64] = "alu64", }; |
687f07156 bpf: fix out of b... |
278 |
static const char *const bpf_alu_string[16] = { |
cbd357008 bpf: verifier (ad... |
279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 |
[BPF_ADD >> 4] = "+=", [BPF_SUB >> 4] = "-=", [BPF_MUL >> 4] = "*=", [BPF_DIV >> 4] = "/=", [BPF_OR >> 4] = "|=", [BPF_AND >> 4] = "&=", [BPF_LSH >> 4] = "<<=", [BPF_RSH >> 4] = ">>=", [BPF_NEG >> 4] = "neg", [BPF_MOD >> 4] = "%=", [BPF_XOR >> 4] = "^=", [BPF_MOV >> 4] = "=", [BPF_ARSH >> 4] = "s>>=", [BPF_END >> 4] = "endian", }; static const char *const bpf_ldst_string[] = { [BPF_W >> 3] = "u32", [BPF_H >> 3] = "u16", [BPF_B >> 3] = "u8", [BPF_DW >> 3] = "u64", }; |
687f07156 bpf: fix out of b... |
301 |
static const char *const bpf_jmp_string[16] = { |
cbd357008 bpf: verifier (ad... |
302 303 304 |
[BPF_JA >> 4] = "jmp", [BPF_JEQ >> 4] = "==", [BPF_JGT >> 4] = ">", |
b4e432f10 bpf: enable BPF_J... |
305 |
[BPF_JLT >> 4] = "<", |
cbd357008 bpf: verifier (ad... |
306 |
[BPF_JGE >> 4] = ">=", |
b4e432f10 bpf: enable BPF_J... |
307 |
[BPF_JLE >> 4] = "<=", |
cbd357008 bpf: verifier (ad... |
308 309 310 |
[BPF_JSET >> 4] = "&", [BPF_JNE >> 4] = "!=", [BPF_JSGT >> 4] = "s>", |
b4e432f10 bpf: enable BPF_J... |
311 |
[BPF_JSLT >> 4] = "s<", |
cbd357008 bpf: verifier (ad... |
312 |
[BPF_JSGE >> 4] = "s>=", |
b4e432f10 bpf: enable BPF_J... |
313 |
[BPF_JSLE >> 4] = "s<=", |
cbd357008 bpf: verifier (ad... |
314 315 316 |
[BPF_CALL >> 4] = "call", [BPF_EXIT >> 4] = "exit", }; |
0d0e57697 bpf: don't let ld... |
317 318 |
static void print_bpf_insn(const struct bpf_verifier_env *env, const struct bpf_insn *insn) |
cbd357008 bpf: verifier (ad... |
319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 |
{ u8 class = BPF_CLASS(insn->code); if (class == BPF_ALU || class == BPF_ALU64) { if (BPF_SRC(insn->code) == BPF_X) verbose("(%02x) %sr%d %s %sr%d ", insn->code, class == BPF_ALU ? "(u32) " : "", insn->dst_reg, bpf_alu_string[BPF_OP(insn->code) >> 4], class == BPF_ALU ? "(u32) " : "", insn->src_reg); else verbose("(%02x) %sr%d %s %s%d ", insn->code, class == BPF_ALU ? "(u32) " : "", insn->dst_reg, bpf_alu_string[BPF_OP(insn->code) >> 4], class == BPF_ALU ? "(u32) " : "", insn->imm); } else if (class == BPF_STX) { if (BPF_MODE(insn->code) == BPF_MEM) verbose("(%02x) *(%s *)(r%d %+d) = r%d ", insn->code, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->dst_reg, insn->off, insn->src_reg); else if (BPF_MODE(insn->code) == BPF_XADD) verbose("(%02x) lock *(%s *)(r%d %+d) += r%d ", insn->code, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->dst_reg, insn->off, insn->src_reg); else verbose("BUG_%02x ", insn->code); } else if (class == BPF_ST) { if (BPF_MODE(insn->code) != BPF_MEM) { verbose("BUG_st_%02x ", insn->code); return; } verbose("(%02x) *(%s *)(r%d %+d) = %d ", insn->code, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->dst_reg, insn->off, insn->imm); } else if (class == BPF_LDX) { if (BPF_MODE(insn->code) != BPF_MEM) { verbose("BUG_ldx_%02x ", insn->code); return; } verbose("(%02x) r%d = *(%s *)(r%d %+d) ", insn->code, insn->dst_reg, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->src_reg, insn->off); } else if (class == BPF_LD) { if (BPF_MODE(insn->code) == BPF_ABS) { verbose("(%02x) r0 = *(%s *)skb[%d] ", insn->code, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->imm); } else if (BPF_MODE(insn->code) == BPF_IND) { verbose("(%02x) r0 = *(%s *)skb[r%d + %d] ", insn->code, bpf_ldst_string[BPF_SIZE(insn->code) >> 3], insn->src_reg, insn->imm); |
0d0e57697 bpf: don't let ld... |
393 394 395 396 397 398 399 400 401 402 403 404 405 406 |
} else if (BPF_MODE(insn->code) == BPF_IMM && BPF_SIZE(insn->code) == BPF_DW) { /* At this point, we already made sure that the second * part of the ldimm64 insn is accessible. */ u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD; if (map_ptr && !env->allow_ptr_leaks) imm = 0; verbose("(%02x) r%d = 0x%llx ", insn->code, insn->dst_reg, (unsigned long long)imm); |
cbd357008 bpf: verifier (ad... |
407 408 409 410 411 412 413 414 415 |
} else { verbose("BUG_ld_%02x ", insn->code); return; } } else if (class == BPF_JMP) { u8 opcode = BPF_OP(insn->code); if (opcode == BPF_CALL) { |
ebb676daa bpf: Print functi... |
416 417 418 |
verbose("(%02x) call %s#%d ", insn->code, func_id_name(insn->imm), insn->imm); |
cbd357008 bpf: verifier (ad... |
419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 |
} else if (insn->code == (BPF_JMP | BPF_JA)) { verbose("(%02x) goto pc%+d ", insn->code, insn->off); } else if (insn->code == (BPF_JMP | BPF_EXIT)) { verbose("(%02x) exit ", insn->code); } else if (BPF_SRC(insn->code) == BPF_X) { verbose("(%02x) if r%d %s r%d goto pc%+d ", insn->code, insn->dst_reg, bpf_jmp_string[BPF_OP(insn->code) >> 4], insn->src_reg, insn->off); } else { verbose("(%02x) if r%d %s 0x%x goto pc%+d ", insn->code, insn->dst_reg, bpf_jmp_string[BPF_OP(insn->code) >> 4], insn->imm, insn->off); } } else { verbose("(%02x) %s ", insn->code, bpf_class_string[class]); } } |
58e2af8b3 bpf: expose inter... |
444 |
static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx) |
17a526706 bpf: verifier (ad... |
445 |
{ |
58e2af8b3 bpf: expose inter... |
446 |
struct bpf_verifier_stack_elem *elem; |
17a526706 bpf: verifier (ad... |
447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 |
int insn_idx; if (env->head == NULL) return -1; memcpy(&env->cur_state, &env->head->st, sizeof(env->cur_state)); insn_idx = env->head->insn_idx; if (prev_insn_idx) *prev_insn_idx = env->head->prev_insn_idx; elem = env->head->next; kfree(env->head); env->head = elem; env->stack_size--; return insn_idx; } |
58e2af8b3 bpf: expose inter... |
462 463 |
static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, int insn_idx, int prev_insn_idx) |
17a526706 bpf: verifier (ad... |
464 |
{ |
58e2af8b3 bpf: expose inter... |
465 |
struct bpf_verifier_stack_elem *elem; |
17a526706 bpf: verifier (ad... |
466 |
|
58e2af8b3 bpf: expose inter... |
467 |
elem = kmalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); |
17a526706 bpf: verifier (ad... |
468 469 470 471 472 473 474 475 476 |
if (!elem) goto err; memcpy(&elem->st, &env->cur_state, sizeof(env->cur_state)); elem->insn_idx = insn_idx; elem->prev_insn_idx = prev_insn_idx; elem->next = env->head; env->head = elem; env->stack_size++; |
07016151a bpf, verifier: fu... |
477 |
if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
17a526706 bpf: verifier (ad... |
478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 |
verbose("BPF program is too complex "); goto err; } return &elem->st; err: /* pop all elements and return */ while (pop_stack(env, NULL) >= 0); return NULL; } #define CALLER_SAVED_REGS 6 static const int caller_saved[CALLER_SAVED_REGS] = { BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5 }; |
f1174f77b bpf/verifier: rew... |
493 |
static void __mark_reg_not_init(struct bpf_reg_state *reg); |
b03c9f9fd bpf/verifier: tra... |
494 495 496 497 498 499 500 501 502 503 504 505 |
/* Mark the unknown part of a register (variable offset or scalar value) as * known to have the value @imm. */ static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) { reg->id = 0; reg->var_off = tnum_const(imm); reg->smin_value = (s64)imm; reg->smax_value = (s64)imm; reg->umin_value = imm; reg->umax_value = imm; } |
f1174f77b bpf/verifier: rew... |
506 507 508 509 |
/* Mark the 'variable offset' part of a register as zero. This should be * used only on registers holding a pointer type. */ static void __mark_reg_known_zero(struct bpf_reg_state *reg) |
a9789ef9a bpf: properly res... |
510 |
{ |
b03c9f9fd bpf/verifier: tra... |
511 |
__mark_reg_known(reg, 0); |
f1174f77b bpf/verifier: rew... |
512 |
} |
a9789ef9a bpf: properly res... |
513 |
|
f1174f77b bpf/verifier: rew... |
514 515 516 517 518 519 520 521 522 523 524 525 |
static void mark_reg_known_zero(struct bpf_reg_state *regs, u32 regno) { if (WARN_ON(regno >= MAX_BPF_REG)) { verbose("mark_reg_known_zero(regs, %u) ", regno); /* Something bad happened, let's kill all regs */ for (regno = 0; regno < MAX_BPF_REG; regno++) __mark_reg_not_init(regs + regno); return; } __mark_reg_known_zero(regs + regno); } |
b03c9f9fd bpf/verifier: tra... |
526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 |
/* Attempts to improve min/max values based on var_off information */ static void __update_reg_bounds(struct bpf_reg_state *reg) { /* min signed is max(sign bit) | min(other bits) */ reg->smin_value = max_t(s64, reg->smin_value, reg->var_off.value | (reg->var_off.mask & S64_MIN)); /* max signed is min(sign bit) | max(other bits) */ reg->smax_value = min_t(s64, reg->smax_value, reg->var_off.value | (reg->var_off.mask & S64_MAX)); reg->umin_value = max(reg->umin_value, reg->var_off.value); reg->umax_value = min(reg->umax_value, reg->var_off.value | reg->var_off.mask); } /* Uses signed min/max values to inform unsigned, and vice-versa */ static void __reg_deduce_bounds(struct bpf_reg_state *reg) { /* Learn sign from signed bounds. * If we cannot cross the sign boundary, then signed and unsigned bounds * are the same, so combine. This works even in the negative case, e.g. * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff. */ if (reg->smin_value >= 0 || reg->smax_value < 0) { reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, reg->umin_value); reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, reg->umax_value); return; } /* Learn sign from unsigned bounds. Signed bounds cross the sign * boundary, so we must be careful. */ if ((s64)reg->umax_value >= 0) { /* Positive. We can't learn anything from the smin, but smax * is positive, hence safe. */ reg->smin_value = reg->umin_value; reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, reg->umax_value); } else if ((s64)reg->umin_value < 0) { /* Negative. We can't learn anything from the smax, but smin * is negative, hence safe. */ reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, reg->umin_value); reg->smax_value = reg->umax_value; } } /* Attempts to improve var_off based on unsigned min/max information */ static void __reg_bound_offset(struct bpf_reg_state *reg) { reg->var_off = tnum_intersect(reg->var_off, tnum_range(reg->umin_value, reg->umax_value)); } /* Reset the min/max bounds of a register */ static void __mark_reg_unbounded(struct bpf_reg_state *reg) { reg->smin_value = S64_MIN; reg->smax_value = S64_MAX; reg->umin_value = 0; reg->umax_value = U64_MAX; } |
f1174f77b bpf/verifier: rew... |
591 592 593 594 595 596 597 |
/* Mark a register as having a completely unknown (scalar) value. */ static void __mark_reg_unknown(struct bpf_reg_state *reg) { reg->type = SCALAR_VALUE; reg->id = 0; reg->off = 0; reg->var_off = tnum_unknown; |
b03c9f9fd bpf/verifier: tra... |
598 |
__mark_reg_unbounded(reg); |
f1174f77b bpf/verifier: rew... |
599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 |
} static void mark_reg_unknown(struct bpf_reg_state *regs, u32 regno) { if (WARN_ON(regno >= MAX_BPF_REG)) { verbose("mark_reg_unknown(regs, %u) ", regno); /* Something bad happened, let's kill all regs */ for (regno = 0; regno < MAX_BPF_REG; regno++) __mark_reg_not_init(regs + regno); return; } __mark_reg_unknown(regs + regno); } static void __mark_reg_not_init(struct bpf_reg_state *reg) { __mark_reg_unknown(reg); reg->type = NOT_INIT; } static void mark_reg_not_init(struct bpf_reg_state *regs, u32 regno) { if (WARN_ON(regno >= MAX_BPF_REG)) { verbose("mark_reg_not_init(regs, %u) ", regno); /* Something bad happened, let's kill all regs */ for (regno = 0; regno < MAX_BPF_REG; regno++) __mark_reg_not_init(regs + regno); return; } __mark_reg_not_init(regs + regno); |
a9789ef9a bpf: properly res... |
631 |
} |
58e2af8b3 bpf: expose inter... |
632 |
static void init_reg_state(struct bpf_reg_state *regs) |
17a526706 bpf: verifier (ad... |
633 634 |
{ int i; |
dc503a8ad bpf/verifier: tra... |
635 |
for (i = 0; i < MAX_BPF_REG; i++) { |
a9789ef9a bpf: properly res... |
636 |
mark_reg_not_init(regs, i); |
dc503a8ad bpf/verifier: tra... |
637 638 |
regs[i].live = REG_LIVE_NONE; } |
17a526706 bpf: verifier (ad... |
639 640 |
/* frame pointer */ |
f1174f77b bpf/verifier: rew... |
641 642 |
regs[BPF_REG_FP].type = PTR_TO_STACK; mark_reg_known_zero(regs, BPF_REG_FP); |
17a526706 bpf: verifier (ad... |
643 644 645 |
/* 1st arg to a function */ regs[BPF_REG_1].type = PTR_TO_CTX; |
f1174f77b bpf/verifier: rew... |
646 |
mark_reg_known_zero(regs, BPF_REG_1); |
6760bf2dd bpf: fix mark_reg... |
647 |
} |
17a526706 bpf: verifier (ad... |
648 649 650 651 652 |
enum reg_arg_type { SRC_OP, /* register is used as source operand */ DST_OP, /* register is used as destination operand */ DST_OP_NO_MARK /* same as above, check only, don't mark */ }; |
dc503a8ad bpf/verifier: tra... |
653 654 655 |
static void mark_reg_read(const struct bpf_verifier_state *state, u32 regno) { struct bpf_verifier_state *parent = state->parent; |
8fe2d6ccd bpf: fix liveness... |
656 657 658 |
if (regno == BPF_REG_FP) /* We don't need to worry about FP liveness because it's read-only */ return; |
dc503a8ad bpf/verifier: tra... |
659 660 661 662 663 664 665 666 667 668 669 670 |
while (parent) { /* if read wasn't screened by an earlier write ... */ if (state->regs[regno].live & REG_LIVE_WRITTEN) break; /* ... then we depend on parent's value */ parent->regs[regno].live |= REG_LIVE_READ; state = parent; parent = state->parent; } } static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, |
17a526706 bpf: verifier (ad... |
671 672 |
enum reg_arg_type t) { |
dc503a8ad bpf/verifier: tra... |
673 |
struct bpf_reg_state *regs = env->cur_state.regs; |
17a526706 bpf: verifier (ad... |
674 675 676 677 678 679 680 681 682 683 684 685 686 |
if (regno >= MAX_BPF_REG) { verbose("R%d is invalid ", regno); return -EINVAL; } if (t == SRC_OP) { /* check whether register used as source operand can be read */ if (regs[regno].type == NOT_INIT) { verbose("R%d !read_ok ", regno); return -EACCES; } |
dc503a8ad bpf/verifier: tra... |
687 |
mark_reg_read(&env->cur_state, regno); |
17a526706 bpf: verifier (ad... |
688 689 690 691 692 693 694 |
} else { /* check whether register used as dest operand can be written to */ if (regno == BPF_REG_FP) { verbose("frame pointer is read only "); return -EACCES; } |
dc503a8ad bpf/verifier: tra... |
695 |
regs[regno].live |= REG_LIVE_WRITTEN; |
17a526706 bpf: verifier (ad... |
696 |
if (t == DST_OP) |
f1174f77b bpf/verifier: rew... |
697 |
mark_reg_unknown(regs, regno); |
17a526706 bpf: verifier (ad... |
698 699 700 |
} return 0; } |
1be7f75d1 bpf: enable non-r... |
701 702 703 704 705 706 707 |
static bool is_spillable_regtype(enum bpf_reg_type type) { switch (type) { case PTR_TO_MAP_VALUE: case PTR_TO_MAP_VALUE_OR_NULL: case PTR_TO_STACK: case PTR_TO_CTX: |
969bf05eb bpf: direct packe... |
708 709 |
case PTR_TO_PACKET: case PTR_TO_PACKET_END: |
1be7f75d1 bpf: enable non-r... |
710 711 712 713 714 715 |
case CONST_PTR_TO_MAP: return true; default: return false; } } |
17a526706 bpf: verifier (ad... |
716 717 718 |
/* check_stack_read/write functions track spill/fill of registers, * stack boundary and alignment are checked in check_mem_access() */ |
58e2af8b3 bpf: expose inter... |
719 720 |
static int check_stack_write(struct bpf_verifier_state *state, int off, int size, int value_regno) |
17a526706 bpf: verifier (ad... |
721 |
{ |
dc503a8ad bpf/verifier: tra... |
722 |
int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; |
9c3997601 bpf: reduce verif... |
723 724 725 |
/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, * so it's aligned access and [off, off + size) are within stack limits */ |
17a526706 bpf: verifier (ad... |
726 727 |
if (value_regno >= 0 && |
1be7f75d1 bpf: enable non-r... |
728 |
is_spillable_regtype(state->regs[value_regno].type)) { |
17a526706 bpf: verifier (ad... |
729 730 |
/* register containing pointer is being spilled into stack */ |
9c3997601 bpf: reduce verif... |
731 |
if (size != BPF_REG_SIZE) { |
17a526706 bpf: verifier (ad... |
732 733 734 735 |
verbose("invalid size of register spill "); return -EACCES; } |
17a526706 bpf: verifier (ad... |
736 |
/* save register state */ |
dc503a8ad bpf/verifier: tra... |
737 738 |
state->spilled_regs[spi] = state->regs[value_regno]; state->spilled_regs[spi].live |= REG_LIVE_WRITTEN; |
17a526706 bpf: verifier (ad... |
739 |
|
9c3997601 bpf: reduce verif... |
740 741 742 |
for (i = 0; i < BPF_REG_SIZE; i++) state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL; } else { |
17a526706 bpf: verifier (ad... |
743 |
/* regular write of data into stack */ |
dc503a8ad bpf/verifier: tra... |
744 |
state->spilled_regs[spi] = (struct bpf_reg_state) {}; |
9c3997601 bpf: reduce verif... |
745 746 747 |
for (i = 0; i < size; i++) state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC; |
17a526706 bpf: verifier (ad... |
748 749 750 |
} return 0; } |
dc503a8ad bpf/verifier: tra... |
751 752 753 754 755 756 757 758 759 760 761 762 763 764 |
static void mark_stack_slot_read(const struct bpf_verifier_state *state, int slot) { struct bpf_verifier_state *parent = state->parent; while (parent) { /* if read wasn't screened by an earlier write ... */ if (state->spilled_regs[slot].live & REG_LIVE_WRITTEN) break; /* ... then we depend on parent's value */ parent->spilled_regs[slot].live |= REG_LIVE_READ; state = parent; parent = state->parent; } } |
58e2af8b3 bpf: expose inter... |
765 |
static int check_stack_read(struct bpf_verifier_state *state, int off, int size, |
17a526706 bpf: verifier (ad... |
766 767 |
int value_regno) { |
9c3997601 bpf: reduce verif... |
768 |
u8 *slot_type; |
dc503a8ad bpf/verifier: tra... |
769 |
int i, spi; |
17a526706 bpf: verifier (ad... |
770 |
|
9c3997601 bpf: reduce verif... |
771 |
slot_type = &state->stack_slot_type[MAX_BPF_STACK + off]; |
17a526706 bpf: verifier (ad... |
772 |
|
9c3997601 bpf: reduce verif... |
773 774 |
if (slot_type[0] == STACK_SPILL) { if (size != BPF_REG_SIZE) { |
17a526706 bpf: verifier (ad... |
775 776 777 778 |
verbose("invalid size of register spill "); return -EACCES; } |
9c3997601 bpf: reduce verif... |
779 780 |
for (i = 1; i < BPF_REG_SIZE; i++) { if (slot_type[i] != STACK_SPILL) { |
17a526706 bpf: verifier (ad... |
781 782 783 784 785 |
verbose("corrupted spill memory "); return -EACCES; } } |
dc503a8ad bpf/verifier: tra... |
786 787 788 |
spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; if (value_regno >= 0) { |
17a526706 bpf: verifier (ad... |
789 |
/* restore register state from stack */ |
dc503a8ad bpf/verifier: tra... |
790 791 792 |
state->regs[value_regno] = state->spilled_regs[spi]; mark_stack_slot_read(state, spi); } |
17a526706 bpf: verifier (ad... |
793 794 795 |
return 0; } else { for (i = 0; i < size; i++) { |
9c3997601 bpf: reduce verif... |
796 |
if (slot_type[i] != STACK_MISC) { |
17a526706 bpf: verifier (ad... |
797 798 799 800 801 802 803 804 |
verbose("invalid read from stack off %d+%d size %d ", off, i, size); return -EACCES; } } if (value_regno >= 0) /* have read misc data from the stack */ |
f1174f77b bpf/verifier: rew... |
805 |
mark_reg_unknown(state->regs, value_regno); |
17a526706 bpf: verifier (ad... |
806 807 808 809 810 |
return 0; } } /* check read/write into map element returned by bpf_map_lookup_elem() */ |
f1174f77b bpf/verifier: rew... |
811 |
static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, |
17a526706 bpf: verifier (ad... |
812 813 814 |
int size) { struct bpf_map *map = env->cur_state.regs[regno].map_ptr; |
5722569bb bpf: allow helper... |
815 |
if (off < 0 || size <= 0 || off + size > map->value_size) { |
17a526706 bpf: verifier (ad... |
816 817 818 819 820 821 822 |
verbose("invalid access to map value, value_size=%d off=%d size=%d ", map->value_size, off, size); return -EACCES; } return 0; } |
f1174f77b bpf/verifier: rew... |
823 824 |
/* check read/write into a map element with possible variable offset */ static int check_map_access(struct bpf_verifier_env *env, u32 regno, |
dbcfe5f76 bpf: split check_... |
825 826 827 828 829 |
int off, int size) { struct bpf_verifier_state *state = &env->cur_state; struct bpf_reg_state *reg = &state->regs[regno]; int err; |
f1174f77b bpf/verifier: rew... |
830 831 832 |
/* We may have adjusted the register to this map value, so we * need to try adding each of min_value and max_value to off * to make sure our theoretical access will be safe. |
dbcfe5f76 bpf: split check_... |
833 834 835 |
*/ if (log_level) print_verifier_state(state); |
dbcfe5f76 bpf: split check_... |
836 837 838 839 840 841 |
/* The minimum value is only important with signed * comparisons where we can't assume the floor of a * value is 0. If we are using signed variables for our * index'es we need to make sure that whatever we use * will have a set floor within our range. */ |
b03c9f9fd bpf/verifier: tra... |
842 |
if (reg->smin_value < 0) { |
dbcfe5f76 bpf: split check_... |
843 844 845 846 847 |
verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check. ", regno); return -EACCES; } |
b03c9f9fd bpf/verifier: tra... |
848 |
err = __check_map_access(env, regno, reg->smin_value + off, size); |
dbcfe5f76 bpf: split check_... |
849 |
if (err) { |
f1174f77b bpf/verifier: rew... |
850 851 |
verbose("R%d min value is outside of the array range ", regno); |
dbcfe5f76 bpf: split check_... |
852 853 |
return err; } |
b03c9f9fd bpf/verifier: tra... |
854 855 856 |
/* If we haven't set a max value then we need to bail since we can't be * sure we won't do bad things. * If reg->umax_value + off could overflow, treat that as unbounded too. |
dbcfe5f76 bpf: split check_... |
857 |
*/ |
b03c9f9fd bpf/verifier: tra... |
858 |
if (reg->umax_value >= BPF_MAX_VAR_OFF) { |
dbcfe5f76 bpf: split check_... |
859 860 861 862 863 |
verbose("R%d unbounded memory access, make sure to bounds check any array access into a map ", regno); return -EACCES; } |
b03c9f9fd bpf/verifier: tra... |
864 |
err = __check_map_access(env, regno, reg->umax_value + off, size); |
f1174f77b bpf/verifier: rew... |
865 866 867 868 |
if (err) verbose("R%d max value is outside of the array range ", regno); return err; |
dbcfe5f76 bpf: split check_... |
869 |
} |
969bf05eb bpf: direct packe... |
870 |
#define MAX_PACKET_OFF 0xffff |
58e2af8b3 bpf: expose inter... |
871 |
static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, |
3a0af8fd6 bpf: BPF for ligh... |
872 873 |
const struct bpf_call_arg_meta *meta, enum bpf_access_type t) |
4acf6c0b8 bpf: enable direc... |
874 |
{ |
36bbef52c bpf: direct packe... |
875 |
switch (env->prog->type) { |
3a0af8fd6 bpf: BPF for ligh... |
876 877 878 879 880 |
case BPF_PROG_TYPE_LWT_IN: case BPF_PROG_TYPE_LWT_OUT: /* dst_input() and dst_output() can't write for now */ if (t == BPF_WRITE) return false; |
7e57fbb2a bpf: reduce compi... |
881 |
/* fallthrough */ |
36bbef52c bpf: direct packe... |
882 883 |
case BPF_PROG_TYPE_SCHED_CLS: case BPF_PROG_TYPE_SCHED_ACT: |
4acf6c0b8 bpf: enable direc... |
884 |
case BPF_PROG_TYPE_XDP: |
3a0af8fd6 bpf: BPF for ligh... |
885 |
case BPF_PROG_TYPE_LWT_XMIT: |
8a31db561 bpf: add access t... |
886 |
case BPF_PROG_TYPE_SK_SKB: |
36bbef52c bpf: direct packe... |
887 888 889 890 |
if (meta) return meta->pkt_access; env->seen_direct_write = true; |
4acf6c0b8 bpf: enable direc... |
891 892 893 894 895 |
return true; default: return false; } } |
f1174f77b bpf/verifier: rew... |
896 897 |
static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, int size) |
969bf05eb bpf: direct packe... |
898 |
{ |
58e2af8b3 bpf: expose inter... |
899 900 |
struct bpf_reg_state *regs = env->cur_state.regs; struct bpf_reg_state *reg = ®s[regno]; |
969bf05eb bpf: direct packe... |
901 |
|
f1174f77b bpf/verifier: rew... |
902 |
if (off < 0 || size <= 0 || (u64)off + size > reg->range) { |
d91b28ed4 bpf: support decr... |
903 904 905 |
verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d) ", off, size, regno, reg->id, reg->off, reg->range); |
969bf05eb bpf: direct packe... |
906 907 908 909 |
return -EACCES; } return 0; } |
f1174f77b bpf/verifier: rew... |
910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 |
static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, int size) { struct bpf_reg_state *regs = env->cur_state.regs; struct bpf_reg_state *reg = ®s[regno]; int err; /* We may have added a variable offset to the packet pointer; but any * reg->range we have comes after that. We are only checking the fixed * offset. */ /* We don't allow negative numbers, because we aren't tracking enough * detail to prove they're safe. */ |
b03c9f9fd bpf/verifier: tra... |
925 |
if (reg->smin_value < 0) { |
f1174f77b bpf/verifier: rew... |
926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 |
verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check. ", regno); return -EACCES; } err = __check_packet_access(env, regno, off, size); if (err) { verbose("R%d offset is outside of the packet ", regno); return err; } return err; } /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ |
31fd85816 bpf: permits narr... |
941 |
static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, |
19de99f70 bpf: fix matching... |
942 |
enum bpf_access_type t, enum bpf_reg_type *reg_type) |
17a526706 bpf: verifier (ad... |
943 |
{ |
f96da0947 bpf: simplify nar... |
944 945 946 |
struct bpf_insn_access_aux info = { .reg_type = *reg_type, }; |
31fd85816 bpf: permits narr... |
947 |
|
13a27dfc6 bpf: enable non-c... |
948 949 950 |
/* for analyzer ctx accesses are already validated and converted */ if (env->analyzer_ops) return 0; |
17a526706 bpf: verifier (ad... |
951 |
if (env->prog->aux->ops->is_valid_access && |
239946314 bpf: possibly avo... |
952 |
env->prog->aux->ops->is_valid_access(off, size, t, &info)) { |
f96da0947 bpf: simplify nar... |
953 954 955 956 957 958 |
/* A non zero info.ctx_field_size indicates that this field is a * candidate for later verifier transformation to load the whole * field and then apply a mask when accessed with a narrower * access than actual ctx access size. A zero info.ctx_field_size * will only allow for whole field access and rejects any other * type of narrower access. |
31fd85816 bpf: permits narr... |
959 |
*/ |
f96da0947 bpf: simplify nar... |
960 |
env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size; |
239946314 bpf: possibly avo... |
961 |
*reg_type = info.reg_type; |
31fd85816 bpf: permits narr... |
962 |
|
32bbe0078 bpf: sanitize bpf... |
963 964 965 |
/* remember the offset of last byte accessed in ctx */ if (env->prog->aux->max_ctx_offset < off + size) env->prog->aux->max_ctx_offset = off + size; |
17a526706 bpf: verifier (ad... |
966 |
return 0; |
32bbe0078 bpf: sanitize bpf... |
967 |
} |
17a526706 bpf: verifier (ad... |
968 969 970 971 972 |
verbose("invalid bpf_context access off=%d size=%d ", off, size); return -EACCES; } |
4cabc5b18 bpf: fix mixed si... |
973 974 |
static bool __is_pointer_value(bool allow_ptr_leaks, const struct bpf_reg_state *reg) |
1be7f75d1 bpf: enable non-r... |
975 |
{ |
4cabc5b18 bpf: fix mixed si... |
976 |
if (allow_ptr_leaks) |
1be7f75d1 bpf: enable non-r... |
977 |
return false; |
f1174f77b bpf/verifier: rew... |
978 |
return reg->type != SCALAR_VALUE; |
1be7f75d1 bpf: enable non-r... |
979 |
} |
4cabc5b18 bpf: fix mixed si... |
980 981 982 983 |
static bool is_pointer_value(struct bpf_verifier_env *env, int regno) { return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]); } |
a17536742 bpf: reject store... |
984 985 986 987 988 989 |
static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) { const struct bpf_reg_state *reg = &env->cur_state.regs[regno]; return reg->type == PTR_TO_CTX; } |
3e272a8cd bpf: allow xadd o... |
990 991 992 993 994 995 |
static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) { const struct bpf_reg_state *reg = &env->cur_state.regs[regno]; return reg->type == PTR_TO_PACKET; } |
79adffcd6 bpf, verifier: fi... |
996 |
static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg, |
d11744167 bpf: Track alignm... |
997 |
int off, int size, bool strict) |
969bf05eb bpf: direct packe... |
998 |
{ |
f1174f77b bpf/verifier: rew... |
999 |
struct tnum reg_off; |
e07b98d9b bpf: Add strict a... |
1000 |
int ip_align; |
d11744167 bpf: Track alignm... |
1001 1002 1003 1004 |
/* Byte size accesses are always allowed. */ if (!strict || size == 1) return 0; |
e4eda884d net: Make IP alig... |
1005 1006 1007 1008 1009 1010 1011 |
/* For platforms that do not have a Kconfig enabling * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of * NET_IP_ALIGN is universally set to '2'. And on platforms * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get * to this code only in strict mode where we want to emulate * the NET_IP_ALIGN==2 checking. Therefore use an * unconditional IP align value of '2'. |
e07b98d9b bpf: Add strict a... |
1012 |
*/ |
e4eda884d net: Make IP alig... |
1013 |
ip_align = 2; |
f1174f77b bpf/verifier: rew... |
1014 1015 1016 1017 1018 1019 1020 1021 1022 |
reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off)); if (!tnum_is_aligned(reg_off, size)) { char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); verbose("misaligned packet access off %d+%s+%d+%d size %d ", ip_align, tn_buf, reg->off, off, size); |
969bf05eb bpf: direct packe... |
1023 1024 |
return -EACCES; } |
79adffcd6 bpf, verifier: fi... |
1025 |
|
969bf05eb bpf: direct packe... |
1026 1027 |
return 0; } |
f1174f77b bpf/verifier: rew... |
1028 1029 1030 |
static int check_generic_ptr_alignment(const struct bpf_reg_state *reg, const char *pointer_desc, int off, int size, bool strict) |
79adffcd6 bpf, verifier: fi... |
1031 |
{ |
f1174f77b bpf/verifier: rew... |
1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 |
struct tnum reg_off; /* Byte size accesses are always allowed. */ if (!strict || size == 1) return 0; reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off)); if (!tnum_is_aligned(reg_off, size)) { char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); verbose("misaligned %saccess off %s+%d+%d size %d ", pointer_desc, tn_buf, reg->off, off, size); |
79adffcd6 bpf, verifier: fi... |
1046 1047 |
return -EACCES; } |
969bf05eb bpf: direct packe... |
1048 1049 |
return 0; } |
e07b98d9b bpf: Add strict a... |
1050 |
static int check_ptr_alignment(struct bpf_verifier_env *env, |
3e272a8cd bpf: allow xadd o... |
1051 1052 |
const struct bpf_reg_state *reg, int off, int size, bool strict_alignment_once) |
79adffcd6 bpf, verifier: fi... |
1053 |
{ |
3e272a8cd bpf: allow xadd o... |
1054 |
bool strict = env->strict_alignment || strict_alignment_once; |
f1174f77b bpf/verifier: rew... |
1055 |
const char *pointer_desc = ""; |
d11744167 bpf: Track alignm... |
1056 |
|
79adffcd6 bpf, verifier: fi... |
1057 1058 |
switch (reg->type) { case PTR_TO_PACKET: |
f1174f77b bpf/verifier: rew... |
1059 |
/* special case, because of NET_IP_ALIGN */ |
d11744167 bpf: Track alignm... |
1060 |
return check_pkt_ptr_alignment(reg, off, size, strict); |
f1174f77b bpf/verifier: rew... |
1061 1062 1063 1064 1065 1066 1067 1068 |
case PTR_TO_MAP_VALUE: pointer_desc = "value "; break; case PTR_TO_CTX: pointer_desc = "context "; break; case PTR_TO_STACK: pointer_desc = "stack "; |
c90268f7c bpf: force strict... |
1069 1070 1071 1072 1073 |
/* The stack spill tracking logic in check_stack_write() * and check_stack_read() relies on stack accesses being * aligned. */ strict = true; |
f1174f77b bpf/verifier: rew... |
1074 |
break; |
79adffcd6 bpf, verifier: fi... |
1075 |
default: |
f1174f77b bpf/verifier: rew... |
1076 |
break; |
79adffcd6 bpf, verifier: fi... |
1077 |
} |
f1174f77b bpf/verifier: rew... |
1078 |
return check_generic_ptr_alignment(reg, pointer_desc, off, size, strict); |
79adffcd6 bpf, verifier: fi... |
1079 |
} |
bf5ee24e8 bpf: fix incorrec... |
1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 |
/* truncate register to smaller size (in bytes) * must be called with size < BPF_REG_SIZE */ static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) { u64 mask; /* clear high bits in bit representation */ reg->var_off = tnum_cast(reg->var_off, size); /* fix arithmetic bounds */ mask = ((u64)1 << (size * 8)) - 1; if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { reg->umin_value &= mask; reg->umax_value &= mask; } else { reg->umin_value = 0; reg->umax_value = mask; } reg->smin_value = reg->umin_value; reg->smax_value = reg->umax_value; } |
17a526706 bpf: verifier (ad... |
1102 1103 1104 1105 1106 1107 |
/* check whether memory at (regno + off) is accessible for t = (read | write) * if t==write, value_regno is a register which value is stored into memory * if t==read, value_regno is a register which will receive the value from memory * if t==write && value_regno==-1, some unknown value is stored into memory * if t==read && value_regno==-1, don't care what we read from memory */ |
3e272a8cd bpf: allow xadd o... |
1108 1109 1110 |
static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, int bpf_size, enum bpf_access_type t, int value_regno, bool strict_alignment_once) |
17a526706 bpf: verifier (ad... |
1111 |
{ |
58e2af8b3 bpf: expose inter... |
1112 1113 |
struct bpf_verifier_state *state = &env->cur_state; struct bpf_reg_state *reg = &state->regs[regno]; |
17a526706 bpf: verifier (ad... |
1114 1115 1116 1117 1118 |
int size, err = 0; size = bpf_size_to_bytes(bpf_size); if (size < 0) return size; |
f1174f77b bpf/verifier: rew... |
1119 |
/* alignment checks will add in reg->off themselves */ |
3e272a8cd bpf: allow xadd o... |
1120 |
err = check_ptr_alignment(env, reg, off, size, strict_alignment_once); |
969bf05eb bpf: direct packe... |
1121 1122 |
if (err) return err; |
17a526706 bpf: verifier (ad... |
1123 |
|
f1174f77b bpf/verifier: rew... |
1124 1125 1126 1127 |
/* for access checks, reg->off is just part of off */ off += reg->off; if (reg->type == PTR_TO_MAP_VALUE) { |
1be7f75d1 bpf: enable non-r... |
1128 1129 1130 1131 1132 1133 |
if (t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno)) { verbose("R%d leaks addr into map ", value_regno); return -EACCES; } |
484611357 bpf: allow access... |
1134 |
|
f1174f77b bpf/verifier: rew... |
1135 |
err = check_map_access(env, regno, off, size); |
17a526706 bpf: verifier (ad... |
1136 |
if (!err && t == BPF_READ && value_regno >= 0) |
f1174f77b bpf/verifier: rew... |
1137 |
mark_reg_unknown(state->regs, value_regno); |
17a526706 bpf: verifier (ad... |
1138 |
|
1a0dc1ac1 bpf: cleanup veri... |
1139 |
} else if (reg->type == PTR_TO_CTX) { |
f1174f77b bpf/verifier: rew... |
1140 |
enum bpf_reg_type reg_type = SCALAR_VALUE; |
19de99f70 bpf: fix matching... |
1141 |
|
1be7f75d1 bpf: enable non-r... |
1142 1143 1144 1145 1146 1147 |
if (t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno)) { verbose("R%d leaks addr into ctx ", value_regno); return -EACCES; } |
f1174f77b bpf/verifier: rew... |
1148 1149 1150 |
/* ctx accesses must be at a fixed offset, so that we can * determine what type of data were returned. */ |
28e33f9d7 bpf: disallow ari... |
1151 1152 1153 1154 1155 1156 1157 |
if (reg->off) { verbose("dereference of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not ", regno, reg->off, off - reg->off); return -EACCES; } if (!tnum_is_const(reg->var_off) || reg->var_off.value) { |
f1174f77b bpf/verifier: rew... |
1158 1159 1160 1161 1162 1163 1164 |
char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); verbose("variable ctx access var_off=%s off=%d size=%d", tn_buf, off, size); return -EACCES; } |
31fd85816 bpf: permits narr... |
1165 |
err = check_ctx_access(env, insn_idx, off, size, t, ®_type); |
969bf05eb bpf: direct packe... |
1166 |
if (!err && t == BPF_READ && value_regno >= 0) { |
f1174f77b bpf/verifier: rew... |
1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 |
/* ctx access returns either a scalar, or a * PTR_TO_PACKET[_END]. In the latter case, we know * the offset is zero. */ if (reg_type == SCALAR_VALUE) mark_reg_unknown(state->regs, value_regno); else mark_reg_known_zero(state->regs, value_regno); state->regs[value_regno].id = 0; state->regs[value_regno].off = 0; state->regs[value_regno].range = 0; |
1955351da bpf: Set register... |
1178 |
state->regs[value_regno].type = reg_type; |
969bf05eb bpf: direct packe... |
1179 |
} |
17a526706 bpf: verifier (ad... |
1180 |
|
f1174f77b bpf/verifier: rew... |
1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 |
} else if (reg->type == PTR_TO_STACK) { /* stack accesses must be at a fixed offset, so that we can * determine what type of data were returned. * See check_stack_read(). */ if (!tnum_is_const(reg->var_off)) { char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); verbose("variable stack access var_off=%s off=%d size=%d", tn_buf, off, size); return -EACCES; } off += reg->var_off.value; |
17a526706 bpf: verifier (ad... |
1195 1196 1197 1198 1199 |
if (off >= 0 || off < -MAX_BPF_STACK) { verbose("invalid stack off=%d size=%d ", off, size); return -EACCES; } |
8726679a0 bpf: teach verifi... |
1200 1201 1202 |
if (env->prog->aux->stack_depth < -off) env->prog->aux->stack_depth = -off; |
1be7f75d1 bpf: enable non-r... |
1203 1204 1205 1206 1207 1208 1209 1210 |
if (t == BPF_WRITE) { if (!env->allow_ptr_leaks && state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL && size != BPF_REG_SIZE) { verbose("attempt to corrupt spilled pointer on stack "); return -EACCES; } |
17a526706 bpf: verifier (ad... |
1211 |
err = check_stack_write(state, off, size, value_regno); |
1be7f75d1 bpf: enable non-r... |
1212 |
} else { |
17a526706 bpf: verifier (ad... |
1213 |
err = check_stack_read(state, off, size, value_regno); |
1be7f75d1 bpf: enable non-r... |
1214 |
} |
f1174f77b bpf/verifier: rew... |
1215 |
} else if (reg->type == PTR_TO_PACKET) { |
3a0af8fd6 bpf: BPF for ligh... |
1216 |
if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { |
969bf05eb bpf: direct packe... |
1217 1218 1219 1220 |
verbose("cannot write into packet "); return -EACCES; } |
4acf6c0b8 bpf: enable direc... |
1221 1222 1223 1224 1225 1226 |
if (t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno)) { verbose("R%d leaks addr into packet ", value_regno); return -EACCES; } |
969bf05eb bpf: direct packe... |
1227 1228 |
err = check_packet_access(env, regno, off, size); if (!err && t == BPF_READ && value_regno >= 0) |
f1174f77b bpf/verifier: rew... |
1229 |
mark_reg_unknown(state->regs, value_regno); |
17a526706 bpf: verifier (ad... |
1230 1231 1232 |
} else { verbose("R%d invalid mem access '%s' ", |
1a0dc1ac1 bpf: cleanup veri... |
1233 |
regno, reg_type_str[reg->type]); |
17a526706 bpf: verifier (ad... |
1234 1235 |
return -EACCES; } |
969bf05eb bpf: direct packe... |
1236 |
|
f1174f77b bpf/verifier: rew... |
1237 1238 1239 |
if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && state->regs[value_regno].type == SCALAR_VALUE) { /* b/h/w load zero-extends, mark upper bits as known 0 */ |
bf5ee24e8 bpf: fix incorrec... |
1240 |
coerce_reg_to_size(&state->regs[value_regno], size); |
969bf05eb bpf: direct packe... |
1241 |
} |
17a526706 bpf: verifier (ad... |
1242 1243 |
return err; } |
31fd85816 bpf: permits narr... |
1244 |
static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn) |
17a526706 bpf: verifier (ad... |
1245 |
{ |
17a526706 bpf: verifier (ad... |
1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 |
int err; if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || insn->imm != 0) { verbose("BPF_XADD uses reserved fields "); return -EINVAL; } /* check src1 operand */ |
dc503a8ad bpf/verifier: tra... |
1256 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
1257 1258 1259 1260 |
if (err) return err; /* check src2 operand */ |
dc503a8ad bpf/verifier: tra... |
1261 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
1262 1263 |
if (err) return err; |
6bdf6abc5 bpf: prevent leak... |
1264 1265 1266 1267 1268 |
if (is_pointer_value(env, insn->src_reg)) { verbose("R%d leaks addr into mem ", insn->src_reg); return -EACCES; } |
3e272a8cd bpf: allow xadd o... |
1269 1270 1271 1272 1273 1274 |
if (is_ctx_reg(env, insn->dst_reg) || is_pkt_reg(env, insn->dst_reg)) { verbose("BPF_XADD stores into R%d %s is not allowed ", insn->dst_reg, is_ctx_reg(env, insn->dst_reg) ? "context" : "packet"); |
a17536742 bpf: reject store... |
1275 1276 |
return -EACCES; } |
17a526706 bpf: verifier (ad... |
1277 |
/* check whether atomic_add can read the memory */ |
31fd85816 bpf: permits narr... |
1278 |
err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
3e272a8cd bpf: allow xadd o... |
1279 |
BPF_SIZE(insn->code), BPF_READ, -1, true); |
17a526706 bpf: verifier (ad... |
1280 1281 1282 1283 |
if (err) return err; /* check whether atomic_add can write into the same memory */ |
31fd85816 bpf: permits narr... |
1284 |
return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
3e272a8cd bpf: allow xadd o... |
1285 |
BPF_SIZE(insn->code), BPF_WRITE, -1, true); |
17a526706 bpf: verifier (ad... |
1286 |
} |
f1174f77b bpf/verifier: rew... |
1287 1288 1289 1290 1291 |
/* Does this register contain a constant zero? */ static bool register_is_null(struct bpf_reg_state reg) { return reg.type == SCALAR_VALUE && tnum_equals_const(reg.var_off, 0); } |
17a526706 bpf: verifier (ad... |
1292 1293 |
/* when register 'regno' is passed into function that will read 'access_size' * bytes from that pointer, make sure that it's within stack boundary |
f1174f77b bpf/verifier: rew... |
1294 1295 1296 |
* and all elements of stack are initialized. * Unlike most pointer bounds-checking functions, this one doesn't take an * 'off' argument, so it has to add in reg->off itself. |
17a526706 bpf: verifier (ad... |
1297 |
*/ |
58e2af8b3 bpf: expose inter... |
1298 |
static int check_stack_boundary(struct bpf_verifier_env *env, int regno, |
435faee1a bpf, verifier: ad... |
1299 1300 |
int access_size, bool zero_size_allowed, struct bpf_call_arg_meta *meta) |
17a526706 bpf: verifier (ad... |
1301 |
{ |
58e2af8b3 bpf: expose inter... |
1302 1303 |
struct bpf_verifier_state *state = &env->cur_state; struct bpf_reg_state *regs = state->regs; |
17a526706 bpf: verifier (ad... |
1304 |
int off, i; |
8e2fe1d9f bpf: add new arg_... |
1305 |
if (regs[regno].type != PTR_TO_STACK) { |
f1174f77b bpf/verifier: rew... |
1306 |
/* Allow zero-byte read from NULL, regardless of pointer type */ |
8e2fe1d9f bpf: add new arg_... |
1307 |
if (zero_size_allowed && access_size == 0 && |
f1174f77b bpf/verifier: rew... |
1308 |
register_is_null(regs[regno])) |
8e2fe1d9f bpf: add new arg_... |
1309 1310 1311 1312 1313 1314 |
return 0; verbose("R%d type=%s expected=%s ", regno, reg_type_str[regs[regno].type], reg_type_str[PTR_TO_STACK]); |
17a526706 bpf: verifier (ad... |
1315 |
return -EACCES; |
8e2fe1d9f bpf: add new arg_... |
1316 |
} |
17a526706 bpf: verifier (ad... |
1317 |
|
f1174f77b bpf/verifier: rew... |
1318 1319 1320 1321 1322 1323 1324 1325 |
/* Only allow fixed-offset stack reads */ if (!tnum_is_const(regs[regno].var_off)) { char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); verbose("invalid variable stack read R%d var_off=%s ", regno, tn_buf); |
2120fca0e bpf: fix missing ... |
1326 |
return -EACCES; |
f1174f77b bpf/verifier: rew... |
1327 1328 |
} off = regs[regno].off + regs[regno].var_off.value; |
17a526706 bpf: verifier (ad... |
1329 1330 1331 1332 1333 1334 1335 |
if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || access_size <= 0) { verbose("invalid stack type R%d off=%d access_size=%d ", regno, off, access_size); return -EACCES; } |
8726679a0 bpf: teach verifi... |
1336 1337 |
if (env->prog->aux->stack_depth < -off) env->prog->aux->stack_depth = -off; |
435faee1a bpf, verifier: ad... |
1338 1339 1340 1341 1342 |
if (meta && meta->raw_mode) { meta->access_size = access_size; meta->regno = regno; return 0; } |
17a526706 bpf: verifier (ad... |
1343 |
for (i = 0; i < access_size; i++) { |
9c3997601 bpf: reduce verif... |
1344 |
if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { |
17a526706 bpf: verifier (ad... |
1345 1346 1347 1348 1349 1350 1351 1352 |
verbose("invalid indirect read from stack off %d+%d size %d ", off, i, access_size); return -EACCES; } } return 0; } |
06c1c0497 bpf: allow helper... |
1353 1354 1355 1356 |
static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, int access_size, bool zero_size_allowed, struct bpf_call_arg_meta *meta) { |
f1174f77b bpf/verifier: rew... |
1357 |
struct bpf_reg_state *regs = env->cur_state.regs, *reg = ®s[regno]; |
06c1c0497 bpf: allow helper... |
1358 |
|
f1174f77b bpf/verifier: rew... |
1359 |
switch (reg->type) { |
06c1c0497 bpf: allow helper... |
1360 |
case PTR_TO_PACKET: |
f1174f77b bpf/verifier: rew... |
1361 |
return check_packet_access(env, regno, reg->off, access_size); |
06c1c0497 bpf: allow helper... |
1362 |
case PTR_TO_MAP_VALUE: |
f1174f77b bpf/verifier: rew... |
1363 1364 |
return check_map_access(env, regno, reg->off, access_size); default: /* scalar_value|ptr_to_stack or invalid ptr */ |
06c1c0497 bpf: allow helper... |
1365 1366 1367 1368 |
return check_stack_boundary(env, regno, access_size, zero_size_allowed, meta); } } |
58e2af8b3 bpf: expose inter... |
1369 |
static int check_func_arg(struct bpf_verifier_env *env, u32 regno, |
33ff9823c bpf, verifier: ad... |
1370 1371 |
enum bpf_arg_type arg_type, struct bpf_call_arg_meta *meta) |
17a526706 bpf: verifier (ad... |
1372 |
{ |
58e2af8b3 bpf: expose inter... |
1373 |
struct bpf_reg_state *regs = env->cur_state.regs, *reg = ®s[regno]; |
6841de8b0 bpf: allow helper... |
1374 |
enum bpf_reg_type expected_type, type = reg->type; |
17a526706 bpf: verifier (ad... |
1375 |
int err = 0; |
80f1d68cc ebpf: verifier: c... |
1376 |
if (arg_type == ARG_DONTCARE) |
17a526706 bpf: verifier (ad... |
1377 |
return 0; |
dc503a8ad bpf/verifier: tra... |
1378 1379 1380 |
err = check_reg_arg(env, regno, SRC_OP); if (err) return err; |
17a526706 bpf: verifier (ad... |
1381 |
|
1be7f75d1 bpf: enable non-r... |
1382 1383 1384 1385 1386 1387 |
if (arg_type == ARG_ANYTHING) { if (is_pointer_value(env, regno)) { verbose("R%d leaks addr into helper function ", regno); return -EACCES; } |
80f1d68cc ebpf: verifier: c... |
1388 |
return 0; |
1be7f75d1 bpf: enable non-r... |
1389 |
} |
80f1d68cc ebpf: verifier: c... |
1390 |
|
3a0af8fd6 bpf: BPF for ligh... |
1391 1392 |
if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta, BPF_READ)) { |
36bbef52c bpf: direct packe... |
1393 1394 |
verbose("helper access to the packet is not allowed "); |
6841de8b0 bpf: allow helper... |
1395 1396 |
return -EACCES; } |
8e2fe1d9f bpf: add new arg_... |
1397 |
if (arg_type == ARG_PTR_TO_MAP_KEY || |
17a526706 bpf: verifier (ad... |
1398 1399 |
arg_type == ARG_PTR_TO_MAP_VALUE) { expected_type = PTR_TO_STACK; |
6841de8b0 bpf: allow helper... |
1400 1401 |
if (type != PTR_TO_PACKET && type != expected_type) goto err_type; |
39f19ebbf bpf: rename ARG_P... |
1402 1403 |
} else if (arg_type == ARG_CONST_SIZE || arg_type == ARG_CONST_SIZE_OR_ZERO) { |
f1174f77b bpf/verifier: rew... |
1404 1405 |
expected_type = SCALAR_VALUE; if (type != expected_type) |
6841de8b0 bpf: allow helper... |
1406 |
goto err_type; |
17a526706 bpf: verifier (ad... |
1407 1408 |
} else if (arg_type == ARG_CONST_MAP_PTR) { expected_type = CONST_PTR_TO_MAP; |
6841de8b0 bpf: allow helper... |
1409 1410 |
if (type != expected_type) goto err_type; |
608cd71a9 tc: bpf: generali... |
1411 1412 |
} else if (arg_type == ARG_PTR_TO_CTX) { expected_type = PTR_TO_CTX; |
6841de8b0 bpf: allow helper... |
1413 1414 |
if (type != expected_type) goto err_type; |
39f19ebbf bpf: rename ARG_P... |
1415 1416 |
} else if (arg_type == ARG_PTR_TO_MEM || arg_type == ARG_PTR_TO_UNINIT_MEM) { |
8e2fe1d9f bpf: add new arg_... |
1417 1418 |
expected_type = PTR_TO_STACK; /* One exception here. In case function allows for NULL to be |
f1174f77b bpf/verifier: rew... |
1419 |
* passed in as argument, it's a SCALAR_VALUE type. Final test |
8e2fe1d9f bpf: add new arg_... |
1420 1421 |
* happens during stack boundary checking. */ |
f1174f77b bpf/verifier: rew... |
1422 |
if (register_is_null(*reg)) |
6841de8b0 bpf: allow helper... |
1423 |
/* final test in check_stack_boundary() */; |
5722569bb bpf: allow helper... |
1424 |
else if (type != PTR_TO_PACKET && type != PTR_TO_MAP_VALUE && |
f1174f77b bpf/verifier: rew... |
1425 |
type != expected_type) |
6841de8b0 bpf: allow helper... |
1426 |
goto err_type; |
39f19ebbf bpf: rename ARG_P... |
1427 |
meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; |
17a526706 bpf: verifier (ad... |
1428 1429 1430 1431 1432 |
} else { verbose("unsupported arg_type %d ", arg_type); return -EFAULT; } |
17a526706 bpf: verifier (ad... |
1433 1434 |
if (arg_type == ARG_CONST_MAP_PTR) { /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ |
33ff9823c bpf, verifier: ad... |
1435 |
meta->map_ptr = reg->map_ptr; |
17a526706 bpf: verifier (ad... |
1436 1437 1438 1439 1440 |
} else if (arg_type == ARG_PTR_TO_MAP_KEY) { /* bpf_map_xxx(..., map_ptr, ..., key) call: * check that [key, key + map->key_size) are within * stack limits and initialized */ |
33ff9823c bpf, verifier: ad... |
1441 |
if (!meta->map_ptr) { |
17a526706 bpf: verifier (ad... |
1442 1443 1444 1445 1446 1447 1448 1449 1450 |
/* in function declaration map_ptr must come before * map_key, so that it's verified and known before * we have to check map_key here. Otherwise it means * that kernel subsystem misconfigured verifier */ verbose("invalid map_ptr to access map->key "); return -EACCES; } |
6841de8b0 bpf: allow helper... |
1451 |
if (type == PTR_TO_PACKET) |
f1174f77b bpf/verifier: rew... |
1452 |
err = check_packet_access(env, regno, reg->off, |
6841de8b0 bpf: allow helper... |
1453 1454 1455 1456 1457 |
meta->map_ptr->key_size); else err = check_stack_boundary(env, regno, meta->map_ptr->key_size, false, NULL); |
17a526706 bpf: verifier (ad... |
1458 1459 1460 1461 |
} else if (arg_type == ARG_PTR_TO_MAP_VALUE) { /* bpf_map_xxx(..., map_ptr, ..., value) call: * check [value, value + map->value_size) validity */ |
33ff9823c bpf, verifier: ad... |
1462 |
if (!meta->map_ptr) { |
17a526706 bpf: verifier (ad... |
1463 1464 1465 1466 1467 |
/* kernel subsystem misconfigured verifier */ verbose("invalid map_ptr to access map->value "); return -EACCES; } |
6841de8b0 bpf: allow helper... |
1468 |
if (type == PTR_TO_PACKET) |
f1174f77b bpf/verifier: rew... |
1469 |
err = check_packet_access(env, regno, reg->off, |
6841de8b0 bpf: allow helper... |
1470 1471 1472 1473 1474 |
meta->map_ptr->value_size); else err = check_stack_boundary(env, regno, meta->map_ptr->value_size, false, NULL); |
39f19ebbf bpf: rename ARG_P... |
1475 1476 1477 |
} else if (arg_type == ARG_CONST_SIZE || arg_type == ARG_CONST_SIZE_OR_ZERO) { bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); |
17a526706 bpf: verifier (ad... |
1478 |
|
17a526706 bpf: verifier (ad... |
1479 1480 1481 1482 1483 1484 |
/* bpf_xxx(..., buf, len) call will access 'len' bytes * from stack pointer 'buf'. Check it * note: regno == len, regno - 1 == buf */ if (regno == 0) { /* kernel subsystem misconfigured verifier */ |
39f19ebbf bpf: rename ARG_P... |
1485 1486 |
verbose("ARG_CONST_SIZE cannot be first argument "); |
17a526706 bpf: verifier (ad... |
1487 1488 |
return -EACCES; } |
06c1c0497 bpf: allow helper... |
1489 |
|
f1174f77b bpf/verifier: rew... |
1490 1491 |
/* The register is SCALAR_VALUE; the access check * happens using its boundaries. |
06c1c0497 bpf: allow helper... |
1492 |
*/ |
f1174f77b bpf/verifier: rew... |
1493 1494 |
if (!tnum_is_const(reg->var_off)) |
06c1c0497 bpf: allow helper... |
1495 1496 1497 1498 1499 1500 |
/* For unprivileged variable accesses, disable raw * mode so that the program is required to * initialize all the memory that the helper could * just partially fill up. */ meta = NULL; |
b03c9f9fd bpf/verifier: tra... |
1501 |
if (reg->smin_value < 0) { |
f1174f77b bpf/verifier: rew... |
1502 1503 1504 1505 1506 |
verbose("R%d min value is negative, either use unsigned or 'var &= const' ", regno); return -EACCES; } |
06c1c0497 bpf: allow helper... |
1507 |
|
b03c9f9fd bpf/verifier: tra... |
1508 |
if (reg->umin_value == 0) { |
f1174f77b bpf/verifier: rew... |
1509 1510 1511 |
err = check_helper_mem_access(env, regno - 1, 0, zero_size_allowed, meta); |
06c1c0497 bpf: allow helper... |
1512 1513 |
if (err) return err; |
06c1c0497 bpf: allow helper... |
1514 |
} |
f1174f77b bpf/verifier: rew... |
1515 |
|
b03c9f9fd bpf/verifier: tra... |
1516 |
if (reg->umax_value >= BPF_MAX_VAR_SIZ) { |
f1174f77b bpf/verifier: rew... |
1517 1518 1519 1520 1521 1522 |
verbose("R%d unbounded memory access, use 'var &= const' or 'if (var < const)' ", regno); return -EACCES; } err = check_helper_mem_access(env, regno - 1, |
b03c9f9fd bpf/verifier: tra... |
1523 |
reg->umax_value, |
f1174f77b bpf/verifier: rew... |
1524 |
zero_size_allowed, meta); |
17a526706 bpf: verifier (ad... |
1525 1526 1527 |
} return err; |
6841de8b0 bpf: allow helper... |
1528 1529 1530 1531 1532 |
err_type: verbose("R%d type=%s expected=%s ", regno, reg_type_str[type], reg_type_str[expected_type]); return -EACCES; |
17a526706 bpf: verifier (ad... |
1533 |
} |
35578d798 bpf: Implement fu... |
1534 1535 |
static int check_map_func_compatibility(struct bpf_map *map, int func_id) { |
35578d798 bpf: Implement fu... |
1536 1537 |
if (!map) return 0; |
6aff67c85 bpf: fix check_ma... |
1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 |
/* We need a two way check, first is from map perspective ... */ switch (map->map_type) { case BPF_MAP_TYPE_PROG_ARRAY: if (func_id != BPF_FUNC_tail_call) goto error; break; case BPF_MAP_TYPE_PERF_EVENT_ARRAY: if (func_id != BPF_FUNC_perf_event_read && func_id != BPF_FUNC_perf_event_output) goto error; break; case BPF_MAP_TYPE_STACK_TRACE: if (func_id != BPF_FUNC_get_stackid) goto error; break; |
4ed8ec521 cgroup: bpf: Add ... |
1553 |
case BPF_MAP_TYPE_CGROUP_ARRAY: |
60747ef4d Merge git://git.k... |
1554 |
if (func_id != BPF_FUNC_skb_under_cgroup && |
60d20f919 bpf: Add bpf_curr... |
1555 |
func_id != BPF_FUNC_current_task_under_cgroup) |
4a482f34a cgroup: bpf: Add ... |
1556 1557 |
goto error; break; |
546ac1ffb bpf: add devmap, ... |
1558 1559 1560 1561 1562 |
/* devmap returns a pointer to a live net_device ifindex that we cannot * allow to be modified from bpf side. So do not allow lookup elements * for now. */ case BPF_MAP_TYPE_DEVMAP: |
2ddf71e23 net: add notifier... |
1563 |
if (func_id != BPF_FUNC_redirect_map) |
546ac1ffb bpf: add devmap, ... |
1564 1565 |
goto error; break; |
56f668dfe bpf: Add array of... |
1566 |
case BPF_MAP_TYPE_ARRAY_OF_MAPS: |
bcc6b1b7e bpf: Add hash of ... |
1567 |
case BPF_MAP_TYPE_HASH_OF_MAPS: |
56f668dfe bpf: Add array of... |
1568 1569 |
if (func_id != BPF_FUNC_map_lookup_elem) goto error; |
16a436257 bpf: Fix map-in-m... |
1570 |
break; |
174a79ff9 bpf: sockmap with... |
1571 1572 1573 1574 1575 1576 |
case BPF_MAP_TYPE_SOCKMAP: if (func_id != BPF_FUNC_sk_redirect_map && func_id != BPF_FUNC_sock_map_update && func_id != BPF_FUNC_map_delete_elem) goto error; break; |
6aff67c85 bpf: fix check_ma... |
1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 |
default: break; } /* ... and second from the function itself. */ switch (func_id) { case BPF_FUNC_tail_call: if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) goto error; break; case BPF_FUNC_perf_event_read: case BPF_FUNC_perf_event_output: if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) goto error; break; case BPF_FUNC_get_stackid: if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) goto error; break; |
60d20f919 bpf: Add bpf_curr... |
1596 |
case BPF_FUNC_current_task_under_cgroup: |
747ea55e4 bpf: fix bpf_skb_... |
1597 |
case BPF_FUNC_skb_under_cgroup: |
4a482f34a cgroup: bpf: Add ... |
1598 1599 1600 |
if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY) goto error; break; |
97f91a7cf bpf: add bpf_redi... |
1601 1602 1603 1604 |
case BPF_FUNC_redirect_map: if (map->map_type != BPF_MAP_TYPE_DEVMAP) goto error; break; |
174a79ff9 bpf: sockmap with... |
1605 1606 1607 1608 1609 1610 1611 1612 |
case BPF_FUNC_sk_redirect_map: if (map->map_type != BPF_MAP_TYPE_SOCKMAP) goto error; break; case BPF_FUNC_sock_map_update: if (map->map_type != BPF_MAP_TYPE_SOCKMAP) goto error; break; |
6aff67c85 bpf: fix check_ma... |
1613 1614 |
default: break; |
35578d798 bpf: Implement fu... |
1615 1616 1617 |
} return 0; |
6aff67c85 bpf: fix check_ma... |
1618 |
error: |
ebb676daa bpf: Print functi... |
1619 1620 1621 |
verbose("cannot pass map_type %d into func %s#%d ", map->map_type, func_id_name(func_id), func_id); |
6aff67c85 bpf: fix check_ma... |
1622 |
return -EINVAL; |
35578d798 bpf: Implement fu... |
1623 |
} |
435faee1a bpf, verifier: ad... |
1624 1625 1626 |
static int check_raw_mode(const struct bpf_func_proto *fn) { int count = 0; |
39f19ebbf bpf: rename ARG_P... |
1627 |
if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1a bpf, verifier: ad... |
1628 |
count++; |
39f19ebbf bpf: rename ARG_P... |
1629 |
if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1a bpf, verifier: ad... |
1630 |
count++; |
39f19ebbf bpf: rename ARG_P... |
1631 |
if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1a bpf, verifier: ad... |
1632 |
count++; |
39f19ebbf bpf: rename ARG_P... |
1633 |
if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1a bpf, verifier: ad... |
1634 |
count++; |
39f19ebbf bpf: rename ARG_P... |
1635 |
if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1a bpf, verifier: ad... |
1636 1637 1638 1639 |
count++; return count > 1 ? -EINVAL : 0; } |
f1174f77b bpf/verifier: rew... |
1640 1641 1642 |
/* Packet data might have moved, any old PTR_TO_PACKET[_END] are now invalid, * so turn them into unknown SCALAR_VALUE. */ |
58e2af8b3 bpf: expose inter... |
1643 |
static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
969bf05eb bpf: direct packe... |
1644 |
{ |
58e2af8b3 bpf: expose inter... |
1645 1646 |
struct bpf_verifier_state *state = &env->cur_state; struct bpf_reg_state *regs = state->regs, *reg; |
969bf05eb bpf: direct packe... |
1647 1648 1649 1650 1651 |
int i; for (i = 0; i < MAX_BPF_REG; i++) if (regs[i].type == PTR_TO_PACKET || regs[i].type == PTR_TO_PACKET_END) |
f1174f77b bpf/verifier: rew... |
1652 |
mark_reg_unknown(regs, i); |
969bf05eb bpf: direct packe... |
1653 1654 1655 1656 1657 1658 1659 1660 |
for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { if (state->stack_slot_type[i] != STACK_SPILL) continue; reg = &state->spilled_regs[i / BPF_REG_SIZE]; if (reg->type != PTR_TO_PACKET && reg->type != PTR_TO_PACKET_END) continue; |
f1174f77b bpf/verifier: rew... |
1661 |
__mark_reg_unknown(reg); |
969bf05eb bpf: direct packe... |
1662 1663 |
} } |
81ed18ab3 bpf: add helper i... |
1664 |
static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) |
17a526706 bpf: verifier (ad... |
1665 |
{ |
58e2af8b3 bpf: expose inter... |
1666 |
struct bpf_verifier_state *state = &env->cur_state; |
17a526706 bpf: verifier (ad... |
1667 |
const struct bpf_func_proto *fn = NULL; |
58e2af8b3 bpf: expose inter... |
1668 |
struct bpf_reg_state *regs = state->regs; |
33ff9823c bpf, verifier: ad... |
1669 |
struct bpf_call_arg_meta meta; |
969bf05eb bpf: direct packe... |
1670 |
bool changes_data; |
17a526706 bpf: verifier (ad... |
1671 1672 1673 1674 |
int i, err; /* find function prototype */ if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { |
ebb676daa bpf: Print functi... |
1675 1676 |
verbose("invalid func %s#%d ", func_id_name(func_id), func_id); |
17a526706 bpf: verifier (ad... |
1677 1678 1679 1680 1681 1682 1683 |
return -EINVAL; } if (env->prog->aux->ops->get_func_proto) fn = env->prog->aux->ops->get_func_proto(func_id); if (!fn) { |
ebb676daa bpf: Print functi... |
1684 1685 |
verbose("unknown func %s#%d ", func_id_name(func_id), func_id); |
17a526706 bpf: verifier (ad... |
1686 1687 1688 1689 |
return -EINVAL; } /* eBPF programs must be GPL compatible to use GPL-ed functions */ |
24701ecea ebpf: move read-o... |
1690 |
if (!env->prog->gpl_compatible && fn->gpl_only) { |
17a526706 bpf: verifier (ad... |
1691 1692 1693 1694 |
verbose("cannot call GPL only function from proprietary program "); return -EINVAL; } |
17bedab27 bpf: xdp: Allow h... |
1695 |
changes_data = bpf_helper_changes_pkt_data(fn->func); |
969bf05eb bpf: direct packe... |
1696 |
|
33ff9823c bpf, verifier: ad... |
1697 |
memset(&meta, 0, sizeof(meta)); |
36bbef52c bpf: direct packe... |
1698 |
meta.pkt_access = fn->pkt_access; |
33ff9823c bpf, verifier: ad... |
1699 |
|
435faee1a bpf, verifier: ad... |
1700 1701 1702 1703 1704 |
/* We only support one arg being in raw mode at the moment, which * is sufficient for the helper functions we have right now. */ err = check_raw_mode(fn); if (err) { |
ebb676daa bpf: Print functi... |
1705 1706 1707 |
verbose("kernel subsystem misconfigured func %s#%d ", func_id_name(func_id), func_id); |
435faee1a bpf, verifier: ad... |
1708 1709 |
return err; } |
17a526706 bpf: verifier (ad... |
1710 |
/* check args */ |
33ff9823c bpf, verifier: ad... |
1711 |
err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta); |
17a526706 bpf: verifier (ad... |
1712 1713 |
if (err) return err; |
33ff9823c bpf, verifier: ad... |
1714 |
err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta); |
17a526706 bpf: verifier (ad... |
1715 1716 |
if (err) return err; |
a5dbaf876 bpf: prevent out-... |
1717 1718 1719 1720 1721 1722 1723 1724 |
if (func_id == BPF_FUNC_tail_call) { if (meta.map_ptr == NULL) { verbose("verifier bug "); return -EINVAL; } env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr; } |
33ff9823c bpf, verifier: ad... |
1725 |
err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta); |
17a526706 bpf: verifier (ad... |
1726 1727 |
if (err) return err; |
33ff9823c bpf, verifier: ad... |
1728 |
err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta); |
17a526706 bpf: verifier (ad... |
1729 1730 |
if (err) return err; |
33ff9823c bpf, verifier: ad... |
1731 |
err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta); |
17a526706 bpf: verifier (ad... |
1732 1733 |
if (err) return err; |
435faee1a bpf, verifier: ad... |
1734 1735 1736 1737 |
/* Mark slots with STACK_MISC in case of raw mode, stack offset * is inferred from register state. */ for (i = 0; i < meta.access_size; i++) { |
3e272a8cd bpf: allow xadd o... |
1738 1739 |
err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1, false); |
435faee1a bpf, verifier: ad... |
1740 1741 1742 |
if (err) return err; } |
17a526706 bpf: verifier (ad... |
1743 |
/* reset caller saved regs */ |
dc503a8ad bpf/verifier: tra... |
1744 |
for (i = 0; i < CALLER_SAVED_REGS; i++) { |
a9789ef9a bpf: properly res... |
1745 |
mark_reg_not_init(regs, caller_saved[i]); |
dc503a8ad bpf/verifier: tra... |
1746 1747 |
check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); } |
17a526706 bpf: verifier (ad... |
1748 |
|
dc503a8ad bpf/verifier: tra... |
1749 |
/* update return register (already marked as written above) */ |
17a526706 bpf: verifier (ad... |
1750 |
if (fn->ret_type == RET_INTEGER) { |
f1174f77b bpf/verifier: rew... |
1751 1752 |
/* sets type to SCALAR_VALUE */ mark_reg_unknown(regs, BPF_REG_0); |
17a526706 bpf: verifier (ad... |
1753 1754 1755 |
} else if (fn->ret_type == RET_VOID) { regs[BPF_REG_0].type = NOT_INIT; } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) { |
fad73a1a3 bpf: Fix and simp... |
1756 |
struct bpf_insn_aux_data *insn_aux; |
17a526706 bpf: verifier (ad... |
1757 |
regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; |
f1174f77b bpf/verifier: rew... |
1758 1759 1760 |
/* There is no offset yet applied, variable or fixed */ mark_reg_known_zero(regs, BPF_REG_0); regs[BPF_REG_0].off = 0; |
17a526706 bpf: verifier (ad... |
1761 1762 1763 1764 |
/* remember map_ptr, so that check_map_access() * can check 'value_size' boundary of memory access * to map element returned from bpf_map_lookup_elem() */ |
33ff9823c bpf, verifier: ad... |
1765 |
if (meta.map_ptr == NULL) { |
17a526706 bpf: verifier (ad... |
1766 1767 1768 1769 |
verbose("kernel subsystem misconfigured verifier "); return -EINVAL; } |
33ff9823c bpf, verifier: ad... |
1770 |
regs[BPF_REG_0].map_ptr = meta.map_ptr; |
57a09bf0a bpf: Detect ident... |
1771 |
regs[BPF_REG_0].id = ++env->id_gen; |
fad73a1a3 bpf: Fix and simp... |
1772 1773 1774 1775 1776 |
insn_aux = &env->insn_aux_data[insn_idx]; if (!insn_aux->map_ptr) insn_aux->map_ptr = meta.map_ptr; else if (insn_aux->map_ptr != meta.map_ptr) insn_aux->map_ptr = BPF_MAP_PTR_POISON; |
17a526706 bpf: verifier (ad... |
1777 |
} else { |
ebb676daa bpf: Print functi... |
1778 1779 1780 |
verbose("unknown return type %d of func %s#%d ", fn->ret_type, func_id_name(func_id), func_id); |
17a526706 bpf: verifier (ad... |
1781 1782 |
return -EINVAL; } |
04fd61ab3 bpf: allow bpf pr... |
1783 |
|
33ff9823c bpf, verifier: ad... |
1784 |
err = check_map_func_compatibility(meta.map_ptr, func_id); |
35578d798 bpf: Implement fu... |
1785 1786 |
if (err) return err; |
04fd61ab3 bpf: allow bpf pr... |
1787 |
|
969bf05eb bpf: direct packe... |
1788 1789 1790 1791 |
if (changes_data) clear_all_pkt_pointers(env); return 0; } |
b03c9f9fd bpf/verifier: tra... |
1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 |
static bool signed_add_overflows(s64 a, s64 b) { /* Do the add in u64, where overflow is well-defined */ s64 res = (s64)((u64)a + (u64)b); if (b < 0) return res > a; return res < a; } static bool signed_sub_overflows(s64 a, s64 b) { /* Do the sub in u64, where overflow is well-defined */ s64 res = (s64)((u64)a - (u64)b); if (b < 0) return res < a; return res > a; |
969bf05eb bpf: direct packe... |
1810 |
} |
de31796c0 bpf: fix integer ... |
1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 |
static bool check_reg_sane_offset(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, enum bpf_reg_type type) { bool known = tnum_is_const(reg->var_off); s64 val = reg->var_off.value; s64 smin = reg->smin_value; if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) { verbose("math between %s pointer and %lld is not allowed ", reg_type_str[type], val); return false; } if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) { verbose("%s pointer offset %d is not allowed ", reg_type_str[type], reg->off); return false; } if (smin == S64_MIN) { verbose("math between %s pointer and register with unbounded min value is not allowed ", reg_type_str[type]); return false; } if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { verbose("value %lld makes %s pointer be out of bounds ", smin, reg_type_str[type]); return false; } return true; } |
f1174f77b bpf/verifier: rew... |
1849 |
/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. |
f1174f77b bpf/verifier: rew... |
1850 1851 1852 1853 1854 1855 1856 1857 |
* Caller should also handle BPF_MOV case separately. * If we return -EACCES, caller may want to try again treating pointer as a * scalar. So we only emit a diagnostic if !env->allow_ptr_leaks. */ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg) |
969bf05eb bpf: direct packe... |
1858 |
{ |
f1174f77b bpf/verifier: rew... |
1859 1860 |
struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg; bool known = tnum_is_const(off_reg->var_off); |
b03c9f9fd bpf/verifier: tra... |
1861 1862 1863 1864 |
s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value, smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; |
969bf05eb bpf: direct packe... |
1865 |
u8 opcode = BPF_OP(insn->code); |
f1174f77b bpf/verifier: rew... |
1866 |
u32 dst = insn->dst_reg; |
969bf05eb bpf: direct packe... |
1867 |
|
f1174f77b bpf/verifier: rew... |
1868 |
dst_reg = ®s[dst]; |
969bf05eb bpf: direct packe... |
1869 |
|
ddf0936b9 bpf: mark dst unk... |
1870 1871 1872 1873 1874 1875 1876 |
if ((known && (smin_val != smax_val || umin_val != umax_val)) || smin_val > smax_val || umin_val > umax_val) { /* Taint dst register if offset had invalid bounds derived from * e.g. dead branches. */ __mark_reg_unknown(dst_reg); return 0; |
f1174f77b bpf/verifier: rew... |
1877 1878 1879 1880 1881 1882 1883 1884 1885 |
} if (BPF_CLASS(insn->code) != BPF_ALU64) { /* 32-bit ALU ops on pointers produce (meaningless) scalars */ if (!env->allow_ptr_leaks) verbose("R%d 32-bit pointer arithmetic prohibited ", dst); return -EACCES; |
969bf05eb bpf: direct packe... |
1886 |
} |
f1174f77b bpf/verifier: rew... |
1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 |
if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { if (!env->allow_ptr_leaks) verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first ", dst); return -EACCES; } if (ptr_reg->type == CONST_PTR_TO_MAP) { if (!env->allow_ptr_leaks) verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited ", dst); return -EACCES; } if (ptr_reg->type == PTR_TO_PACKET_END) { if (!env->allow_ptr_leaks) verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited ", dst); return -EACCES; } /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. * The id may be overwritten later if we create a new variable offset. |
969bf05eb bpf: direct packe... |
1911 |
*/ |
f1174f77b bpf/verifier: rew... |
1912 1913 |
dst_reg->type = ptr_reg->type; dst_reg->id = ptr_reg->id; |
969bf05eb bpf: direct packe... |
1914 |
|
de31796c0 bpf: fix integer ... |
1915 1916 1917 |
if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) || !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) return -EINVAL; |
f1174f77b bpf/verifier: rew... |
1918 1919 1920 1921 |
switch (opcode) { case BPF_ADD: /* We can take a fixed offset as long as it doesn't overflow * the s32 'off' field |
969bf05eb bpf: direct packe... |
1922 |
*/ |
b03c9f9fd bpf/verifier: tra... |
1923 1924 |
if (known && (ptr_reg->off + smin_val == (s64)(s32)(ptr_reg->off + smin_val))) { |
f1174f77b bpf/verifier: rew... |
1925 |
/* pointer += K. Accumulate it into fixed offset */ |
b03c9f9fd bpf/verifier: tra... |
1926 1927 1928 1929 |
dst_reg->smin_value = smin_ptr; dst_reg->smax_value = smax_ptr; dst_reg->umin_value = umin_ptr; dst_reg->umax_value = umax_ptr; |
f1174f77b bpf/verifier: rew... |
1930 |
dst_reg->var_off = ptr_reg->var_off; |
b03c9f9fd bpf/verifier: tra... |
1931 |
dst_reg->off = ptr_reg->off + smin_val; |
f1174f77b bpf/verifier: rew... |
1932 1933 1934 |
dst_reg->range = ptr_reg->range; break; } |
f1174f77b bpf/verifier: rew... |
1935 1936 1937 1938 1939 1940 1941 1942 |
/* A new variable offset is created. Note that off_reg->off * == 0, since it's a scalar. * dst_reg gets the pointer type and since some positive * integer value was added to the pointer, give it a new 'id' * if it's a PTR_TO_PACKET. * this creates a new 'base' pointer, off_reg (variable) gets * added into the variable offset, and we copy the fixed offset * from ptr_reg. |
969bf05eb bpf: direct packe... |
1943 |
*/ |
b03c9f9fd bpf/verifier: tra... |
1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 |
if (signed_add_overflows(smin_ptr, smin_val) || signed_add_overflows(smax_ptr, smax_val)) { dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { dst_reg->smin_value = smin_ptr + smin_val; dst_reg->smax_value = smax_ptr + smax_val; } if (umin_ptr + umin_val < umin_ptr || umax_ptr + umax_val < umax_ptr) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else { dst_reg->umin_value = umin_ptr + umin_val; dst_reg->umax_value = umax_ptr + umax_val; } |
f1174f77b bpf/verifier: rew... |
1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 |
dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; if (ptr_reg->type == PTR_TO_PACKET) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ dst_reg->range = 0; } break; case BPF_SUB: if (dst_reg == off_reg) { /* scalar -= pointer. Creates an unknown scalar */ if (!env->allow_ptr_leaks) verbose("R%d tried to subtract pointer from scalar ", dst); return -EACCES; } /* We don't allow subtraction from FP, because (according to * test_verifier.c test "invalid fp arithmetic", JITs might not * be able to deal with it. |
969bf05eb bpf: direct packe... |
1980 |
*/ |
f1174f77b bpf/verifier: rew... |
1981 1982 1983 1984 1985 1986 1987 |
if (ptr_reg->type == PTR_TO_STACK) { if (!env->allow_ptr_leaks) verbose("R%d subtraction from stack pointer prohibited ", dst); return -EACCES; } |
b03c9f9fd bpf/verifier: tra... |
1988 1989 |
if (known && (ptr_reg->off - smin_val == (s64)(s32)(ptr_reg->off - smin_val))) { |
f1174f77b bpf/verifier: rew... |
1990 |
/* pointer -= K. Subtract it from fixed offset */ |
b03c9f9fd bpf/verifier: tra... |
1991 1992 1993 1994 |
dst_reg->smin_value = smin_ptr; dst_reg->smax_value = smax_ptr; dst_reg->umin_value = umin_ptr; dst_reg->umax_value = umax_ptr; |
f1174f77b bpf/verifier: rew... |
1995 1996 |
dst_reg->var_off = ptr_reg->var_off; dst_reg->id = ptr_reg->id; |
b03c9f9fd bpf/verifier: tra... |
1997 |
dst_reg->off = ptr_reg->off - smin_val; |
f1174f77b bpf/verifier: rew... |
1998 1999 2000 |
dst_reg->range = ptr_reg->range; break; } |
f1174f77b bpf/verifier: rew... |
2001 2002 |
/* A new variable offset is created. If the subtrahend is known * nonnegative, then any reg->range we had before is still good. |
969bf05eb bpf: direct packe... |
2003 |
*/ |
b03c9f9fd bpf/verifier: tra... |
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 |
if (signed_sub_overflows(smin_ptr, smax_val) || signed_sub_overflows(smax_ptr, smin_val)) { /* Overflow possible, we know nothing */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { dst_reg->smin_value = smin_ptr - smax_val; dst_reg->smax_value = smax_ptr - smin_val; } if (umin_ptr < umax_val) { /* Overflow possible, we know nothing */ dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else { /* Cannot overflow (as long as bounds are consistent) */ dst_reg->umin_value = umin_ptr - umax_val; dst_reg->umax_value = umax_ptr - umin_val; } |
f1174f77b bpf/verifier: rew... |
2022 2023 2024 2025 2026 |
dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; if (ptr_reg->type == PTR_TO_PACKET) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ |
b03c9f9fd bpf/verifier: tra... |
2027 |
if (smin_val < 0) |
f1174f77b bpf/verifier: rew... |
2028 |
dst_reg->range = 0; |
43188702b bpf, verifier: ad... |
2029 |
} |
f1174f77b bpf/verifier: rew... |
2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 |
break; case BPF_AND: case BPF_OR: case BPF_XOR: /* bitwise ops on pointers are troublesome, prohibit for now. * (However, in principle we could allow some cases, e.g. * ptr &= ~3 which would reduce min_value by 3.) */ if (!env->allow_ptr_leaks) verbose("R%d bitwise operator %s on pointer prohibited ", dst, bpf_alu_string[opcode >> 4]); return -EACCES; default: /* other operators (e.g. MUL,LSH) produce non-pointer results */ if (!env->allow_ptr_leaks) verbose("R%d pointer arithmetic with %s operator prohibited ", dst, bpf_alu_string[opcode >> 4]); return -EACCES; |
43188702b bpf, verifier: ad... |
2050 |
} |
de31796c0 bpf: fix integer ... |
2051 2052 |
if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type)) return -EINVAL; |
b03c9f9fd bpf/verifier: tra... |
2053 2054 2055 |
__update_reg_bounds(dst_reg); __reg_deduce_bounds(dst_reg); __reg_bound_offset(dst_reg); |
43188702b bpf, verifier: ad... |
2056 2057 |
return 0; } |
6c8e098d0 bpf: fix 32-bit A... |
2058 2059 2060 2061 |
/* WARNING: This function does calculations on 64-bit values, but the actual * execution may occur on 32-bit values. Therefore, things like bitshifts * need extra checks in the 32-bit case. */ |
f1174f77b bpf/verifier: rew... |
2062 2063 2064 2065 |
static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn, struct bpf_reg_state *dst_reg, struct bpf_reg_state src_reg) |
969bf05eb bpf: direct packe... |
2066 |
{ |
58e2af8b3 bpf: expose inter... |
2067 |
struct bpf_reg_state *regs = env->cur_state.regs; |
484611357 bpf: allow access... |
2068 |
u8 opcode = BPF_OP(insn->code); |
f1174f77b bpf/verifier: rew... |
2069 |
bool src_known, dst_known; |
b03c9f9fd bpf/verifier: tra... |
2070 2071 |
s64 smin_val, smax_val; u64 umin_val, umax_val; |
6c8e098d0 bpf: fix 32-bit A... |
2072 |
u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
484611357 bpf: allow access... |
2073 |
|
10fdfea70 bpf: 32-bit RSH v... |
2074 2075 2076 2077 2078 2079 2080 2081 |
if (insn_bitness == 32) { /* Relevant for 32-bit RSH: Information can propagate towards * LSB, so it isn't sufficient to only truncate the output to * 32 bits. */ coerce_reg_to_size(dst_reg, 4); coerce_reg_to_size(&src_reg, 4); } |
b03c9f9fd bpf/verifier: tra... |
2082 2083 2084 2085 |
smin_val = src_reg.smin_value; smax_val = src_reg.smax_value; umin_val = src_reg.umin_value; umax_val = src_reg.umax_value; |
f1174f77b bpf/verifier: rew... |
2086 2087 |
src_known = tnum_is_const(src_reg.var_off); dst_known = tnum_is_const(dst_reg->var_off); |
f23cc643f bpf: fix range ar... |
2088 |
|
ddf0936b9 bpf: mark dst unk... |
2089 2090 2091 2092 2093 2094 2095 2096 |
if ((src_known && (smin_val != smax_val || umin_val != umax_val)) || smin_val > smax_val || umin_val > umax_val) { /* Taint dst register if offset had invalid bounds derived from * e.g. dead branches. */ __mark_reg_unknown(dst_reg); return 0; } |
de31796c0 bpf: fix integer ... |
2097 2098 2099 2100 2101 |
if (!src_known && opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) { __mark_reg_unknown(dst_reg); return 0; } |
484611357 bpf: allow access... |
2102 2103 |
switch (opcode) { case BPF_ADD: |
b03c9f9fd bpf/verifier: tra... |
2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 |
if (signed_add_overflows(dst_reg->smin_value, smin_val) || signed_add_overflows(dst_reg->smax_value, smax_val)) { dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { dst_reg->smin_value += smin_val; dst_reg->smax_value += smax_val; } if (dst_reg->umin_value + umin_val < umin_val || dst_reg->umax_value + umax_val < umax_val) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else { dst_reg->umin_value += umin_val; dst_reg->umax_value += umax_val; } |
f1174f77b bpf/verifier: rew... |
2120 |
dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); |
484611357 bpf: allow access... |
2121 2122 |
break; case BPF_SUB: |
b03c9f9fd bpf/verifier: tra... |
2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 |
if (signed_sub_overflows(dst_reg->smin_value, smax_val) || signed_sub_overflows(dst_reg->smax_value, smin_val)) { /* Overflow possible, we know nothing */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { dst_reg->smin_value -= smax_val; dst_reg->smax_value -= smin_val; } if (dst_reg->umin_value < umax_val) { /* Overflow possible, we know nothing */ dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; } else { /* Cannot overflow (as long as bounds are consistent) */ dst_reg->umin_value -= umax_val; dst_reg->umax_value -= umin_val; } |
f1174f77b bpf/verifier: rew... |
2141 |
dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off); |
484611357 bpf: allow access... |
2142 2143 |
break; case BPF_MUL: |
b03c9f9fd bpf/verifier: tra... |
2144 2145 |
dst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off); if (smin_val < 0 || dst_reg->smin_value < 0) { |
f1174f77b bpf/verifier: rew... |
2146 |
/* Ain't nobody got time to multiply that sign */ |
b03c9f9fd bpf/verifier: tra... |
2147 2148 |
__mark_reg_unbounded(dst_reg); __update_reg_bounds(dst_reg); |
f1174f77b bpf/verifier: rew... |
2149 2150 |
break; } |
b03c9f9fd bpf/verifier: tra... |
2151 2152 |
/* Both values are positive, so we can work with unsigned and * copy the result to signed (unless it exceeds S64_MAX). |
f1174f77b bpf/verifier: rew... |
2153 |
*/ |
b03c9f9fd bpf/verifier: tra... |
2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 |
if (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) { /* Potential overflow, we know nothing */ __mark_reg_unbounded(dst_reg); /* (except what we can learn from the var_off) */ __update_reg_bounds(dst_reg); break; } dst_reg->umin_value *= umin_val; dst_reg->umax_value *= umax_val; if (dst_reg->umax_value > S64_MAX) { /* Overflow possible, we know nothing */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { dst_reg->smin_value = dst_reg->umin_value; dst_reg->smax_value = dst_reg->umax_value; } |
484611357 bpf: allow access... |
2171 2172 |
break; case BPF_AND: |
f1174f77b bpf/verifier: rew... |
2173 |
if (src_known && dst_known) { |
b03c9f9fd bpf/verifier: tra... |
2174 2175 |
__mark_reg_known(dst_reg, dst_reg->var_off.value & src_reg.var_off.value); |
f1174f77b bpf/verifier: rew... |
2176 2177 |
break; } |
b03c9f9fd bpf/verifier: tra... |
2178 2179 |
/* We get our minimum from the var_off, since that's inherently * bitwise. Our maximum is the minimum of the operands' maxima. |
f23cc643f bpf: fix range ar... |
2180 |
*/ |
f1174f77b bpf/verifier: rew... |
2181 |
dst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off); |
b03c9f9fd bpf/verifier: tra... |
2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 |
dst_reg->umin_value = dst_reg->var_off.value; dst_reg->umax_value = min(dst_reg->umax_value, umax_val); if (dst_reg->smin_value < 0 || smin_val < 0) { /* Lose signed bounds when ANDing negative numbers, * ain't nobody got time for that. */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; } else { /* ANDing two positives gives a positive, so safe to * cast result into s64. */ dst_reg->smin_value = dst_reg->umin_value; dst_reg->smax_value = dst_reg->umax_value; } /* We may learn something more from the var_off */ __update_reg_bounds(dst_reg); |
f1174f77b bpf/verifier: rew... |
2199 2200 2201 |
break; case BPF_OR: if (src_known && dst_known) { |
b03c9f9fd bpf/verifier: tra... |
2202 2203 |
__mark_reg_known(dst_reg, dst_reg->var_off.value | src_reg.var_off.value); |
f1174f77b bpf/verifier: rew... |
2204 2205 |
break; } |
b03c9f9fd bpf/verifier: tra... |
2206 2207 |
/* We get our maximum from the var_off, and our minimum is the * maximum of the operands' minima |
f1174f77b bpf/verifier: rew... |
2208 2209 |
*/ dst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off); |
b03c9f9fd bpf/verifier: tra... |
2210 2211 2212 2213 2214 2215 2216 2217 2218 |
dst_reg->umin_value = max(dst_reg->umin_value, umin_val); dst_reg->umax_value = dst_reg->var_off.value | dst_reg->var_off.mask; if (dst_reg->smin_value < 0 || smin_val < 0) { /* Lose signed bounds when ORing negative numbers, * ain't nobody got time for that. */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; |
f1174f77b bpf/verifier: rew... |
2219 |
} else { |
b03c9f9fd bpf/verifier: tra... |
2220 2221 2222 2223 2224 |
/* ORing two positives gives a positive, so safe to * cast result into s64. */ dst_reg->smin_value = dst_reg->umin_value; dst_reg->smax_value = dst_reg->umax_value; |
f1174f77b bpf/verifier: rew... |
2225 |
} |
b03c9f9fd bpf/verifier: tra... |
2226 2227 |
/* We may learn something more from the var_off */ __update_reg_bounds(dst_reg); |
484611357 bpf: allow access... |
2228 2229 |
break; case BPF_LSH: |
6c8e098d0 bpf: fix 32-bit A... |
2230 2231 2232 |
if (umax_val >= insn_bitness) { /* Shifts greater than 31 or 63 are undefined. * This includes shifts by a negative number. |
b03c9f9fd bpf/verifier: tra... |
2233 |
*/ |
f1174f77b bpf/verifier: rew... |
2234 2235 2236 |
mark_reg_unknown(regs, insn->dst_reg); break; } |
b03c9f9fd bpf/verifier: tra... |
2237 2238 |
/* We lose all sign bit information (except what we can pick * up from var_off) |
484611357 bpf: allow access... |
2239 |
*/ |
b03c9f9fd bpf/verifier: tra... |
2240 2241 2242 2243 2244 2245 |
dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; /* If we might shift our top bit out, then we know nothing */ if (dst_reg->umax_value > 1ULL << (63 - umax_val)) { dst_reg->umin_value = 0; dst_reg->umax_value = U64_MAX; |
d11744167 bpf: Track alignm... |
2246 |
} else { |
b03c9f9fd bpf/verifier: tra... |
2247 2248 |
dst_reg->umin_value <<= umin_val; dst_reg->umax_value <<= umax_val; |
d11744167 bpf: Track alignm... |
2249 |
} |
b03c9f9fd bpf/verifier: tra... |
2250 2251 2252 2253 2254 2255 |
if (src_known) dst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val); else dst_reg->var_off = tnum_lshift(tnum_unknown, umin_val); /* We may learn something more from the var_off */ __update_reg_bounds(dst_reg); |
484611357 bpf: allow access... |
2256 2257 |
break; case BPF_RSH: |
6c8e098d0 bpf: fix 32-bit A... |
2258 2259 2260 |
if (umax_val >= insn_bitness) { /* Shifts greater than 31 or 63 are undefined. * This includes shifts by a negative number. |
b03c9f9fd bpf/verifier: tra... |
2261 |
*/ |
f1174f77b bpf/verifier: rew... |
2262 2263 2264 |
mark_reg_unknown(regs, insn->dst_reg); break; } |
4d54f7df5 bpf/verifier: fix... |
2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 |
/* BPF_RSH is an unsigned shift. If the value in dst_reg might * be negative, then either: * 1) src_reg might be zero, so the sign bit of the result is * unknown, so we lose our signed bounds * 2) it's known negative, thus the unsigned bounds capture the * signed bounds * 3) the signed bounds cross zero, so they tell us nothing * about the result * If the value in dst_reg is known nonnegative, then again the * unsigned bounts capture the signed bounds. * Thus, in all cases it suffices to blow away our signed bounds * and rely on inferring new ones from the unsigned bounds and * var_off of the result. */ dst_reg->smin_value = S64_MIN; dst_reg->smax_value = S64_MAX; |
f1174f77b bpf/verifier: rew... |
2281 |
if (src_known) |
b03c9f9fd bpf/verifier: tra... |
2282 2283 |
dst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val); |
f1174f77b bpf/verifier: rew... |
2284 |
else |
b03c9f9fd bpf/verifier: tra... |
2285 2286 2287 2288 2289 |
dst_reg->var_off = tnum_rshift(tnum_unknown, umin_val); dst_reg->umin_value >>= umax_val; dst_reg->umax_value >>= umin_val; /* We may learn something more from the var_off */ __update_reg_bounds(dst_reg); |
484611357 bpf: allow access... |
2290 2291 |
break; default: |
f1174f77b bpf/verifier: rew... |
2292 |
mark_reg_unknown(regs, insn->dst_reg); |
484611357 bpf: allow access... |
2293 2294 |
break; } |
6c8e098d0 bpf: fix 32-bit A... |
2295 2296 2297 |
if (BPF_CLASS(insn->code) != BPF_ALU64) { /* 32-bit ALU ops are (32,32)->32 */ coerce_reg_to_size(dst_reg, 4); |
6c8e098d0 bpf: fix 32-bit A... |
2298 |
} |
b03c9f9fd bpf/verifier: tra... |
2299 2300 |
__reg_deduce_bounds(dst_reg); __reg_bound_offset(dst_reg); |
f1174f77b bpf/verifier: rew... |
2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 |
return 0; } /* Handles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max * and var_off. */ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn) { struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg, *src_reg; struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; u8 opcode = BPF_OP(insn->code); int rc; dst_reg = ®s[insn->dst_reg]; |
f1174f77b bpf/verifier: rew... |
2316 2317 2318 2319 2320 |
src_reg = NULL; if (dst_reg->type != SCALAR_VALUE) ptr_reg = dst_reg; if (BPF_SRC(insn->code) == BPF_X) { src_reg = ®s[insn->src_reg]; |
f1174f77b bpf/verifier: rew... |
2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 |
if (src_reg->type != SCALAR_VALUE) { if (dst_reg->type != SCALAR_VALUE) { /* Combining two pointers by any ALU op yields * an arbitrary scalar. */ if (!env->allow_ptr_leaks) { verbose("R%d pointer %s pointer prohibited ", insn->dst_reg, bpf_alu_string[opcode >> 4]); return -EACCES; } mark_reg_unknown(regs, insn->dst_reg); return 0; } else { /* scalar += pointer * This is legal, but we have to reverse our * src/dest handling in computing the range */ rc = adjust_ptr_min_max_vals(env, insn, src_reg, dst_reg); if (rc == -EACCES && env->allow_ptr_leaks) { /* scalar += unknown scalar */ __mark_reg_unknown(&off_reg); return adjust_scalar_min_max_vals( env, insn, dst_reg, off_reg); } return rc; } } else if (ptr_reg) { /* pointer += scalar */ rc = adjust_ptr_min_max_vals(env, insn, dst_reg, src_reg); if (rc == -EACCES && env->allow_ptr_leaks) { /* unknown scalar += scalar */ __mark_reg_unknown(dst_reg); return adjust_scalar_min_max_vals( env, insn, dst_reg, *src_reg); } return rc; } } else { /* Pretend the src is a reg with a known value, since we only * need to be able to read from this state. */ off_reg.type = SCALAR_VALUE; |
b03c9f9fd bpf/verifier: tra... |
2368 |
__mark_reg_known(&off_reg, insn->imm); |
f1174f77b bpf/verifier: rew... |
2369 |
src_reg = &off_reg; |
f1174f77b bpf/verifier: rew... |
2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 |
if (ptr_reg) { /* pointer += K */ rc = adjust_ptr_min_max_vals(env, insn, ptr_reg, src_reg); if (rc == -EACCES && env->allow_ptr_leaks) { /* unknown scalar += K */ __mark_reg_unknown(dst_reg); return adjust_scalar_min_max_vals( env, insn, dst_reg, off_reg); } return rc; } } /* Got here implies adding two SCALAR_VALUEs */ if (WARN_ON_ONCE(ptr_reg)) { print_verifier_state(&env->cur_state); verbose("verifier internal error: unexpected ptr_reg "); return -EINVAL; } if (WARN_ON(!src_reg)) { print_verifier_state(&env->cur_state); verbose("verifier internal error: no src_reg "); return -EINVAL; } return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); |
484611357 bpf: allow access... |
2397 |
} |
17a526706 bpf: verifier (ad... |
2398 |
/* check validity of 32-bit and 64-bit arithmetic operations */ |
58e2af8b3 bpf: expose inter... |
2399 |
static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a526706 bpf: verifier (ad... |
2400 |
{ |
f1174f77b bpf/verifier: rew... |
2401 |
struct bpf_reg_state *regs = env->cur_state.regs; |
17a526706 bpf: verifier (ad... |
2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 |
u8 opcode = BPF_OP(insn->code); int err; if (opcode == BPF_END || opcode == BPF_NEG) { if (opcode == BPF_NEG) { if (BPF_SRC(insn->code) != 0 || insn->src_reg != BPF_REG_0 || insn->off != 0 || insn->imm != 0) { verbose("BPF_NEG uses reserved fields "); return -EINVAL; } } else { if (insn->src_reg != BPF_REG_0 || insn->off != 0 || |
e67b8a685 bpf/verifier: rej... |
2416 2417 |
(insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || BPF_CLASS(insn->code) == BPF_ALU64) { |
17a526706 bpf: verifier (ad... |
2418 2419 2420 2421 2422 2423 2424 |
verbose("BPF_END uses reserved fields "); return -EINVAL; } } /* check src operand */ |
dc503a8ad bpf/verifier: tra... |
2425 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2426 2427 |
if (err) return err; |
1be7f75d1 bpf: enable non-r... |
2428 2429 2430 2431 2432 2433 |
if (is_pointer_value(env, insn->dst_reg)) { verbose("R%d pointer arithmetic prohibited ", insn->dst_reg); return -EACCES; } |
17a526706 bpf: verifier (ad... |
2434 |
/* check dest operand */ |
dc503a8ad bpf/verifier: tra... |
2435 |
err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a526706 bpf: verifier (ad... |
2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 |
if (err) return err; } else if (opcode == BPF_MOV) { if (BPF_SRC(insn->code) == BPF_X) { if (insn->imm != 0 || insn->off != 0) { verbose("BPF_MOV uses reserved fields "); return -EINVAL; } /* check src operand */ |
dc503a8ad bpf/verifier: tra... |
2449 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 |
if (err) return err; } else { if (insn->src_reg != BPF_REG_0 || insn->off != 0) { verbose("BPF_MOV uses reserved fields "); return -EINVAL; } } /* check dest operand */ |
dc503a8ad bpf/verifier: tra... |
2461 |
err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a526706 bpf: verifier (ad... |
2462 2463 2464 2465 2466 2467 2468 2469 2470 |
if (err) return err; if (BPF_SRC(insn->code) == BPF_X) { if (BPF_CLASS(insn->code) == BPF_ALU64) { /* case: R1 = R2 * copy register state to dest reg */ regs[insn->dst_reg] = regs[insn->src_reg]; |
8fe2d6ccd bpf: fix liveness... |
2471 |
regs[insn->dst_reg].live |= REG_LIVE_WRITTEN; |
17a526706 bpf: verifier (ad... |
2472 |
} else { |
f1174f77b bpf/verifier: rew... |
2473 |
/* R1 = (u32) R2 */ |
1be7f75d1 bpf: enable non-r... |
2474 2475 2476 2477 2478 2479 |
if (is_pointer_value(env, insn->src_reg)) { verbose("R%d partial copy of pointer ", insn->src_reg); return -EACCES; } |
f1174f77b bpf/verifier: rew... |
2480 |
mark_reg_unknown(regs, insn->dst_reg); |
bf5ee24e8 bpf: fix incorrec... |
2481 |
coerce_reg_to_size(®s[insn->dst_reg], 4); |
17a526706 bpf: verifier (ad... |
2482 2483 2484 2485 2486 |
} } else { /* case: R = imm * remember the value we stored into this reg */ |
f1174f77b bpf/verifier: rew... |
2487 |
regs[insn->dst_reg].type = SCALAR_VALUE; |
6e12ea4fb bpf: fix incorrec... |
2488 2489 2490 2491 2492 2493 2494 |
if (BPF_CLASS(insn->code) == BPF_ALU64) { __mark_reg_known(regs + insn->dst_reg, insn->imm); } else { __mark_reg_known(regs + insn->dst_reg, (u32)insn->imm); } |
17a526706 bpf: verifier (ad... |
2495 2496 2497 2498 2499 2500 2501 2502 |
} } else if (opcode > BPF_END) { verbose("invalid BPF_ALU opcode %x ", opcode); return -EINVAL; } else { /* all other ALU ops: and, sub, xor, add, ... */ |
17a526706 bpf: verifier (ad... |
2503 2504 2505 2506 2507 2508 2509 |
if (BPF_SRC(insn->code) == BPF_X) { if (insn->imm != 0 || insn->off != 0) { verbose("BPF_ALU uses reserved fields "); return -EINVAL; } /* check src1 operand */ |
dc503a8ad bpf/verifier: tra... |
2510 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 |
if (err) return err; } else { if (insn->src_reg != BPF_REG_0 || insn->off != 0) { verbose("BPF_ALU uses reserved fields "); return -EINVAL; } } /* check src2 operand */ |
dc503a8ad bpf/verifier: tra... |
2522 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2523 2524 2525 2526 2527 2528 2529 2530 2531 |
if (err) return err; if ((opcode == BPF_MOD || opcode == BPF_DIV) && BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { verbose("div by zero "); return -EINVAL; } |
a2e0b5db9 bpf: arsh is not ... |
2532 2533 2534 2535 2536 |
if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) { verbose("BPF_ARSH not supported for 32 bit ALU "); return -EINVAL; } |
229394e8e net: bpf: reject ... |
2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 |
if ((opcode == BPF_LSH || opcode == BPF_RSH || opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; if (insn->imm < 0 || insn->imm >= size) { verbose("invalid shift %d ", insn->imm); return -EINVAL; } } |
1a0dc1ac1 bpf: cleanup veri... |
2547 |
/* check dest operand */ |
dc503a8ad bpf/verifier: tra... |
2548 |
err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
1a0dc1ac1 bpf: cleanup veri... |
2549 2550 |
if (err) return err; |
f1174f77b bpf/verifier: rew... |
2551 |
return adjust_reg_min_max_vals(env, insn); |
17a526706 bpf: verifier (ad... |
2552 2553 2554 2555 |
} return 0; } |
58e2af8b3 bpf: expose inter... |
2556 |
static void find_good_pkt_pointers(struct bpf_verifier_state *state, |
fb2a311a3 bpf: fix off by o... |
2557 2558 |
struct bpf_reg_state *dst_reg, bool range_right_open) |
969bf05eb bpf: direct packe... |
2559 |
{ |
58e2af8b3 bpf: expose inter... |
2560 |
struct bpf_reg_state *regs = state->regs, *reg; |
fb2a311a3 bpf: fix off by o... |
2561 |
u16 new_range; |
969bf05eb bpf: direct packe... |
2562 |
int i; |
2d2be8cab bpf: fix range pr... |
2563 |
|
fb2a311a3 bpf: fix off by o... |
2564 2565 |
if (dst_reg->off < 0 || (dst_reg->off == 0 && range_right_open)) |
f1174f77b bpf/verifier: rew... |
2566 2567 |
/* This doesn't give us any range */ return; |
b03c9f9fd bpf/verifier: tra... |
2568 2569 |
if (dst_reg->umax_value > MAX_PACKET_OFF || dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF) |
f1174f77b bpf/verifier: rew... |
2570 2571 2572 2573 |
/* Risk of overflow. For instance, ptr + (1<<63) may be less * than pkt_end, but that's because it's also less than pkt. */ return; |
fb2a311a3 bpf: fix off by o... |
2574 2575 2576 2577 2578 |
new_range = dst_reg->off; if (range_right_open) new_range--; /* Examples for register markings: |
2d2be8cab bpf: fix range pr... |
2579 |
* |
fb2a311a3 bpf: fix off by o... |
2580 |
* pkt_data in dst register: |
2d2be8cab bpf: fix range pr... |
2581 2582 2583 2584 2585 2586 |
* * r2 = r3; * r2 += 8; * if (r2 > pkt_end) goto <handle exception> * <access okay> * |
b4e432f10 bpf: enable BPF_J... |
2587 2588 2589 2590 2591 |
* r2 = r3; * r2 += 8; * if (r2 < pkt_end) goto <access okay> * <handle exception> * |
2d2be8cab bpf: fix range pr... |
2592 2593 2594 2595 2596 |
* Where: * r2 == dst_reg, pkt_end == src_reg * r2=pkt(id=n,off=8,r=0) * r3=pkt(id=n,off=0,r=0) * |
fb2a311a3 bpf: fix off by o... |
2597 |
* pkt_data in src register: |
2d2be8cab bpf: fix range pr... |
2598 2599 2600 2601 2602 2603 |
* * r2 = r3; * r2 += 8; * if (pkt_end >= r2) goto <access okay> * <handle exception> * |
b4e432f10 bpf: enable BPF_J... |
2604 2605 2606 2607 2608 |
* r2 = r3; * r2 += 8; * if (pkt_end <= r2) goto <handle exception> * <access okay> * |
2d2be8cab bpf: fix range pr... |
2609 2610 2611 2612 2613 2614 |
* Where: * pkt_end == dst_reg, r2 == src_reg * r2=pkt(id=n,off=8,r=0) * r3=pkt(id=n,off=0,r=0) * * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8) |
fb2a311a3 bpf: fix off by o... |
2615 2616 2617 |
* or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8) * and [r3, r3 + 8-1) respectively is safe to access depending on * the check. |
969bf05eb bpf: direct packe... |
2618 |
*/ |
2d2be8cab bpf: fix range pr... |
2619 |
|
f1174f77b bpf/verifier: rew... |
2620 2621 2622 2623 2624 |
/* If our ids match, then we must have the same max_value. And we * don't care about the other reg's fixed offset, since if it's too big * the range won't allow anything. * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16. */ |
969bf05eb bpf: direct packe... |
2625 2626 |
for (i = 0; i < MAX_BPF_REG; i++) if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id) |
b1977682a bpf: improve veri... |
2627 |
/* keep the maximum range already checked */ |
fb2a311a3 bpf: fix off by o... |
2628 |
regs[i].range = max(regs[i].range, new_range); |
969bf05eb bpf: direct packe... |
2629 2630 2631 2632 2633 2634 |
for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { if (state->stack_slot_type[i] != STACK_SPILL) continue; reg = &state->spilled_regs[i / BPF_REG_SIZE]; if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id) |
fb2a311a3 bpf: fix off by o... |
2635 |
reg->range = max(reg->range, new_range); |
969bf05eb bpf: direct packe... |
2636 2637 |
} } |
484611357 bpf: allow access... |
2638 2639 2640 |
/* Adjusts the register min/max values in the case that the dst_reg is the * variable register that we are working on, and src_reg is a constant or we're * simply doing a BPF_K check. |
f1174f77b bpf/verifier: rew... |
2641 |
* In JEQ/JNE cases we also adjust the var_off values. |
484611357 bpf: allow access... |
2642 2643 2644 2645 2646 |
*/ static void reg_set_min_max(struct bpf_reg_state *true_reg, struct bpf_reg_state *false_reg, u64 val, u8 opcode) { |
f1174f77b bpf/verifier: rew... |
2647 2648 2649 2650 2651 2652 2653 2654 |
/* If the dst_reg is a pointer, we can't learn anything about its * variable offset from the compare (unless src_reg were a pointer into * the same object, but we don't bother with that. * Since false_reg and true_reg have the same type by construction, we * only need to check one of them for pointerness. */ if (__is_pointer_value(false, false_reg)) return; |
4cabc5b18 bpf: fix mixed si... |
2655 |
|
484611357 bpf: allow access... |
2656 2657 2658 2659 2660 |
switch (opcode) { case BPF_JEQ: /* If this is false then we know nothing Jon Snow, but if it is * true then we know for sure. */ |
b03c9f9fd bpf/verifier: tra... |
2661 |
__mark_reg_known(true_reg, val); |
484611357 bpf: allow access... |
2662 2663 2664 2665 2666 |
break; case BPF_JNE: /* If this is true we know nothing Jon Snow, but if it is false * we know the value for sure; */ |
b03c9f9fd bpf/verifier: tra... |
2667 |
__mark_reg_known(false_reg, val); |
484611357 bpf: allow access... |
2668 2669 |
break; case BPF_JGT: |
b03c9f9fd bpf/verifier: tra... |
2670 2671 2672 |
false_reg->umax_value = min(false_reg->umax_value, val); true_reg->umin_value = max(true_reg->umin_value, val + 1); break; |
484611357 bpf: allow access... |
2673 |
case BPF_JSGT: |
b03c9f9fd bpf/verifier: tra... |
2674 2675 |
false_reg->smax_value = min_t(s64, false_reg->smax_value, val); true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1); |
484611357 bpf: allow access... |
2676 |
break; |
b4e432f10 bpf: enable BPF_J... |
2677 2678 2679 2680 2681 2682 2683 2684 |
case BPF_JLT: false_reg->umin_value = max(false_reg->umin_value, val); true_reg->umax_value = min(true_reg->umax_value, val - 1); break; case BPF_JSLT: false_reg->smin_value = max_t(s64, false_reg->smin_value, val); true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1); break; |
484611357 bpf: allow access... |
2685 |
case BPF_JGE: |
b03c9f9fd bpf/verifier: tra... |
2686 2687 2688 |
false_reg->umax_value = min(false_reg->umax_value, val - 1); true_reg->umin_value = max(true_reg->umin_value, val); break; |
484611357 bpf: allow access... |
2689 |
case BPF_JSGE: |
b03c9f9fd bpf/verifier: tra... |
2690 2691 |
false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1); true_reg->smin_value = max_t(s64, true_reg->smin_value, val); |
484611357 bpf: allow access... |
2692 |
break; |
b4e432f10 bpf: enable BPF_J... |
2693 2694 2695 2696 2697 2698 2699 2700 |
case BPF_JLE: false_reg->umin_value = max(false_reg->umin_value, val + 1); true_reg->umax_value = min(true_reg->umax_value, val); break; case BPF_JSLE: false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1); true_reg->smax_value = min_t(s64, true_reg->smax_value, val); break; |
484611357 bpf: allow access... |
2701 2702 2703 |
default: break; } |
b03c9f9fd bpf/verifier: tra... |
2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 |
__reg_deduce_bounds(false_reg); __reg_deduce_bounds(true_reg); /* We might have learned some bits from the bounds. */ __reg_bound_offset(false_reg); __reg_bound_offset(true_reg); /* Intersecting with the old var_off might have improved our bounds * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), * then new var_off is (0; 0x7f...fc) which improves our umax. */ __update_reg_bounds(false_reg); __update_reg_bounds(true_reg); |
484611357 bpf: allow access... |
2715 |
} |
f1174f77b bpf/verifier: rew... |
2716 2717 |
/* Same as above, but for the case that dst_reg holds a constant and src_reg is * the variable reg. |
484611357 bpf: allow access... |
2718 2719 2720 2721 2722 |
*/ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, struct bpf_reg_state *false_reg, u64 val, u8 opcode) { |
f1174f77b bpf/verifier: rew... |
2723 2724 |
if (__is_pointer_value(false, false_reg)) return; |
4cabc5b18 bpf: fix mixed si... |
2725 |
|
484611357 bpf: allow access... |
2726 2727 2728 2729 2730 |
switch (opcode) { case BPF_JEQ: /* If this is false then we know nothing Jon Snow, but if it is * true then we know for sure. */ |
b03c9f9fd bpf/verifier: tra... |
2731 |
__mark_reg_known(true_reg, val); |
484611357 bpf: allow access... |
2732 2733 2734 2735 2736 |
break; case BPF_JNE: /* If this is true we know nothing Jon Snow, but if it is false * we know the value for sure; */ |
b03c9f9fd bpf/verifier: tra... |
2737 |
__mark_reg_known(false_reg, val); |
484611357 bpf: allow access... |
2738 2739 |
break; case BPF_JGT: |
b03c9f9fd bpf/verifier: tra... |
2740 2741 2742 |
true_reg->umax_value = min(true_reg->umax_value, val - 1); false_reg->umin_value = max(false_reg->umin_value, val); break; |
484611357 bpf: allow access... |
2743 |
case BPF_JSGT: |
b03c9f9fd bpf/verifier: tra... |
2744 2745 |
true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1); false_reg->smin_value = max_t(s64, false_reg->smin_value, val); |
484611357 bpf: allow access... |
2746 |
break; |
b4e432f10 bpf: enable BPF_J... |
2747 2748 2749 2750 2751 2752 2753 2754 |
case BPF_JLT: true_reg->umin_value = max(true_reg->umin_value, val + 1); false_reg->umax_value = min(false_reg->umax_value, val); break; case BPF_JSLT: true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1); false_reg->smax_value = min_t(s64, false_reg->smax_value, val); break; |
484611357 bpf: allow access... |
2755 |
case BPF_JGE: |
b03c9f9fd bpf/verifier: tra... |
2756 2757 2758 |
true_reg->umax_value = min(true_reg->umax_value, val); false_reg->umin_value = max(false_reg->umin_value, val + 1); break; |
484611357 bpf: allow access... |
2759 |
case BPF_JSGE: |
b03c9f9fd bpf/verifier: tra... |
2760 2761 |
true_reg->smax_value = min_t(s64, true_reg->smax_value, val); false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1); |
484611357 bpf: allow access... |
2762 |
break; |
b4e432f10 bpf: enable BPF_J... |
2763 2764 2765 2766 2767 2768 2769 2770 |
case BPF_JLE: true_reg->umin_value = max(true_reg->umin_value, val); false_reg->umax_value = min(false_reg->umax_value, val - 1); break; case BPF_JSLE: true_reg->smin_value = max_t(s64, true_reg->smin_value, val); false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1); break; |
484611357 bpf: allow access... |
2771 2772 2773 |
default: break; } |
b03c9f9fd bpf/verifier: tra... |
2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 |
__reg_deduce_bounds(false_reg); __reg_deduce_bounds(true_reg); /* We might have learned some bits from the bounds. */ __reg_bound_offset(false_reg); __reg_bound_offset(true_reg); /* Intersecting with the old var_off might have improved our bounds * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), * then new var_off is (0; 0x7f...fc) which improves our umax. */ __update_reg_bounds(false_reg); __update_reg_bounds(true_reg); |
f1174f77b bpf/verifier: rew... |
2785 2786 2787 2788 2789 2790 |
} /* Regs are known to be equal, so intersect their min/max/var_off */ static void __reg_combine_min_max(struct bpf_reg_state *src_reg, struct bpf_reg_state *dst_reg) { |
b03c9f9fd bpf/verifier: tra... |
2791 2792 2793 2794 2795 2796 2797 2798 |
src_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value, dst_reg->umin_value); src_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value, dst_reg->umax_value); src_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value, dst_reg->smin_value); src_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value, dst_reg->smax_value); |
f1174f77b bpf/verifier: rew... |
2799 2800 |
src_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off, dst_reg->var_off); |
b03c9f9fd bpf/verifier: tra... |
2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 |
/* We might have learned new bounds from the var_off. */ __update_reg_bounds(src_reg); __update_reg_bounds(dst_reg); /* We might have learned something about the sign bit. */ __reg_deduce_bounds(src_reg); __reg_deduce_bounds(dst_reg); /* We might have learned some bits from the bounds. */ __reg_bound_offset(src_reg); __reg_bound_offset(dst_reg); /* Intersecting with the old var_off might have improved our bounds * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), * then new var_off is (0; 0x7f...fc) which improves our umax. */ __update_reg_bounds(src_reg); __update_reg_bounds(dst_reg); |
f1174f77b bpf/verifier: rew... |
2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 |
} static void reg_combine_min_max(struct bpf_reg_state *true_src, struct bpf_reg_state *true_dst, struct bpf_reg_state *false_src, struct bpf_reg_state *false_dst, u8 opcode) { switch (opcode) { case BPF_JEQ: __reg_combine_min_max(true_src, true_dst); break; case BPF_JNE: __reg_combine_min_max(false_src, false_dst); |
b03c9f9fd bpf/verifier: tra... |
2830 |
break; |
4cabc5b18 bpf: fix mixed si... |
2831 |
} |
484611357 bpf: allow access... |
2832 |
} |
57a09bf0a bpf: Detect ident... |
2833 |
static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id, |
f1174f77b bpf/verifier: rew... |
2834 |
bool is_null) |
57a09bf0a bpf: Detect ident... |
2835 2836 2837 2838 |
{ struct bpf_reg_state *reg = ®s[regno]; if (reg->type == PTR_TO_MAP_VALUE_OR_NULL && reg->id == id) { |
f1174f77b bpf/verifier: rew... |
2839 2840 2841 2842 |
/* Old offset (both fixed and variable parts) should * have been known-zero, because we don't allow pointer * arithmetic on pointers that might be NULL. */ |
b03c9f9fd bpf/verifier: tra... |
2843 2844 |
if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || !tnum_equals_const(reg->var_off, 0) || |
f1174f77b bpf/verifier: rew... |
2845 |
reg->off)) { |
b03c9f9fd bpf/verifier: tra... |
2846 2847 |
__mark_reg_known_zero(reg); reg->off = 0; |
f1174f77b bpf/verifier: rew... |
2848 2849 2850 |
} if (is_null) { reg->type = SCALAR_VALUE; |
56f668dfe bpf: Add array of... |
2851 2852 2853 2854 |
} else if (reg->map_ptr->inner_map_meta) { reg->type = CONST_PTR_TO_MAP; reg->map_ptr = reg->map_ptr->inner_map_meta; } else { |
f1174f77b bpf/verifier: rew... |
2855 |
reg->type = PTR_TO_MAP_VALUE; |
56f668dfe bpf: Add array of... |
2856 |
} |
a08dd0da5 bpf: fix regressi... |
2857 2858 2859 2860 2861 |
/* We don't need id from this point onwards anymore, thus we * should better reset it, so that state pruning has chances * to take effect. */ reg->id = 0; |
57a09bf0a bpf: Detect ident... |
2862 2863 2864 2865 2866 2867 2868 |
} } /* The logic is similar to find_good_pkt_pointers(), both could eventually * be folded together at some point. */ static void mark_map_regs(struct bpf_verifier_state *state, u32 regno, |
f1174f77b bpf/verifier: rew... |
2869 |
bool is_null) |
57a09bf0a bpf: Detect ident... |
2870 2871 |
{ struct bpf_reg_state *regs = state->regs; |
a08dd0da5 bpf: fix regressi... |
2872 |
u32 id = regs[regno].id; |
57a09bf0a bpf: Detect ident... |
2873 2874 2875 |
int i; for (i = 0; i < MAX_BPF_REG; i++) |
f1174f77b bpf/verifier: rew... |
2876 |
mark_map_reg(regs, i, id, is_null); |
57a09bf0a bpf: Detect ident... |
2877 2878 2879 2880 |
for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { if (state->stack_slot_type[i] != STACK_SPILL) continue; |
f1174f77b bpf/verifier: rew... |
2881 |
mark_map_reg(state->spilled_regs, i / BPF_REG_SIZE, id, is_null); |
57a09bf0a bpf: Detect ident... |
2882 2883 |
} } |
58e2af8b3 bpf: expose inter... |
2884 |
static int check_cond_jmp_op(struct bpf_verifier_env *env, |
17a526706 bpf: verifier (ad... |
2885 2886 |
struct bpf_insn *insn, int *insn_idx) { |
58e2af8b3 bpf: expose inter... |
2887 2888 |
struct bpf_verifier_state *other_branch, *this_branch = &env->cur_state; struct bpf_reg_state *regs = this_branch->regs, *dst_reg; |
17a526706 bpf: verifier (ad... |
2889 2890 |
u8 opcode = BPF_OP(insn->code); int err; |
b4e432f10 bpf: enable BPF_J... |
2891 |
if (opcode > BPF_JSLE) { |
17a526706 bpf: verifier (ad... |
2892 2893 2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 |
verbose("invalid BPF_JMP opcode %x ", opcode); return -EINVAL; } if (BPF_SRC(insn->code) == BPF_X) { if (insn->imm != 0) { verbose("BPF_JMP uses reserved fields "); return -EINVAL; } /* check src1 operand */ |
dc503a8ad bpf/verifier: tra... |
2905 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2906 2907 |
if (err) return err; |
1be7f75d1 bpf: enable non-r... |
2908 2909 2910 2911 2912 2913 2914 |
if (is_pointer_value(env, insn->src_reg)) { verbose("R%d pointer comparison prohibited ", insn->src_reg); return -EACCES; } |
17a526706 bpf: verifier (ad... |
2915 2916 2917 2918 2919 2920 2921 2922 2923 |
} else { if (insn->src_reg != BPF_REG_0) { verbose("BPF_JMP uses reserved fields "); return -EINVAL; } } /* check src2 operand */ |
dc503a8ad bpf/verifier: tra... |
2924 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
2925 2926 |
if (err) return err; |
1a0dc1ac1 bpf: cleanup veri... |
2927 |
dst_reg = ®s[insn->dst_reg]; |
17a526706 bpf: verifier (ad... |
2928 2929 2930 |
/* detect if R == 0 where R was initialized to zero earlier */ if (BPF_SRC(insn->code) == BPF_K && (opcode == BPF_JEQ || opcode == BPF_JNE) && |
f1174f77b bpf/verifier: rew... |
2931 2932 |
dst_reg->type == SCALAR_VALUE && tnum_equals_const(dst_reg->var_off, insn->imm)) { |
17a526706 bpf: verifier (ad... |
2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 |
if (opcode == BPF_JEQ) { /* if (imm == imm) goto pc+off; * only follow the goto, ignore fall-through */ *insn_idx += insn->off; return 0; } else { /* if (imm != imm) goto pc+off; * only follow fall-through branch, since * that's where the program will go */ return 0; } } other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx); if (!other_branch) return -EFAULT; |
484611357 bpf: allow access... |
2951 2952 |
/* detect if we are comparing against a constant value so we can adjust * our min/max values for our dst register. |
f1174f77b bpf/verifier: rew... |
2953 2954 2955 2956 |
* this is only legit if both are scalars (or pointers to the same * object, I suppose, but we don't support that right now), because * otherwise the different base pointers mean the offsets aren't * comparable. |
484611357 bpf: allow access... |
2957 2958 |
*/ if (BPF_SRC(insn->code) == BPF_X) { |
f1174f77b bpf/verifier: rew... |
2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 |
if (dst_reg->type == SCALAR_VALUE && regs[insn->src_reg].type == SCALAR_VALUE) { if (tnum_is_const(regs[insn->src_reg].var_off)) reg_set_min_max(&other_branch->regs[insn->dst_reg], dst_reg, regs[insn->src_reg].var_off.value, opcode); else if (tnum_is_const(dst_reg->var_off)) reg_set_min_max_inv(&other_branch->regs[insn->src_reg], ®s[insn->src_reg], dst_reg->var_off.value, opcode); else if (opcode == BPF_JEQ || opcode == BPF_JNE) /* Comparing for equality, we can combine knowledge */ reg_combine_min_max(&other_branch->regs[insn->src_reg], &other_branch->regs[insn->dst_reg], ®s[insn->src_reg], ®s[insn->dst_reg], opcode); } } else if (dst_reg->type == SCALAR_VALUE) { |
484611357 bpf: allow access... |
2977 2978 2979 |
reg_set_min_max(&other_branch->regs[insn->dst_reg], dst_reg, insn->imm, opcode); } |
58e2af8b3 bpf: expose inter... |
2980 |
/* detect if R == 0 where R is returned from bpf_map_lookup_elem() */ |
17a526706 bpf: verifier (ad... |
2981 |
if (BPF_SRC(insn->code) == BPF_K && |
1a0dc1ac1 bpf: cleanup veri... |
2982 2983 |
insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && dst_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
57a09bf0a bpf: Detect ident... |
2984 2985 2986 |
/* Mark all identical map registers in each branch as either * safe or unknown depending R == 0 or R != 0 conditional. */ |
f1174f77b bpf/verifier: rew... |
2987 2988 |
mark_map_regs(this_branch, insn->dst_reg, opcode == BPF_JNE); mark_map_regs(other_branch, insn->dst_reg, opcode == BPF_JEQ); |
969bf05eb bpf: direct packe... |
2989 2990 2991 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT && dst_reg->type == PTR_TO_PACKET && regs[insn->src_reg].type == PTR_TO_PACKET_END) { |
0fd4759c5 bpf: fix pattern ... |
2992 |
/* pkt_data' > pkt_end */ |
fb2a311a3 bpf: fix off by o... |
2993 |
find_good_pkt_pointers(this_branch, dst_reg, false); |
0fd4759c5 bpf: fix pattern ... |
2994 2995 2996 2997 2998 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT && dst_reg->type == PTR_TO_PACKET_END && regs[insn->src_reg].type == PTR_TO_PACKET) { /* pkt_end > pkt_data' */ find_good_pkt_pointers(other_branch, ®s[insn->src_reg], true); |
b4e432f10 bpf: enable BPF_J... |
2999 3000 3001 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLT && dst_reg->type == PTR_TO_PACKET && regs[insn->src_reg].type == PTR_TO_PACKET_END) { |
0fd4759c5 bpf: fix pattern ... |
3002 |
/* pkt_data' < pkt_end */ |
fb2a311a3 bpf: fix off by o... |
3003 |
find_good_pkt_pointers(other_branch, dst_reg, true); |
0fd4759c5 bpf: fix pattern ... |
3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLT && dst_reg->type == PTR_TO_PACKET_END && regs[insn->src_reg].type == PTR_TO_PACKET) { /* pkt_end < pkt_data' */ find_good_pkt_pointers(this_branch, ®s[insn->src_reg], false); } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE && dst_reg->type == PTR_TO_PACKET && regs[insn->src_reg].type == PTR_TO_PACKET_END) { /* pkt_data' >= pkt_end */ find_good_pkt_pointers(this_branch, dst_reg, true); |
2d2be8cab bpf: fix range pr... |
3014 3015 3016 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE && dst_reg->type == PTR_TO_PACKET_END && regs[insn->src_reg].type == PTR_TO_PACKET) { |
0fd4759c5 bpf: fix pattern ... |
3017 |
/* pkt_end >= pkt_data' */ |
fb2a311a3 bpf: fix off by o... |
3018 |
find_good_pkt_pointers(other_branch, ®s[insn->src_reg], false); |
b4e432f10 bpf: enable BPF_J... |
3019 |
} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLE && |
0fd4759c5 bpf: fix pattern ... |
3020 3021 3022 3023 3024 |
dst_reg->type == PTR_TO_PACKET && regs[insn->src_reg].type == PTR_TO_PACKET_END) { /* pkt_data' <= pkt_end */ find_good_pkt_pointers(other_branch, dst_reg, false); } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLE && |
b4e432f10 bpf: enable BPF_J... |
3025 3026 |
dst_reg->type == PTR_TO_PACKET_END && regs[insn->src_reg].type == PTR_TO_PACKET) { |
0fd4759c5 bpf: fix pattern ... |
3027 |
/* pkt_end <= pkt_data' */ |
fb2a311a3 bpf: fix off by o... |
3028 |
find_good_pkt_pointers(this_branch, ®s[insn->src_reg], true); |
1be7f75d1 bpf: enable non-r... |
3029 3030 3031 3032 |
} else if (is_pointer_value(env, insn->dst_reg)) { verbose("R%d pointer comparison prohibited ", insn->dst_reg); return -EACCES; |
17a526706 bpf: verifier (ad... |
3033 3034 |
} if (log_level) |
2d2be8cab bpf: fix range pr... |
3035 |
print_verifier_state(this_branch); |
17a526706 bpf: verifier (ad... |
3036 3037 |
return 0; } |
0246e64d9 bpf: handle pseud... |
3038 3039 3040 3041 3042 3043 3044 |
/* return the map pointer stored inside BPF_LD_IMM64 instruction */ static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn) { u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32; return (struct bpf_map *) (unsigned long) imm64; } |
17a526706 bpf: verifier (ad... |
3045 |
/* verify BPF_LD_IMM64 instruction */ |
58e2af8b3 bpf: expose inter... |
3046 |
static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a526706 bpf: verifier (ad... |
3047 |
{ |
58e2af8b3 bpf: expose inter... |
3048 |
struct bpf_reg_state *regs = env->cur_state.regs; |
17a526706 bpf: verifier (ad... |
3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 |
int err; if (BPF_SIZE(insn->code) != BPF_DW) { verbose("invalid BPF_LD_IMM insn "); return -EINVAL; } if (insn->off != 0) { verbose("BPF_LD_IMM64 uses reserved fields "); return -EINVAL; } |
dc503a8ad bpf/verifier: tra... |
3061 |
err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a526706 bpf: verifier (ad... |
3062 3063 |
if (err) return err; |
6b1738730 bpf: recognize 64... |
3064 |
if (insn->src_reg == 0) { |
6b1738730 bpf: recognize 64... |
3065 |
u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; |
f1174f77b bpf/verifier: rew... |
3066 |
regs[insn->dst_reg].type = SCALAR_VALUE; |
b03c9f9fd bpf/verifier: tra... |
3067 |
__mark_reg_known(®s[insn->dst_reg], imm); |
17a526706 bpf: verifier (ad... |
3068 |
return 0; |
6b1738730 bpf: recognize 64... |
3069 |
} |
17a526706 bpf: verifier (ad... |
3070 3071 3072 3073 3074 3075 3076 3077 |
/* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */ BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD); regs[insn->dst_reg].type = CONST_PTR_TO_MAP; regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn); return 0; } |
96be4325f ebpf: add sched_c... |
3078 3079 3080 3081 3082 |
static bool may_access_skb(enum bpf_prog_type type) { switch (type) { case BPF_PROG_TYPE_SOCKET_FILTER: case BPF_PROG_TYPE_SCHED_CLS: |
94caee8c3 ebpf: add sched_a... |
3083 |
case BPF_PROG_TYPE_SCHED_ACT: |
96be4325f ebpf: add sched_c... |
3084 3085 3086 3087 3088 |
return true; default: return false; } } |
ddd872bc3 bpf: verifier: ad... |
3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 |
/* verify safety of LD_ABS|LD_IND instructions: * - they can only appear in the programs where ctx == skb * - since they are wrappers of function calls, they scratch R1-R5 registers, * preserve R6-R9, and store return value into R0 * * Implicit input: * ctx == skb == R6 == CTX * * Explicit input: * SRC == any register * IMM == 32-bit immediate * * Output: * R0 - 8/16/32-bit skb data converted to cpu endianness */ |
58e2af8b3 bpf: expose inter... |
3104 |
static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) |
ddd872bc3 bpf: verifier: ad... |
3105 |
{ |
58e2af8b3 bpf: expose inter... |
3106 |
struct bpf_reg_state *regs = env->cur_state.regs; |
ddd872bc3 bpf: verifier: ad... |
3107 |
u8 mode = BPF_MODE(insn->code); |
ddd872bc3 bpf: verifier: ad... |
3108 |
int i, err; |
24701ecea ebpf: move read-o... |
3109 |
if (!may_access_skb(env->prog->type)) { |
1a0dc1ac1 bpf: cleanup veri... |
3110 3111 |
verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type "); |
ddd872bc3 bpf: verifier: ad... |
3112 3113 3114 3115 |
return -EINVAL; } if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || |
d82bccc69 bpf/verifier: rej... |
3116 |
BPF_SIZE(insn->code) == BPF_DW || |
ddd872bc3 bpf: verifier: ad... |
3117 |
(mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { |
1a0dc1ac1 bpf: cleanup veri... |
3118 3119 |
verbose("BPF_LD_[ABS|IND] uses reserved fields "); |
ddd872bc3 bpf: verifier: ad... |
3120 3121 3122 3123 |
return -EINVAL; } /* check whether implicit source operand (register R6) is readable */ |
dc503a8ad bpf/verifier: tra... |
3124 |
err = check_reg_arg(env, BPF_REG_6, SRC_OP); |
ddd872bc3 bpf: verifier: ad... |
3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 |
if (err) return err; if (regs[BPF_REG_6].type != PTR_TO_CTX) { verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb "); return -EINVAL; } if (mode == BPF_IND) { /* check explicit source operand */ |
dc503a8ad bpf/verifier: tra... |
3136 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
ddd872bc3 bpf: verifier: ad... |
3137 3138 3139 3140 3141 |
if (err) return err; } /* reset caller saved regs to unreadable */ |
dc503a8ad bpf/verifier: tra... |
3142 |
for (i = 0; i < CALLER_SAVED_REGS; i++) { |
a9789ef9a bpf: properly res... |
3143 |
mark_reg_not_init(regs, caller_saved[i]); |
dc503a8ad bpf/verifier: tra... |
3144 3145 |
check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); } |
ddd872bc3 bpf: verifier: ad... |
3146 3147 |
/* mark destination R0 register as readable, since it contains |
dc503a8ad bpf/verifier: tra... |
3148 3149 |
* the value fetched from the packet. * Already marked as written above. |
ddd872bc3 bpf: verifier: ad... |
3150 |
*/ |
f1174f77b bpf/verifier: rew... |
3151 |
mark_reg_unknown(regs, BPF_REG_0); |
ddd872bc3 bpf: verifier: ad... |
3152 3153 |
return 0; } |
475fb78fb bpf: verifier (ad... |
3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 |
/* non-recursive DFS pseudo code * 1 procedure DFS-iterative(G,v): * 2 label v as discovered * 3 let S be a stack * 4 S.push(v) * 5 while S is not empty * 6 t <- S.pop() * 7 if t is what we're looking for: * 8 return t * 9 for all edges e in G.adjacentEdges(t) do * 10 if edge e is already labelled * 11 continue with the next edge * 12 w <- G.adjacentVertex(t,e) * 13 if vertex w is not discovered and not explored * 14 label e as tree-edge * 15 label w as discovered * 16 S.push(w) * 17 continue at 5 * 18 else if vertex w is discovered * 19 label e as back-edge * 20 else * 21 // vertex w is explored * 22 label e as forward- or cross-edge * 23 label t as explored * 24 S.pop() * * convention: * 0x10 - discovered * 0x11 - discovered and fall-through edge labelled * 0x12 - discovered and fall-through and branch edges labelled * 0x20 - explored */ enum { DISCOVERED = 0x10, EXPLORED = 0x20, FALLTHROUGH = 1, BRANCH = 2, }; |
58e2af8b3 bpf: expose inter... |
3193 |
#define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L) |
f1bca824d bpf: add search p... |
3194 |
|
475fb78fb bpf: verifier (ad... |
3195 3196 3197 3198 3199 3200 3201 3202 3203 |
static int *insn_stack; /* stack of insns to process */ static int cur_stack; /* current stack index */ static int *insn_state; /* t, w, e - match pseudo-code above: * t - index of current instruction * w - next instruction * e - edge */ |
58e2af8b3 bpf: expose inter... |
3204 |
static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) |
475fb78fb bpf: verifier (ad... |
3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 |
{ if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH)) return 0; if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH)) return 0; if (w < 0 || w >= env->prog->len) { verbose("jump out of range from insn %d to %d ", t, w); return -EINVAL; } |
f1bca824d bpf: add search p... |
3217 3218 3219 |
if (e == BRANCH) /* mark branch target for state pruning */ env->explored_states[w] = STATE_LIST_MARK; |
475fb78fb bpf: verifier (ad... |
3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 |
if (insn_state[w] == 0) { /* tree-edge */ insn_state[t] = DISCOVERED | e; insn_state[w] = DISCOVERED; if (cur_stack >= env->prog->len) return -E2BIG; insn_stack[cur_stack++] = w; return 1; } else if ((insn_state[w] & 0xF0) == DISCOVERED) { verbose("back-edge from insn %d to %d ", t, w); return -EINVAL; } else if (insn_state[w] == EXPLORED) { /* forward- or cross-edge */ insn_state[t] = DISCOVERED | e; } else { verbose("insn state internal bug "); return -EFAULT; } return 0; } /* non-recursive depth-first-search to detect loops in BPF program * loop == back-edge in directed graph */ |
58e2af8b3 bpf: expose inter... |
3246 |
static int check_cfg(struct bpf_verifier_env *env) |
475fb78fb bpf: verifier (ad... |
3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 |
{ struct bpf_insn *insns = env->prog->insnsi; int insn_cnt = env->prog->len; int ret = 0; int i, t; insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); if (!insn_state) return -ENOMEM; insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); if (!insn_stack) { kfree(insn_state); return -ENOMEM; } insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */ insn_stack[0] = 0; /* 0 is the first instruction */ cur_stack = 1; peek_stack: if (cur_stack == 0) goto check_state; t = insn_stack[cur_stack - 1]; if (BPF_CLASS(insns[t].code) == BPF_JMP) { u8 opcode = BPF_OP(insns[t].code); if (opcode == BPF_EXIT) { goto mark_explored; } else if (opcode == BPF_CALL) { ret = push_insn(t, t + 1, FALLTHROUGH, env); if (ret == 1) goto peek_stack; else if (ret < 0) goto err_free; |
07016151a bpf, verifier: fu... |
3283 3284 |
if (t + 1 < insn_cnt) env->explored_states[t + 1] = STATE_LIST_MARK; |
475fb78fb bpf: verifier (ad... |
3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 |
} else if (opcode == BPF_JA) { if (BPF_SRC(insns[t].code) != BPF_K) { ret = -EINVAL; goto err_free; } /* unconditional jump with single edge */ ret = push_insn(t, t + insns[t].off + 1, FALLTHROUGH, env); if (ret == 1) goto peek_stack; else if (ret < 0) goto err_free; |
f1bca824d bpf: add search p... |
3297 3298 3299 |
/* tell verifier to check for equivalent states * after every call and jump */ |
c3de6317d bpf: fix verifier... |
3300 3301 |
if (t + 1 < insn_cnt) env->explored_states[t + 1] = STATE_LIST_MARK; |
475fb78fb bpf: verifier (ad... |
3302 3303 |
} else { /* conditional jump with two edges */ |
3c2ce60bd bpf: adjust verif... |
3304 |
env->explored_states[t] = STATE_LIST_MARK; |
475fb78fb bpf: verifier (ad... |
3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350 3351 3352 3353 |
ret = push_insn(t, t + 1, FALLTHROUGH, env); if (ret == 1) goto peek_stack; else if (ret < 0) goto err_free; ret = push_insn(t, t + insns[t].off + 1, BRANCH, env); if (ret == 1) goto peek_stack; else if (ret < 0) goto err_free; } } else { /* all other non-branch instructions with single * fall-through edge */ ret = push_insn(t, t + 1, FALLTHROUGH, env); if (ret == 1) goto peek_stack; else if (ret < 0) goto err_free; } mark_explored: insn_state[t] = EXPLORED; if (cur_stack-- <= 0) { verbose("pop stack internal bug "); ret = -EFAULT; goto err_free; } goto peek_stack; check_state: for (i = 0; i < insn_cnt; i++) { if (insn_state[i] != EXPLORED) { verbose("unreachable insn %d ", i); ret = -EINVAL; goto err_free; } } ret = 0; /* cfg looks good */ err_free: kfree(insn_state); kfree(insn_stack); return ret; } |
f1174f77b bpf/verifier: rew... |
3354 3355 3356 3357 |
/* check %cur's range satisfies %old's */ static bool range_within(struct bpf_reg_state *old, struct bpf_reg_state *cur) { |
b03c9f9fd bpf/verifier: tra... |
3358 3359 3360 3361 |
return old->umin_value <= cur->umin_value && old->umax_value >= cur->umax_value && old->smin_value <= cur->smin_value && old->smax_value >= cur->smax_value; |
f1174f77b bpf/verifier: rew... |
3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 |
} /* Maximum number of register states that can exist at once */ #define ID_MAP_SIZE (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) struct idpair { u32 old; u32 cur; }; /* If in the old state two registers had the same id, then they need to have * the same id in the new state as well. But that id could be different from * the old state, so we need to track the mapping from old to new ids. * Once we have seen that, say, a reg with old id 5 had new id 9, any subsequent * regs with old id 5 must also have new id 9 for the new state to be safe. But * regs with a different old id could still have new id 9, we don't care about * that. * So we look through our idmap to see if this old id has been seen before. If * so, we require the new id to match; otherwise, we add the id pair to the map. |
969bf05eb bpf: direct packe... |
3380 |
*/ |
f1174f77b bpf/verifier: rew... |
3381 |
static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap) |
969bf05eb bpf: direct packe... |
3382 |
{ |
f1174f77b bpf/verifier: rew... |
3383 |
unsigned int i; |
969bf05eb bpf: direct packe... |
3384 |
|
f1174f77b bpf/verifier: rew... |
3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400 |
for (i = 0; i < ID_MAP_SIZE; i++) { if (!idmap[i].old) { /* Reached an empty slot; haven't seen this id before */ idmap[i].old = old_id; idmap[i].cur = cur_id; return true; } if (idmap[i].old == old_id) return idmap[i].cur == cur_id; } /* We ran out of idmap slots, which should be impossible */ WARN_ON_ONCE(1); return false; } /* Returns true if (rold safe implies rcur safe) */ |
1b688a19a bpf/verifier: rem... |
3401 3402 |
static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur, struct idpair *idmap) |
f1174f77b bpf/verifier: rew... |
3403 |
{ |
dc503a8ad bpf/verifier: tra... |
3404 3405 3406 3407 3408 |
if (!(rold->live & REG_LIVE_READ)) /* explored state didn't use this */ return true; if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, live)) == 0) |
969bf05eb bpf: direct packe... |
3409 |
return true; |
f1174f77b bpf/verifier: rew... |
3410 3411 |
if (rold->type == NOT_INIT) /* explored state can't have used this */ |
969bf05eb bpf: direct packe... |
3412 |
return true; |
f1174f77b bpf/verifier: rew... |
3413 3414 3415 3416 3417 3418 3419 3420 3421 |
if (rcur->type == NOT_INIT) return false; switch (rold->type) { case SCALAR_VALUE: if (rcur->type == SCALAR_VALUE) { /* new val must satisfy old val knowledge */ return range_within(rold, rcur) && tnum_in(rold->var_off, rcur->var_off); } else { |
cb56cc1b2 bpf: don't prune ... |
3422 3423 3424 3425 3426 3427 |
/* We're trying to use a pointer in place of a scalar. * Even if the scalar was unbounded, this could lead to * pointer leaks because scalars are allowed to leak * while pointers are not. We could make this safe in * special cases if root is calling us, but it's * probably not worth the hassle. |
f1174f77b bpf/verifier: rew... |
3428 |
*/ |
cb56cc1b2 bpf: don't prune ... |
3429 |
return false; |
f1174f77b bpf/verifier: rew... |
3430 3431 |
} case PTR_TO_MAP_VALUE: |
1b688a19a bpf/verifier: rem... |
3432 3433 3434 3435 3436 3437 3438 3439 |
/* If the new min/max/var_off satisfy the old ones and * everything else matches, we are OK. * We don't care about the 'id' value, because nothing * uses it for PTR_TO_MAP_VALUE (only for ..._OR_NULL) */ return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 && range_within(rold, rcur) && tnum_in(rold->var_off, rcur->var_off); |
f1174f77b bpf/verifier: rew... |
3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 |
case PTR_TO_MAP_VALUE_OR_NULL: /* a PTR_TO_MAP_VALUE could be safe to use as a * PTR_TO_MAP_VALUE_OR_NULL into the same map. * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL- * checked, doing so could have affected others with the same * id, and we can't check for that because we lost the id when * we converted to a PTR_TO_MAP_VALUE. */ if (rcur->type != PTR_TO_MAP_VALUE_OR_NULL) return false; if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id))) return false; /* Check our ids match any regs they're supposed to */ return check_ids(rold->id, rcur->id, idmap); case PTR_TO_PACKET: if (rcur->type != PTR_TO_PACKET) return false; /* We must have at least as much range as the old ptr * did, so that any accesses which were safe before are * still safe. This is true even if old range < old off, * since someone could have accessed through (ptr - k), or * even done ptr -= k in a register, to get a safe access. */ if (rold->range > rcur->range) return false; /* If the offsets don't match, we can't trust our alignment; * nor can we be sure that we won't fall out of range. */ if (rold->off != rcur->off) return false; /* id relations must be preserved */ if (rold->id && !check_ids(rold->id, rcur->id, idmap)) return false; /* new val must satisfy old val knowledge */ return range_within(rold, rcur) && tnum_in(rold->var_off, rcur->var_off); case PTR_TO_CTX: case CONST_PTR_TO_MAP: case PTR_TO_STACK: case PTR_TO_PACKET_END: /* Only valid matches are exact, which memcmp() above * would have accepted */ default: /* Don't know what's going on, just say it's not safe */ return false; } |
969bf05eb bpf: direct packe... |
3487 |
|
f1174f77b bpf/verifier: rew... |
3488 3489 |
/* Shouldn't get here; if we do, say it's not safe */ WARN_ON_ONCE(1); |
969bf05eb bpf: direct packe... |
3490 3491 |
return false; } |
f1bca824d bpf: add search p... |
3492 3493 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 |
/* compare two verifier states * * all states stored in state_list are known to be valid, since * verifier reached 'bpf_exit' instruction through them * * this function is called when verifier exploring different branches of * execution popped from the state stack. If it sees an old state that has * more strict register state and more strict stack state then this execution * branch doesn't need to be explored further, since verifier already * concluded that more strict state leads to valid finish. * * Therefore two states are equivalent if register state is more conservative * and explored stack state is more conservative than the current one. * Example: * explored current * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC) * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC) * * In other words if current stack state (one being explored) has more * valid slots than old one that already passed validation, it means * the verifier can stop exploring and conclude that current state is valid too * * Similarly with registers. If explored state has register type as invalid * whereas register type in current state is meaningful, it means that * the current state will reach 'bpf_exit' instruction safely */ |
484611357 bpf: allow access... |
3518 3519 |
static bool states_equal(struct bpf_verifier_env *env, struct bpf_verifier_state *old, |
58e2af8b3 bpf: expose inter... |
3520 |
struct bpf_verifier_state *cur) |
f1bca824d bpf: add search p... |
3521 |
{ |
f1174f77b bpf/verifier: rew... |
3522 3523 |
struct idpair *idmap; bool ret = false; |
f1bca824d bpf: add search p... |
3524 |
int i; |
f1174f77b bpf/verifier: rew... |
3525 3526 3527 |
idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL); /* If we failed to allocate the idmap, just say it's not safe */ if (!idmap) |
1a0dc1ac1 bpf: cleanup veri... |
3528 |
return false; |
f1174f77b bpf/verifier: rew... |
3529 3530 |
for (i = 0; i < MAX_BPF_REG; i++) { |
1b688a19a bpf/verifier: rem... |
3531 |
if (!regsafe(&old->regs[i], &cur->regs[i], idmap)) |
f1174f77b bpf/verifier: rew... |
3532 |
goto out_free; |
f1bca824d bpf: add search p... |
3533 3534 3535 |
} for (i = 0; i < MAX_BPF_STACK; i++) { |
9c3997601 bpf: reduce verif... |
3536 3537 3538 3539 3540 3541 3542 3543 |
if (old->stack_slot_type[i] == STACK_INVALID) continue; if (old->stack_slot_type[i] != cur->stack_slot_type[i]) /* Ex: old explored (safe) state has STACK_SPILL in * this stack slot, but current has has STACK_MISC -> * this verifier states are not equivalent, * return false to continue verification of this path */ |
f1174f77b bpf/verifier: rew... |
3544 |
goto out_free; |
9c3997601 bpf: reduce verif... |
3545 3546 |
if (i % BPF_REG_SIZE) continue; |
d25da6caa bpf: don't check ... |
3547 3548 |
if (old->stack_slot_type[i] != STACK_SPILL) continue; |
f1174f77b bpf/verifier: rew... |
3549 3550 |
if (!regsafe(&old->spilled_regs[i / BPF_REG_SIZE], &cur->spilled_regs[i / BPF_REG_SIZE], |
1b688a19a bpf/verifier: rem... |
3551 |
idmap)) |
f1174f77b bpf/verifier: rew... |
3552 3553 |
/* when explored and current stack slot are both storing * spilled registers, check that stored pointers types |
9c3997601 bpf: reduce verif... |
3554 3555 |
* are the same as well. * Ex: explored safe path could have stored |
f1174f77b bpf/verifier: rew... |
3556 |
* (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8} |
9c3997601 bpf: reduce verif... |
3557 |
* but current path has stored: |
f1174f77b bpf/verifier: rew... |
3558 |
* (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16} |
9c3997601 bpf: reduce verif... |
3559 3560 3561 |
* such verifier states are not equivalent. * return false to continue verification of this path */ |
f1174f77b bpf/verifier: rew... |
3562 |
goto out_free; |
9c3997601 bpf: reduce verif... |
3563 3564 |
else continue; |
f1bca824d bpf: add search p... |
3565 |
} |
f1174f77b bpf/verifier: rew... |
3566 3567 3568 3569 |
ret = true; out_free: kfree(idmap); return ret; |
f1bca824d bpf: add search p... |
3570 |
} |
8e9cd9ce9 bpf/verifier: doc... |
3571 3572 3573 3574 3575 3576 |
/* A write screens off any subsequent reads; but write marks come from the * straight-line code between a state and its parent. When we arrive at a * jump target (in the first iteration of the propagate_liveness() loop), * we didn't arrive by the straight-line code, so read marks in state must * propagate to parent regardless of state's write marks. */ |
dc503a8ad bpf/verifier: tra... |
3577 3578 3579 |
static bool do_propagate_liveness(const struct bpf_verifier_state *state, struct bpf_verifier_state *parent) { |
63f45f840 bpf/verifier: whe... |
3580 |
bool writes = parent == state->parent; /* Observe write marks */ |
dc503a8ad bpf/verifier: tra... |
3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 |
bool touched = false; /* any changes made? */ int i; if (!parent) return touched; /* Propagate read liveness of registers... */ BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG); /* We don't need to worry about FP liveness because it's read-only */ for (i = 0; i < BPF_REG_FP; i++) { if (parent->regs[i].live & REG_LIVE_READ) continue; |
63f45f840 bpf/verifier: whe... |
3592 3593 3594 |
if (writes && (state->regs[i].live & REG_LIVE_WRITTEN)) continue; if (state->regs[i].live & REG_LIVE_READ) { |
dc503a8ad bpf/verifier: tra... |
3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 |
parent->regs[i].live |= REG_LIVE_READ; touched = true; } } /* ... and stack slots */ for (i = 0; i < MAX_BPF_STACK / BPF_REG_SIZE; i++) { if (parent->stack_slot_type[i * BPF_REG_SIZE] != STACK_SPILL) continue; if (state->stack_slot_type[i * BPF_REG_SIZE] != STACK_SPILL) continue; if (parent->spilled_regs[i].live & REG_LIVE_READ) continue; |
63f45f840 bpf/verifier: whe... |
3607 3608 3609 |
if (writes && (state->spilled_regs[i].live & REG_LIVE_WRITTEN)) continue; if (state->spilled_regs[i].live & REG_LIVE_READ) { |
1ab2de2bf bpf: fix liveness... |
3610 |
parent->spilled_regs[i].live |= REG_LIVE_READ; |
dc503a8ad bpf/verifier: tra... |
3611 3612 3613 3614 3615 |
touched = true; } } return touched; } |
8e9cd9ce9 bpf/verifier: doc... |
3616 3617 3618 3619 3620 3621 3622 3623 3624 |
/* "parent" is "a state from which we reach the current state", but initially * it is not the state->parent (i.e. "the state whose straight-line code leads * to the current state"), instead it is the state that happened to arrive at * a (prunable) equivalent of the current state. See comment above * do_propagate_liveness() for consequences of this. * This function is just a more efficient way of calling mark_reg_read() or * mark_stack_slot_read() on each reg in "parent" that is read in "state", * though it requires that parent != state->parent in the call arguments. */ |
dc503a8ad bpf/verifier: tra... |
3625 3626 3627 3628 3629 3630 3631 3632 3633 |
static void propagate_liveness(const struct bpf_verifier_state *state, struct bpf_verifier_state *parent) { while (do_propagate_liveness(state, parent)) { /* Something changed, so we need to feed those changes onward */ state = parent; parent = state->parent; } } |
58e2af8b3 bpf: expose inter... |
3634 |
static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) |
f1bca824d bpf: add search p... |
3635 |
{ |
58e2af8b3 bpf: expose inter... |
3636 3637 |
struct bpf_verifier_state_list *new_sl; struct bpf_verifier_state_list *sl; |
dc503a8ad bpf/verifier: tra... |
3638 |
int i; |
f1bca824d bpf: add search p... |
3639 3640 3641 3642 3643 3644 3645 3646 3647 |
sl = env->explored_states[insn_idx]; if (!sl) /* this 'insn_idx' instruction wasn't marked, so we will not * be doing state search here */ return 0; while (sl != STATE_LIST_MARK) { |
dc503a8ad bpf/verifier: tra... |
3648 |
if (states_equal(env, &sl->state, &env->cur_state)) { |
f1bca824d bpf: add search p... |
3649 |
/* reached equivalent register/stack state, |
dc503a8ad bpf/verifier: tra... |
3650 3651 |
* prune the search. * Registers read by the continuation are read by us. |
8e9cd9ce9 bpf/verifier: doc... |
3652 3653 3654 3655 3656 3657 |
* If we have any write marks in env->cur_state, they * will prevent corresponding reads in the continuation * from reaching our parent (an explored_state). Our * own state will get the read marks recorded, but * they'll be immediately forgotten as we're pruning * this state and will pop a new one. |
f1bca824d bpf: add search p... |
3658 |
*/ |
dc503a8ad bpf/verifier: tra... |
3659 |
propagate_liveness(&sl->state, &env->cur_state); |
f1bca824d bpf: add search p... |
3660 |
return 1; |
dc503a8ad bpf/verifier: tra... |
3661 |
} |
f1bca824d bpf: add search p... |
3662 3663 3664 3665 3666 3667 3668 3669 3670 |
sl = sl->next; } /* there were no equivalent states, remember current one. * technically the current state is not proven to be safe yet, * but it will either reach bpf_exit (which means it's safe) or * it will be rejected. Since there are no loops, we won't be * seeing this 'insn_idx' instruction again on the way to bpf_exit */ |
58e2af8b3 bpf: expose inter... |
3671 |
new_sl = kmalloc(sizeof(struct bpf_verifier_state_list), GFP_USER); |
f1bca824d bpf: add search p... |
3672 3673 3674 3675 3676 3677 3678 |
if (!new_sl) return -ENOMEM; /* add new state to the head of linked list */ memcpy(&new_sl->state, &env->cur_state, sizeof(env->cur_state)); new_sl->next = env->explored_states[insn_idx]; env->explored_states[insn_idx] = new_sl; |
dc503a8ad bpf/verifier: tra... |
3679 3680 |
/* connect new state to parentage chain */ env->cur_state.parent = &new_sl->state; |
8e9cd9ce9 bpf/verifier: doc... |
3681 3682 3683 3684 3685 3686 |
/* clear write marks in current state: the writes we did are not writes * our child did, so they don't screen off its reads from us. * (There are no read marks in current state, because reads always mark * their parent and current state never has children yet. Only * explored_states can get read marks.) */ |
dc503a8ad bpf/verifier: tra... |
3687 3688 3689 3690 3691 |
for (i = 0; i < BPF_REG_FP; i++) env->cur_state.regs[i].live = REG_LIVE_NONE; for (i = 0; i < MAX_BPF_STACK / BPF_REG_SIZE; i++) if (env->cur_state.stack_slot_type[i * BPF_REG_SIZE] == STACK_SPILL) env->cur_state.spilled_regs[i].live = REG_LIVE_NONE; |
f1bca824d bpf: add search p... |
3692 3693 |
return 0; } |
13a27dfc6 bpf: enable non-c... |
3694 3695 3696 3697 3698 3699 3700 3701 |
static int ext_analyzer_insn_hook(struct bpf_verifier_env *env, int insn_idx, int prev_insn_idx) { if (!env->analyzer_ops || !env->analyzer_ops->insn_hook) return 0; return env->analyzer_ops->insn_hook(env, insn_idx, prev_insn_idx); } |
58e2af8b3 bpf: expose inter... |
3702 |
static int do_check(struct bpf_verifier_env *env) |
17a526706 bpf: verifier (ad... |
3703 |
{ |
58e2af8b3 bpf: expose inter... |
3704 |
struct bpf_verifier_state *state = &env->cur_state; |
17a526706 bpf: verifier (ad... |
3705 |
struct bpf_insn *insns = env->prog->insnsi; |
58e2af8b3 bpf: expose inter... |
3706 |
struct bpf_reg_state *regs = state->regs; |
17a526706 bpf: verifier (ad... |
3707 3708 3709 3710 3711 3712 |
int insn_cnt = env->prog->len; int insn_idx, prev_insn_idx = 0; int insn_processed = 0; bool do_print_state = false; init_reg_state(regs); |
dc503a8ad bpf/verifier: tra... |
3713 |
state->parent = NULL; |
17a526706 bpf: verifier (ad... |
3714 3715 3716 3717 3718 3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 |
insn_idx = 0; for (;;) { struct bpf_insn *insn; u8 class; int err; if (insn_idx >= insn_cnt) { verbose("invalid insn idx %d insn_cnt %d ", insn_idx, insn_cnt); return -EFAULT; } insn = &insns[insn_idx]; class = BPF_CLASS(insn->code); |
07016151a bpf, verifier: fu... |
3729 |
if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { |
bc1750f36 bpf: fix spelling... |
3730 3731 |
verbose("BPF program is too large. Processed %d insn ", |
17a526706 bpf: verifier (ad... |
3732 3733 3734 |
insn_processed); return -E2BIG; } |
f1bca824d bpf: add search p... |
3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 |
err = is_state_visited(env, insn_idx); if (err < 0) return err; if (err == 1) { /* found equivalent state, can prune the search */ if (log_level) { if (do_print_state) verbose(" from %d to %d: safe ", prev_insn_idx, insn_idx); else verbose("%d: safe ", insn_idx); } goto process_bpf_exit; } |
3c2ce60bd bpf: adjust verif... |
3752 3753 |
if (need_resched()) cond_resched(); |
c5fc9692d bpf: Do per-instr... |
3754 3755 3756 3757 3758 3759 3760 |
if (log_level > 1 || (log_level && do_print_state)) { if (log_level > 1) verbose("%d:", insn_idx); else verbose(" from %d to %d:", prev_insn_idx, insn_idx); |
1a0dc1ac1 bpf: cleanup veri... |
3761 |
print_verifier_state(&env->cur_state); |
17a526706 bpf: verifier (ad... |
3762 3763 3764 3765 3766 |
do_print_state = false; } if (log_level) { verbose("%d: ", insn_idx); |
0d0e57697 bpf: don't let ld... |
3767 |
print_bpf_insn(env, insn); |
17a526706 bpf: verifier (ad... |
3768 |
} |
13a27dfc6 bpf: enable non-c... |
3769 3770 3771 |
err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx); if (err) return err; |
2b3ea8ceb bpf: fix branch p... |
3772 |
env->insn_aux_data[insn_idx].seen = true; |
17a526706 bpf: verifier (ad... |
3773 |
if (class == BPF_ALU || class == BPF_ALU64) { |
1be7f75d1 bpf: enable non-r... |
3774 |
err = check_alu_op(env, insn); |
17a526706 bpf: verifier (ad... |
3775 3776 3777 3778 |
if (err) return err; } else if (class == BPF_LDX) { |
3df126f35 bpf: don't (ab)us... |
3779 |
enum bpf_reg_type *prev_src_type, src_reg_type; |
9bac3d6d5 bpf: allow extend... |
3780 3781 |
/* check for reserved fields is already done */ |
17a526706 bpf: verifier (ad... |
3782 |
/* check src operand */ |
dc503a8ad bpf/verifier: tra... |
3783 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
3784 3785 |
if (err) return err; |
dc503a8ad bpf/verifier: tra... |
3786 |
err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
17a526706 bpf: verifier (ad... |
3787 3788 |
if (err) return err; |
725f9dcd5 bpf: fix two bugs... |
3789 |
src_reg_type = regs[insn->src_reg].type; |
17a526706 bpf: verifier (ad... |
3790 3791 3792 |
/* check that memory (src_reg + off) is readable, * the state of dst_reg will be updated by this func */ |
31fd85816 bpf: permits narr... |
3793 |
err = check_mem_access(env, insn_idx, insn->src_reg, insn->off, |
17a526706 bpf: verifier (ad... |
3794 |
BPF_SIZE(insn->code), BPF_READ, |
3e272a8cd bpf: allow xadd o... |
3795 |
insn->dst_reg, false); |
17a526706 bpf: verifier (ad... |
3796 3797 |
if (err) return err; |
3df126f35 bpf: don't (ab)us... |
3798 3799 3800 |
prev_src_type = &env->insn_aux_data[insn_idx].ptr_type; if (*prev_src_type == NOT_INIT) { |
9bac3d6d5 bpf: allow extend... |
3801 3802 |
/* saw a valid insn * dst_reg = *(u32 *)(src_reg + off) |
3df126f35 bpf: don't (ab)us... |
3803 |
* save type to validate intersecting paths |
9bac3d6d5 bpf: allow extend... |
3804 |
*/ |
3df126f35 bpf: don't (ab)us... |
3805 |
*prev_src_type = src_reg_type; |
9bac3d6d5 bpf: allow extend... |
3806 |
|
3df126f35 bpf: don't (ab)us... |
3807 |
} else if (src_reg_type != *prev_src_type && |
9bac3d6d5 bpf: allow extend... |
3808 |
(src_reg_type == PTR_TO_CTX || |
3df126f35 bpf: don't (ab)us... |
3809 |
*prev_src_type == PTR_TO_CTX)) { |
9bac3d6d5 bpf: allow extend... |
3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 |
/* ABuser program is trying to use the same insn * dst_reg = *(u32*) (src_reg + off) * with different pointer types: * src_reg == ctx in one branch and * src_reg == stack|map in some other branch. * Reject it. */ verbose("same insn cannot be used with different pointers "); return -EINVAL; } |
17a526706 bpf: verifier (ad... |
3821 |
} else if (class == BPF_STX) { |
3df126f35 bpf: don't (ab)us... |
3822 |
enum bpf_reg_type *prev_dst_type, dst_reg_type; |
d691f9e8d bpf: allow progra... |
3823 |
|
17a526706 bpf: verifier (ad... |
3824 |
if (BPF_MODE(insn->code) == BPF_XADD) { |
31fd85816 bpf: permits narr... |
3825 |
err = check_xadd(env, insn_idx, insn); |
17a526706 bpf: verifier (ad... |
3826 3827 3828 3829 3830 |
if (err) return err; insn_idx++; continue; } |
17a526706 bpf: verifier (ad... |
3831 |
/* check src1 operand */ |
dc503a8ad bpf/verifier: tra... |
3832 |
err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
3833 3834 3835 |
if (err) return err; /* check src2 operand */ |
dc503a8ad bpf/verifier: tra... |
3836 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
3837 3838 |
if (err) return err; |
d691f9e8d bpf: allow progra... |
3839 |
dst_reg_type = regs[insn->dst_reg].type; |
17a526706 bpf: verifier (ad... |
3840 |
/* check that memory (dst_reg + off) is writeable */ |
31fd85816 bpf: permits narr... |
3841 |
err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
17a526706 bpf: verifier (ad... |
3842 |
BPF_SIZE(insn->code), BPF_WRITE, |
3e272a8cd bpf: allow xadd o... |
3843 |
insn->src_reg, false); |
17a526706 bpf: verifier (ad... |
3844 3845 |
if (err) return err; |
3df126f35 bpf: don't (ab)us... |
3846 3847 3848 3849 3850 |
prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type; if (*prev_dst_type == NOT_INIT) { *prev_dst_type = dst_reg_type; } else if (dst_reg_type != *prev_dst_type && |
d691f9e8d bpf: allow progra... |
3851 |
(dst_reg_type == PTR_TO_CTX || |
3df126f35 bpf: don't (ab)us... |
3852 |
*prev_dst_type == PTR_TO_CTX)) { |
d691f9e8d bpf: allow progra... |
3853 3854 3855 3856 |
verbose("same insn cannot be used with different pointers "); return -EINVAL; } |
17a526706 bpf: verifier (ad... |
3857 3858 3859 3860 3861 3862 3863 3864 |
} else if (class == BPF_ST) { if (BPF_MODE(insn->code) != BPF_MEM || insn->src_reg != BPF_REG_0) { verbose("BPF_ST uses reserved fields "); return -EINVAL; } /* check src operand */ |
dc503a8ad bpf/verifier: tra... |
3865 |
err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a526706 bpf: verifier (ad... |
3866 3867 |
if (err) return err; |
a17536742 bpf: reject store... |
3868 3869 3870 3871 3872 3873 |
if (is_ctx_reg(env, insn->dst_reg)) { verbose("BPF_ST stores into R%d context is not allowed ", insn->dst_reg); return -EACCES; } |
17a526706 bpf: verifier (ad... |
3874 |
/* check that memory (dst_reg + off) is writeable */ |
31fd85816 bpf: permits narr... |
3875 |
err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
17a526706 bpf: verifier (ad... |
3876 |
BPF_SIZE(insn->code), BPF_WRITE, |
3e272a8cd bpf: allow xadd o... |
3877 |
-1, false); |
17a526706 bpf: verifier (ad... |
3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889 3890 3891 3892 |
if (err) return err; } else if (class == BPF_JMP) { u8 opcode = BPF_OP(insn->code); if (opcode == BPF_CALL) { if (BPF_SRC(insn->code) != BPF_K || insn->off != 0 || insn->src_reg != BPF_REG_0 || insn->dst_reg != BPF_REG_0) { verbose("BPF_CALL uses reserved fields "); return -EINVAL; } |
81ed18ab3 bpf: add helper i... |
3893 |
err = check_call(env, insn->imm, insn_idx); |
17a526706 bpf: verifier (ad... |
3894 3895 3896 3897 3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 |
if (err) return err; } else if (opcode == BPF_JA) { if (BPF_SRC(insn->code) != BPF_K || insn->imm != 0 || insn->src_reg != BPF_REG_0 || insn->dst_reg != BPF_REG_0) { verbose("BPF_JA uses reserved fields "); return -EINVAL; } insn_idx += insn->off + 1; continue; } else if (opcode == BPF_EXIT) { if (BPF_SRC(insn->code) != BPF_K || insn->imm != 0 || insn->src_reg != BPF_REG_0 || insn->dst_reg != BPF_REG_0) { verbose("BPF_EXIT uses reserved fields "); return -EINVAL; } /* eBPF calling convetion is such that R0 is used * to return the value from eBPF program. * Make sure that it's readable at this time * of bpf_exit, which means that program wrote * something into it earlier */ |
dc503a8ad bpf/verifier: tra... |
3926 |
err = check_reg_arg(env, BPF_REG_0, SRC_OP); |
17a526706 bpf: verifier (ad... |
3927 3928 |
if (err) return err; |
1be7f75d1 bpf: enable non-r... |
3929 3930 3931 3932 3933 |
if (is_pointer_value(env, BPF_REG_0)) { verbose("R0 leaks addr as return value "); return -EACCES; } |
f1bca824d bpf: add search p... |
3934 |
process_bpf_exit: |
17a526706 bpf: verifier (ad... |
3935 3936 3937 3938 3939 3940 3941 3942 3943 3944 3945 3946 3947 3948 3949 3950 |
insn_idx = pop_stack(env, &prev_insn_idx); if (insn_idx < 0) { break; } else { do_print_state = true; continue; } } else { err = check_cond_jmp_op(env, insn, &insn_idx); if (err) return err; } } else if (class == BPF_LD) { u8 mode = BPF_MODE(insn->code); if (mode == BPF_ABS || mode == BPF_IND) { |
ddd872bc3 bpf: verifier: ad... |
3951 3952 3953 |
err = check_ld_abs(env, insn); if (err) return err; |
17a526706 bpf: verifier (ad... |
3954 3955 3956 3957 3958 3959 |
} else if (mode == BPF_IMM) { err = check_ld_imm(env, insn); if (err) return err; insn_idx++; |
2b3ea8ceb bpf: fix branch p... |
3960 |
env->insn_aux_data[insn_idx].seen = true; |
17a526706 bpf: verifier (ad... |
3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 |
} else { verbose("invalid BPF_LD mode "); return -EINVAL; } } else { verbose("unknown insn class %d ", class); return -EINVAL; } insn_idx++; } |
8726679a0 bpf: teach verifi... |
3974 3975 3976 |
verbose("processed %d insns, stack depth %d ", insn_processed, env->prog->aux->stack_depth); |
17a526706 bpf: verifier (ad... |
3977 3978 |
return 0; } |
56f668dfe bpf: Add array of... |
3979 3980 3981 |
static int check_map_prealloc(struct bpf_map *map) { return (map->map_type != BPF_MAP_TYPE_HASH && |
bcc6b1b7e bpf: Add hash of ... |
3982 3983 |
map->map_type != BPF_MAP_TYPE_PERCPU_HASH && map->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) || |
56f668dfe bpf: Add array of... |
3984 3985 |
!(map->map_flags & BPF_F_NO_PREALLOC); } |
fdc15d388 bpf: perf_event p... |
3986 3987 3988 3989 |
static int check_map_prog_compatibility(struct bpf_map *map, struct bpf_prog *prog) { |
56f668dfe bpf: Add array of... |
3990 3991 3992 3993 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 |
/* Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use * preallocated hash maps, since doing memory allocation * in overflow_handler can crash depending on where nmi got * triggered. */ if (prog->type == BPF_PROG_TYPE_PERF_EVENT) { if (!check_map_prealloc(map)) { verbose("perf_event programs can only use preallocated hash map "); return -EINVAL; } if (map->inner_map_meta && !check_map_prealloc(map->inner_map_meta)) { verbose("perf_event programs can only use preallocated inner hash map "); return -EINVAL; } |
fdc15d388 bpf: perf_event p... |
4007 4008 4009 |
} return 0; } |
0246e64d9 bpf: handle pseud... |
4010 4011 4012 |
/* look for pseudo eBPF instructions that access map FDs and * replace them with actual map pointers */ |
58e2af8b3 bpf: expose inter... |
4013 |
static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) |
0246e64d9 bpf: handle pseud... |
4014 4015 4016 |
{ struct bpf_insn *insn = env->prog->insnsi; int insn_cnt = env->prog->len; |
fdc15d388 bpf: perf_event p... |
4017 |
int i, j, err; |
0246e64d9 bpf: handle pseud... |
4018 |
|
f1f7714ea bpf: rework prog_... |
4019 |
err = bpf_prog_calc_tag(env->prog); |
aafe6ae9c bpf: dynamically ... |
4020 4021 |
if (err) return err; |
0246e64d9 bpf: handle pseud... |
4022 |
for (i = 0; i < insn_cnt; i++, insn++) { |
9bac3d6d5 bpf: allow extend... |
4023 |
if (BPF_CLASS(insn->code) == BPF_LDX && |
d691f9e8d bpf: allow progra... |
4024 |
(BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { |
9bac3d6d5 bpf: allow extend... |
4025 4026 4027 4028 |
verbose("BPF_LDX uses reserved fields "); return -EINVAL; } |
d691f9e8d bpf: allow progra... |
4029 4030 4031 4032 4033 4034 4035 |
if (BPF_CLASS(insn->code) == BPF_STX && ((BPF_MODE(insn->code) != BPF_MEM && BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { verbose("BPF_STX uses reserved fields "); return -EINVAL; } |
0246e64d9 bpf: handle pseud... |
4036 4037 4038 4039 4040 4041 4042 4043 4044 4045 4046 4047 4048 4049 4050 4051 4052 4053 4054 4055 4056 4057 4058 |
if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) { struct bpf_map *map; struct fd f; if (i == insn_cnt - 1 || insn[1].code != 0 || insn[1].dst_reg != 0 || insn[1].src_reg != 0 || insn[1].off != 0) { verbose("invalid bpf_ld_imm64 insn "); return -EINVAL; } if (insn->src_reg == 0) /* valid generic load 64-bit imm */ goto next_insn; if (insn->src_reg != BPF_PSEUDO_MAP_FD) { verbose("unrecognized bpf_ld_imm64 insn "); return -EINVAL; } f = fdget(insn->imm); |
c21012976 bpf: align and cl... |
4059 |
map = __bpf_map_get(f); |
0246e64d9 bpf: handle pseud... |
4060 4061 4062 4063 |
if (IS_ERR(map)) { verbose("fd %d is not pointing to valid bpf_map ", insn->imm); |
0246e64d9 bpf: handle pseud... |
4064 4065 |
return PTR_ERR(map); } |
fdc15d388 bpf: perf_event p... |
4066 4067 4068 4069 4070 |
err = check_map_prog_compatibility(map, env->prog); if (err) { fdput(f); return err; } |
0246e64d9 bpf: handle pseud... |
4071 4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 |
/* store map pointer inside BPF_LD_IMM64 instruction */ insn[0].imm = (u32) (unsigned long) map; insn[1].imm = ((u64) (unsigned long) map) >> 32; /* check whether we recorded this map already */ for (j = 0; j < env->used_map_cnt; j++) if (env->used_maps[j] == map) { fdput(f); goto next_insn; } if (env->used_map_cnt >= MAX_USED_MAPS) { fdput(f); return -E2BIG; } |
0246e64d9 bpf: handle pseud... |
4086 4087 4088 |
/* hold the map. If the program is rejected by verifier, * the map will be released by release_maps() or it * will be used by the valid program until it's unloaded |
15239633d bpf: fix referenc... |
4089 |
* and all maps are released in free_used_maps() |
0246e64d9 bpf: handle pseud... |
4090 |
*/ |
92117d844 bpf: fix refcnt o... |
4091 4092 4093 4094 4095 4096 |
map = bpf_map_inc(map, false); if (IS_ERR(map)) { fdput(f); return PTR_ERR(map); } env->used_maps[env->used_map_cnt++] = map; |
0246e64d9 bpf: handle pseud... |
4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 |
fdput(f); next_insn: insn++; i++; } } /* now all pseudo BPF_LD_IMM64 instructions load valid * 'struct bpf_map *' into a register instead of user map_fd. * These pointers will be used later by verifier to validate map access. */ return 0; } /* drop refcnt of maps used by the rejected program */ |
58e2af8b3 bpf: expose inter... |
4112 |
static void release_maps(struct bpf_verifier_env *env) |
0246e64d9 bpf: handle pseud... |
4113 4114 4115 4116 4117 4118 4119 4120 |
{ int i; for (i = 0; i < env->used_map_cnt; i++) bpf_map_put(env->used_maps[i]); } /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */ |
58e2af8b3 bpf: expose inter... |
4121 |
static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env) |
0246e64d9 bpf: handle pseud... |
4122 4123 4124 4125 4126 4127 4128 4129 4130 |
{ struct bpf_insn *insn = env->prog->insnsi; int insn_cnt = env->prog->len; int i; for (i = 0; i < insn_cnt; i++, insn++) if (insn->code == (BPF_LD | BPF_IMM | BPF_DW)) insn->src_reg = 0; } |
8041902da bpf: adjust insn_... |
4131 4132 4133 4134 4135 4136 4137 4138 |
/* single env->prog->insni[off] instruction was replaced with the range * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying * [0, off) and [off, end) to new locations, so the patched range stays zero */ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, u32 off, u32 cnt) { struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; |
2b3ea8ceb bpf: fix branch p... |
4139 |
int i; |
8041902da bpf: adjust insn_... |
4140 4141 4142 4143 4144 4145 4146 4147 4148 |
if (cnt == 1) return 0; new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len); if (!new_data) return -ENOMEM; memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); memcpy(new_data + off + cnt - 1, old_data + off, sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); |
2b3ea8ceb bpf: fix branch p... |
4149 4150 |
for (i = off; i < off + cnt - 1; i++) new_data[i].seen = true; |
8041902da bpf: adjust insn_... |
4151 4152 4153 4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 4167 |
env->insn_aux_data = new_data; vfree(old_data); return 0; } static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off, const struct bpf_insn *patch, u32 len) { struct bpf_prog *new_prog; new_prog = bpf_patch_insn_single(env->prog, off, patch, len); if (!new_prog) return NULL; if (adjust_insn_aux_data(env, new_prog->len, off, len)) return NULL; return new_prog; } |
2b3ea8ceb bpf: fix branch p... |
4168 4169 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 |
/* The verifier does more data flow analysis than llvm and will not explore * branches that are dead at run time. Malicious programs can have dead code * too. Therefore replace all dead at-run-time code with nops. */ static void sanitize_dead_code(struct bpf_verifier_env *env) { struct bpf_insn_aux_data *aux_data = env->insn_aux_data; struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0); struct bpf_insn *insn = env->prog->insnsi; const int insn_cnt = env->prog->len; int i; for (i = 0; i < insn_cnt; i++) { if (aux_data[i].seen) continue; memcpy(insn + i, &nop, sizeof(nop)); } } |
9bac3d6d5 bpf: allow extend... |
4186 4187 4188 |
/* convert load instructions that access fields of 'struct __sk_buff' * into sequence of instructions that access fields of 'struct sk_buff' */ |
58e2af8b3 bpf: expose inter... |
4189 |
static int convert_ctx_accesses(struct bpf_verifier_env *env) |
9bac3d6d5 bpf: allow extend... |
4190 |
{ |
36bbef52c bpf: direct packe... |
4191 |
const struct bpf_verifier_ops *ops = env->prog->aux->ops; |
f96da0947 bpf: simplify nar... |
4192 |
int i, cnt, size, ctx_field_size, delta = 0; |
3df126f35 bpf: don't (ab)us... |
4193 |
const int insn_cnt = env->prog->len; |
36bbef52c bpf: direct packe... |
4194 |
struct bpf_insn insn_buf[16], *insn; |
9bac3d6d5 bpf: allow extend... |
4195 |
struct bpf_prog *new_prog; |
d691f9e8d bpf: allow progra... |
4196 |
enum bpf_access_type type; |
f96da0947 bpf: simplify nar... |
4197 4198 |
bool is_narrower_load; u32 target_size; |
9bac3d6d5 bpf: allow extend... |
4199 |
|
36bbef52c bpf: direct packe... |
4200 4201 4202 4203 4204 4205 4206 4207 |
if (ops->gen_prologue) { cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, env->prog); if (cnt >= ARRAY_SIZE(insn_buf)) { verbose("bpf verifier is misconfigured "); return -EINVAL; } else if (cnt) { |
8041902da bpf: adjust insn_... |
4208 |
new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); |
36bbef52c bpf: direct packe... |
4209 4210 |
if (!new_prog) return -ENOMEM; |
8041902da bpf: adjust insn_... |
4211 |
|
36bbef52c bpf: direct packe... |
4212 |
env->prog = new_prog; |
3df126f35 bpf: don't (ab)us... |
4213 |
delta += cnt - 1; |
36bbef52c bpf: direct packe... |
4214 4215 4216 4217 |
} } if (!ops->convert_ctx_access) |
9bac3d6d5 bpf: allow extend... |
4218 |
return 0; |
3df126f35 bpf: don't (ab)us... |
4219 |
insn = env->prog->insnsi + delta; |
36bbef52c bpf: direct packe... |
4220 |
|
9bac3d6d5 bpf: allow extend... |
4221 |
for (i = 0; i < insn_cnt; i++, insn++) { |
62c7989b2 bpf: allow b/h/w/... |
4222 4223 4224 |
if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) || insn->code == (BPF_LDX | BPF_MEM | BPF_H) || insn->code == (BPF_LDX | BPF_MEM | BPF_W) || |
ea2e7ce5d bpf: support 8-by... |
4225 |
insn->code == (BPF_LDX | BPF_MEM | BPF_DW)) |
d691f9e8d bpf: allow progra... |
4226 |
type = BPF_READ; |
62c7989b2 bpf: allow b/h/w/... |
4227 4228 4229 |
else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) || insn->code == (BPF_STX | BPF_MEM | BPF_H) || insn->code == (BPF_STX | BPF_MEM | BPF_W) || |
ea2e7ce5d bpf: support 8-by... |
4230 |
insn->code == (BPF_STX | BPF_MEM | BPF_DW)) |
d691f9e8d bpf: allow progra... |
4231 4232 |
type = BPF_WRITE; else |
9bac3d6d5 bpf: allow extend... |
4233 |
continue; |
8041902da bpf: adjust insn_... |
4234 |
if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX) |
9bac3d6d5 bpf: allow extend... |
4235 |
continue; |
9bac3d6d5 bpf: allow extend... |
4236 |
|
31fd85816 bpf: permits narr... |
4237 |
ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size; |
f96da0947 bpf: simplify nar... |
4238 |
size = BPF_LDST_BYTES(insn); |
31fd85816 bpf: permits narr... |
4239 4240 4241 4242 4243 4244 |
/* If the read access is a narrower load of the field, * convert to a 4/8-byte load, to minimum program type specific * convert_ctx_access changes. If conversion is successful, * we will apply proper mask to the result. */ |
f96da0947 bpf: simplify nar... |
4245 |
is_narrower_load = size < ctx_field_size; |
31fd85816 bpf: permits narr... |
4246 |
if (is_narrower_load) { |
f96da0947 bpf: simplify nar... |
4247 4248 4249 4250 4251 4252 4253 4254 |
u32 off = insn->off; u8 size_code; if (type == BPF_WRITE) { verbose("bpf verifier narrow ctx access misconfigured "); return -EINVAL; } |
31fd85816 bpf: permits narr... |
4255 |
|
f96da0947 bpf: simplify nar... |
4256 |
size_code = BPF_H; |
31fd85816 bpf: permits narr... |
4257 4258 4259 4260 |
if (ctx_field_size == 4) size_code = BPF_W; else if (ctx_field_size == 8) size_code = BPF_DW; |
f96da0947 bpf: simplify nar... |
4261 |
|
31fd85816 bpf: permits narr... |
4262 4263 4264 |
insn->off = off & ~(ctx_field_size - 1); insn->code = BPF_LDX | BPF_MEM | size_code; } |
f96da0947 bpf: simplify nar... |
4265 4266 4267 4268 4269 4270 |
target_size = 0; cnt = ops->convert_ctx_access(type, insn, insn_buf, env->prog, &target_size); if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) || (ctx_field_size && !target_size)) { |
9bac3d6d5 bpf: allow extend... |
4271 4272 4273 4274 |
verbose("bpf verifier is misconfigured "); return -EINVAL; } |
f96da0947 bpf: simplify nar... |
4275 4276 |
if (is_narrower_load && size < target_size) { |
31fd85816 bpf: permits narr... |
4277 4278 |
if (ctx_field_size <= 4) insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, |
f96da0947 bpf: simplify nar... |
4279 |
(1 << size * 8) - 1); |
31fd85816 bpf: permits narr... |
4280 4281 |
else insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, |
f96da0947 bpf: simplify nar... |
4282 |
(1 << size * 8) - 1); |
31fd85816 bpf: permits narr... |
4283 |
} |
9bac3d6d5 bpf: allow extend... |
4284 |
|
8041902da bpf: adjust insn_... |
4285 |
new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
9bac3d6d5 bpf: allow extend... |
4286 4287 |
if (!new_prog) return -ENOMEM; |
3df126f35 bpf: don't (ab)us... |
4288 |
delta += cnt - 1; |
9bac3d6d5 bpf: allow extend... |
4289 4290 4291 |
/* keep walking new program and skip insns we just inserted */ env->prog = new_prog; |
3df126f35 bpf: don't (ab)us... |
4292 |
insn = new_prog->insnsi + i + delta; |
9bac3d6d5 bpf: allow extend... |
4293 4294 4295 4296 |
} return 0; } |
79741b3bd bpf: refactor fix... |
4297 |
/* fixup insn->imm field of bpf_call instructions |
81ed18ab3 bpf: add helper i... |
4298 |
* and inline eligible helpers as explicit sequence of BPF instructions |
e245c5c6a bpf: move fixup_b... |
4299 4300 4301 |
* * this function is called after eBPF program passed verification */ |
79741b3bd bpf: refactor fix... |
4302 |
static int fixup_bpf_calls(struct bpf_verifier_env *env) |
e245c5c6a bpf: move fixup_b... |
4303 |
{ |
79741b3bd bpf: refactor fix... |
4304 4305 |
struct bpf_prog *prog = env->prog; struct bpf_insn *insn = prog->insnsi; |
e245c5c6a bpf: move fixup_b... |
4306 |
const struct bpf_func_proto *fn; |
79741b3bd bpf: refactor fix... |
4307 |
const int insn_cnt = prog->len; |
81ed18ab3 bpf: add helper i... |
4308 4309 4310 4311 |
struct bpf_insn insn_buf[16]; struct bpf_prog *new_prog; struct bpf_map *map_ptr; int i, cnt, delta = 0; |
e245c5c6a bpf: move fixup_b... |
4312 |
|
79741b3bd bpf: refactor fix... |
4313 |
for (i = 0; i < insn_cnt; i++, insn++) { |
ca0a09672 bpf: fix 32-bit d... |
4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 |
if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) || insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { /* due to JIT bugs clear upper 32-bits of src register * before div/mod operation */ insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg); insn_buf[1] = *insn; cnt = 2; new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); if (!new_prog) return -ENOMEM; delta += cnt - 1; env->prog = prog = new_prog; insn = new_prog->insnsi + i + delta; continue; } |
79741b3bd bpf: refactor fix... |
4331 4332 |
if (insn->code != (BPF_JMP | BPF_CALL)) continue; |
e245c5c6a bpf: move fixup_b... |
4333 |
|
79741b3bd bpf: refactor fix... |
4334 4335 4336 4337 |
if (insn->imm == BPF_FUNC_get_route_realm) prog->dst_needed = 1; if (insn->imm == BPF_FUNC_get_prandom_u32) bpf_user_rnd_init_once(); |
79741b3bd bpf: refactor fix... |
4338 |
if (insn->imm == BPF_FUNC_tail_call) { |
7b9f6da17 Merge git://git.k... |
4339 4340 4341 4342 4343 4344 |
/* If we tail call into other programs, we * cannot make any assumptions since they can * be replaced dynamically during runtime in * the program array. */ prog->cb_access = 1; |
80a58d025 bpf: reconcile bp... |
4345 |
env->prog->aux->stack_depth = MAX_BPF_STACK; |
7b9f6da17 Merge git://git.k... |
4346 |
|
79741b3bd bpf: refactor fix... |
4347 4348 4349 4350 |
/* mark bpf_tail_call as different opcode to avoid * conditional branch in the interpeter for every normal * call and to prevent accidental JITing by JIT compiler * that doesn't support bpf_tail_call yet |
e245c5c6a bpf: move fixup_b... |
4351 |
*/ |
79741b3bd bpf: refactor fix... |
4352 |
insn->imm = 0; |
71189fa9b bpf: free up BPF_... |
4353 |
insn->code = BPF_JMP | BPF_TAIL_CALL; |
a5dbaf876 bpf: prevent out-... |
4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370 4371 4372 4373 4374 4375 4376 4377 4378 4379 4380 4381 4382 4383 |
/* instead of changing every JIT dealing with tail_call * emit two extra insns: * if (index >= max_entries) goto out; * index &= array->index_mask; * to avoid out-of-bounds cpu speculation */ map_ptr = env->insn_aux_data[i + delta].map_ptr; if (map_ptr == BPF_MAP_PTR_POISON) { verbose("tail_call obusing map_ptr "); return -EINVAL; } if (!map_ptr->unpriv_array) continue; insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3, map_ptr->max_entries, 2); insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, container_of(map_ptr, struct bpf_array, map)->index_mask); insn_buf[2] = *insn; cnt = 3; new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); if (!new_prog) return -ENOMEM; delta += cnt - 1; env->prog = prog = new_prog; insn = new_prog->insnsi + i + delta; |
79741b3bd bpf: refactor fix... |
4384 4385 |
continue; } |
e245c5c6a bpf: move fixup_b... |
4386 |
|
89c63074c bpf: make htab in... |
4387 4388 4389 4390 4391 |
/* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup * handlers are currently limited to 64 bit only. */ if (ebpf_jit_enabled() && BITS_PER_LONG == 64 && insn->imm == BPF_FUNC_map_lookup_elem) { |
81ed18ab3 bpf: add helper i... |
4392 |
map_ptr = env->insn_aux_data[i + delta].map_ptr; |
fad73a1a3 bpf: Fix and simp... |
4393 4394 |
if (map_ptr == BPF_MAP_PTR_POISON || !map_ptr->ops->map_gen_lookup) |
81ed18ab3 bpf: add helper i... |
4395 4396 4397 4398 4399 4400 4401 4402 4403 4404 4405 4406 4407 4408 4409 4410 4411 4412 4413 4414 4415 |
goto patch_call_imm; cnt = map_ptr->ops->map_gen_lookup(map_ptr, insn_buf); if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { verbose("bpf verifier is misconfigured "); return -EINVAL; } new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); if (!new_prog) return -ENOMEM; delta += cnt - 1; /* keep walking new program and skip insns we just inserted */ env->prog = prog = new_prog; insn = new_prog->insnsi + i + delta; continue; } |
109980b89 bpf: don't select... |
4416 |
if (insn->imm == BPF_FUNC_redirect_map) { |
7c3001313 bpf: fix ri->map_... |
4417 4418 4419 4420 4421 4422 |
/* Note, we cannot use prog directly as imm as subsequent * rewrites would still change the prog pointer. The only * stable address we can use is aux, which also works with * prog clones during blinding. */ u64 addr = (unsigned long)prog->aux; |
109980b89 bpf: don't select... |
4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 |
struct bpf_insn r4_ld[] = { BPF_LD_IMM64(BPF_REG_4, addr), *insn, }; cnt = ARRAY_SIZE(r4_ld); new_prog = bpf_patch_insn_data(env, i + delta, r4_ld, cnt); if (!new_prog) return -ENOMEM; delta += cnt - 1; env->prog = prog = new_prog; insn = new_prog->insnsi + i + delta; } |
81ed18ab3 bpf: add helper i... |
4437 |
patch_call_imm: |
79741b3bd bpf: refactor fix... |
4438 4439 4440 4441 4442 4443 4444 4445 4446 |
fn = prog->aux->ops->get_func_proto(insn->imm); /* all functions that have prototype and verifier allowed * programs to call them, must be real in-kernel functions */ if (!fn->func) { verbose("kernel subsystem misconfigured func %s#%d ", func_id_name(insn->imm), insn->imm); return -EFAULT; |
e245c5c6a bpf: move fixup_b... |
4447 |
} |
79741b3bd bpf: refactor fix... |
4448 |
insn->imm = fn->func - __bpf_call_base; |
e245c5c6a bpf: move fixup_b... |
4449 |
} |
e245c5c6a bpf: move fixup_b... |
4450 |
|
79741b3bd bpf: refactor fix... |
4451 4452 |
return 0; } |
e245c5c6a bpf: move fixup_b... |
4453 |
|
58e2af8b3 bpf: expose inter... |
4454 |
static void free_states(struct bpf_verifier_env *env) |
f1bca824d bpf: add search p... |
4455 |
{ |
58e2af8b3 bpf: expose inter... |
4456 |
struct bpf_verifier_state_list *sl, *sln; |
f1bca824d bpf: add search p... |
4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 |
int i; if (!env->explored_states) return; for (i = 0; i < env->prog->len; i++) { sl = env->explored_states[i]; if (sl) while (sl != STATE_LIST_MARK) { sln = sl->next; kfree(sl); sl = sln; } } kfree(env->explored_states); } |
9bac3d6d5 bpf: allow extend... |
4475 |
int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) |
51580e798 bpf: verifier (ad... |
4476 |
{ |
cbd357008 bpf: verifier (ad... |
4477 |
char __user *log_ubuf = NULL; |
58e2af8b3 bpf: expose inter... |
4478 |
struct bpf_verifier_env *env; |
51580e798 bpf: verifier (ad... |
4479 |
int ret = -EINVAL; |
58e2af8b3 bpf: expose inter... |
4480 |
/* 'struct bpf_verifier_env' can be global, but since it's not small, |
cbd357008 bpf: verifier (ad... |
4481 4482 |
* allocate/free it every time bpf_check() is called */ |
58e2af8b3 bpf: expose inter... |
4483 |
env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
cbd357008 bpf: verifier (ad... |
4484 4485 |
if (!env) return -ENOMEM; |
3df126f35 bpf: don't (ab)us... |
4486 4487 4488 4489 4490 |
env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * (*prog)->len); ret = -ENOMEM; if (!env->insn_aux_data) goto err_free_env; |
9bac3d6d5 bpf: allow extend... |
4491 |
env->prog = *prog; |
0246e64d9 bpf: handle pseud... |
4492 |
|
cbd357008 bpf: verifier (ad... |
4493 4494 4495 4496 4497 4498 4499 4500 4501 4502 4503 4504 4505 4506 4507 4508 |
/* grab the mutex to protect few globals used by verifier */ mutex_lock(&bpf_verifier_lock); if (attr->log_level || attr->log_buf || attr->log_size) { /* user requested verbose verifier output * and supplied buffer to store the verification trace */ log_level = attr->log_level; log_ubuf = (char __user *) (unsigned long) attr->log_buf; log_size = attr->log_size; log_len = 0; ret = -EINVAL; /* log_* values have to be sane */ if (log_size < 128 || log_size > UINT_MAX >> 8 || log_level == 0 || log_ubuf == NULL) |
3df126f35 bpf: don't (ab)us... |
4509 |
goto err_unlock; |
cbd357008 bpf: verifier (ad... |
4510 4511 4512 4513 |
ret = -ENOMEM; log_buf = vmalloc(log_size); if (!log_buf) |
3df126f35 bpf: don't (ab)us... |
4514 |
goto err_unlock; |
cbd357008 bpf: verifier (ad... |
4515 4516 4517 |
} else { log_level = 0; } |
1ad2f5838 bpf: fix incorrec... |
4518 4519 4520 |
env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT); if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) |
e07b98d9b bpf: Add strict a... |
4521 |
env->strict_alignment = true; |
cbd357008 bpf: verifier (ad... |
4522 |
|
0246e64d9 bpf: handle pseud... |
4523 4524 4525 |
ret = replace_map_fd_with_map_ptr(env); if (ret < 0) goto skip_full_check; |
9bac3d6d5 bpf: allow extend... |
4526 |
env->explored_states = kcalloc(env->prog->len, |
58e2af8b3 bpf: expose inter... |
4527 |
sizeof(struct bpf_verifier_state_list *), |
f1bca824d bpf: add search p... |
4528 4529 4530 4531 |
GFP_USER); ret = -ENOMEM; if (!env->explored_states) goto skip_full_check; |
475fb78fb bpf: verifier (ad... |
4532 4533 4534 |
ret = check_cfg(env); if (ret < 0) goto skip_full_check; |
1be7f75d1 bpf: enable non-r... |
4535 |
env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); |
17a526706 bpf: verifier (ad... |
4536 |
ret = do_check(env); |
cbd357008 bpf: verifier (ad... |
4537 |
|
0246e64d9 bpf: handle pseud... |
4538 |
skip_full_check: |
17a526706 bpf: verifier (ad... |
4539 |
while (pop_stack(env, NULL) >= 0); |
f1bca824d bpf: add search p... |
4540 |
free_states(env); |
0246e64d9 bpf: handle pseud... |
4541 |
|
9bac3d6d5 bpf: allow extend... |
4542 |
if (ret == 0) |
2b3ea8ceb bpf: fix branch p... |
4543 4544 4545 |
sanitize_dead_code(env); if (ret == 0) |
9bac3d6d5 bpf: allow extend... |
4546 4547 |
/* program is valid, convert *(u32*)(ctx + off) accesses */ ret = convert_ctx_accesses(env); |
e245c5c6a bpf: move fixup_b... |
4548 |
if (ret == 0) |
79741b3bd bpf: refactor fix... |
4549 |
ret = fixup_bpf_calls(env); |
e245c5c6a bpf: move fixup_b... |
4550 |
|
cbd357008 bpf: verifier (ad... |
4551 4552 4553 4554 4555 4556 4557 4558 4559 4560 4561 4562 |
if (log_level && log_len >= log_size - 1) { BUG_ON(log_len >= log_size); /* verifier log exceeded user supplied buffer */ ret = -ENOSPC; /* fall through to return what was recorded */ } /* copy verifier log back to user space including trailing zero */ if (log_level && copy_to_user(log_ubuf, log_buf, log_len + 1) != 0) { ret = -EFAULT; goto free_log_buf; } |
0246e64d9 bpf: handle pseud... |
4563 4564 |
if (ret == 0 && env->used_map_cnt) { /* if program passed verifier, update used_maps in bpf_prog_info */ |
9bac3d6d5 bpf: allow extend... |
4565 4566 4567 |
env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt, sizeof(env->used_maps[0]), GFP_KERNEL); |
0246e64d9 bpf: handle pseud... |
4568 |
|
9bac3d6d5 bpf: allow extend... |
4569 |
if (!env->prog->aux->used_maps) { |
0246e64d9 bpf: handle pseud... |
4570 4571 4572 |
ret = -ENOMEM; goto free_log_buf; } |
9bac3d6d5 bpf: allow extend... |
4573 |
memcpy(env->prog->aux->used_maps, env->used_maps, |
0246e64d9 bpf: handle pseud... |
4574 |
sizeof(env->used_maps[0]) * env->used_map_cnt); |
9bac3d6d5 bpf: allow extend... |
4575 |
env->prog->aux->used_map_cnt = env->used_map_cnt; |
0246e64d9 bpf: handle pseud... |
4576 4577 4578 4579 4580 4581 |
/* program is valid. Convert pseudo bpf_ld_imm64 into generic * bpf_ld_imm64 instructions */ convert_pseudo_ld_imm64(env); } |
cbd357008 bpf: verifier (ad... |
4582 4583 4584 4585 |
free_log_buf: if (log_level) vfree(log_buf); |
9bac3d6d5 bpf: allow extend... |
4586 |
if (!env->prog->aux->used_maps) |
0246e64d9 bpf: handle pseud... |
4587 |
/* if we didn't copy map pointers into bpf_prog_info, release |
15239633d bpf: fix referenc... |
4588 |
* them now. Otherwise free_used_maps() will release them. |
0246e64d9 bpf: handle pseud... |
4589 4590 |
*/ release_maps(env); |
9bac3d6d5 bpf: allow extend... |
4591 |
*prog = env->prog; |
3df126f35 bpf: don't (ab)us... |
4592 |
err_unlock: |
cbd357008 bpf: verifier (ad... |
4593 |
mutex_unlock(&bpf_verifier_lock); |
3df126f35 bpf: don't (ab)us... |
4594 4595 4596 |
vfree(env->insn_aux_data); err_free_env: kfree(env); |
51580e798 bpf: verifier (ad... |
4597 4598 |
return ret; } |
13a27dfc6 bpf: enable non-c... |
4599 4600 4601 4602 4603 4604 4605 4606 4607 4608 4609 4610 4611 4612 4613 4614 4615 4616 4617 4618 4619 4620 4621 4622 |
int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops, void *priv) { struct bpf_verifier_env *env; int ret; env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); if (!env) return -ENOMEM; env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog->len); ret = -ENOMEM; if (!env->insn_aux_data) goto err_free_env; env->prog = prog; env->analyzer_ops = ops; env->analyzer_priv = priv; /* grab the mutex to protect few globals used by verifier */ mutex_lock(&bpf_verifier_lock); log_level = 0; |
1ad2f5838 bpf: fix incorrec... |
4623 |
|
e07b98d9b bpf: Add strict a... |
4624 |
env->strict_alignment = false; |
1ad2f5838 bpf: fix incorrec... |
4625 4626 |
if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) env->strict_alignment = true; |
13a27dfc6 bpf: enable non-c... |
4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 4645 4646 4647 4648 4649 4650 4651 4652 4653 |
env->explored_states = kcalloc(env->prog->len, sizeof(struct bpf_verifier_state_list *), GFP_KERNEL); ret = -ENOMEM; if (!env->explored_states) goto skip_full_check; ret = check_cfg(env); if (ret < 0) goto skip_full_check; env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); ret = do_check(env); skip_full_check: while (pop_stack(env, NULL) >= 0); free_states(env); mutex_unlock(&bpf_verifier_lock); vfree(env->insn_aux_data); err_free_env: kfree(env); return ret; } EXPORT_SYMBOL_GPL(bpf_analyzer); |