From patchwork Thu Aug 5 15:53:38 2021
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 493357
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 1/6] bpf: Inherit expanded/patched seen count from old aux data
Date: Thu, 5 Aug 2021 18:53:38 +0300
Message-Id: <20210805155343.3618696-2-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit d203b0fd863a2261e5d00b97f3d060c4c2a6db71 upstream

Instead of relying on current env->pass_cnt, use the seen count from the
old aux data in adjust_insn_aux_data(), and expand it to the new range of
patched instructions. This change is valid given we always expand 1:n
with n>=1, so what applies to the old/original instruction needs to apply
for the replacement as well.

Not relying on env->pass_cnt is a prerequisite for a later change where we
want to avoid marking an instruction seen when verified under speculative
execution path.

Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Reviewed-by: Benedict Schlueter
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
[OP: declare old_data as bool instead of u32 (struct bpf_insn_aux_data.seen
     is bool in 5.4)]
Signed-off-by: Ovidiu Panait
---
 kernel/bpf/verifier.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index aefd94794796..526e52f45ab3 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -8304,6 +8304,7 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, { struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; struct bpf_insn *insn = new_prog->insnsi; + bool old_seen = old_data[off].seen; u32 prog_len; int i; 
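Review bot: The backport note in the commit message says old_data is declared as bool, but in this hunk old_data is still the struct bpf_insn_aux_data pointer and the variable that became bool is the new old_seen. Please correct the [OP: ...] note to name old_seen, so the one deviation from the upstream commit is recorded against the right variable.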
@@ -8324,7 +8325,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, memcpy(new_data + off + cnt - 1, old_data + off, sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); for (i = off; i < off + cnt - 1; i++) { - new_data[i].seen = true; + /* Expand insni[off]'s seen count to the patched range. */ + new_data[i].seen = old_seen; new_data[i].zext_dst = insn_has_def32(env, insn + i); } env->insn_aux_data = new_data;
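Review bot: The comment added inside the for loop still says "seen count", but old_seen is a bool in this backport, so the loop propagates a flag and there is no count to expand. Either reword it for 5.4 (for example "seen state") or say in the backport note that the upstream comment is kept verbatim on purpose. "insni[off]" also looks like a typo for insnsi[off], the array this function reads through new_prog->insnsi.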
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 2/6] bpf: Do not mark insn as seen under speculative path verification
Date: Thu, 5 Aug 2021 18:53:39 +0300
Message-Id: <20210805155343.3618696-3-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e upstream

... in such circumstances, we do not want to mark the instruction as seen
given the goal is still to jmp-1 rewrite/sanitize dead code, if it is not
reachable from the non-speculative path verification. We do however want
to verify it for safety regardless.

With the patch as-is all the insns that have been marked as seen before the
patch will also be marked as seen after the patch (just with a potentially
different non-zero count). An upcoming patch will also verify paths that are
unreachable in the non-speculative domain, hence this extension is needed.

Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Reviewed-by: Benedict Schlueter
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
[OP: - env->pass_cnt is not used in 5.4, so adjust sanitize_mark_insn_seen()
       to assign "true" instead
     - drop sanitize_insn_aux_data() comment changes, as the function is not
       present in 5.4]
Signed-off-by: Ovidiu Panait
---
 kernel/bpf/verifier.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 526e52f45ab3..02a04a30070b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4435,6 +4435,19 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, return !ret ? REASON_STACK : 0; } +static void sanitize_mark_insn_seen(struct bpf_verifier_env *env) +{ + struct bpf_verifier_state *vstate = env->cur_state; + + /* If we simulate paths under speculation, we don't update the + * insn as 'seen' such that when we verify unreachable paths in + * the non-speculative domain, sanitize_dead_code() can still + * rewrite/sanitize them. + */ + if (!vstate->speculative) + env->insn_aux_data[env->insn_idx].seen = true; +} + static int sanitize_err(struct bpf_verifier_env *env, const struct bpf_insn *insn, int reason, const struct bpf_reg_state *off_reg,
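Review bot: sanitize_mark_insn_seen() takes only env and picks the instruction from env->insn_idx itself, so which instruction gets marked depends on where the call sits relative to updates of insn_idx, and the comment in the helper does not say so. Please add a line stating that it marks the instruction at env->insn_idx for the current state; the second do_check() call site relies on this by calling it right after env->insn_idx++.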
@@ -7790,7 +7803,7 @@ static int do_check(struct bpf_verifier_env *env) } regs = cur_regs(env); - env->insn_aux_data[env->insn_idx].seen = true; + sanitize_mark_insn_seen(env); prev_insn_idx = env->insn_idx; if (class == BPF_ALU || class == BPF_ALU64) { 
@@ -8025,7 +8038,7 @@ static int do_check(struct bpf_verifier_env *env) return err; env->insn_idx++; - env->insn_aux_data[env->insn_idx].seen = true; + sanitize_mark_insn_seen(env); } else { verbose(env, "invalid BPF_LD mode\n"); return -EINVAL;
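Why patch 1/6 is a prerequisite for patch 2/6, as an added example (not kernel code and not part of the posted series): a toy model of the per-instruction seen flag in which an instruction reached only on a speculative path is expanded 1:3 and then handed to dead-code sanitization. The toy_* names, the TOY_TRAP value and the four-instruction program are assumptions made for illustration.

```c
/* Added illustration, not kernel code: toy model of the "seen" flag from
 * patches 1/6 and 2/6. All toy_* names and TOY_TRAP are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_TRAP (-1)	/* stands in for the "jmp -1" dead-code rewrite */

struct toy_env {
	int *insns;	/* toy opcodes */
	bool *seen;	/* models insn_aux_data[i].seen (bool in 5.4) */
	int len;
};

/* Models sanitize_mark_insn_seen(): with skip_spec (patch 2/6) an insn
 * walked only on a speculative path stays unseen. */
static void toy_mark_seen(struct toy_env *env, int idx, bool speculative,
			  bool skip_spec)
{
	if (!(speculative && skip_spec))
		env->seen[idx] = true;
}

/* Models adjust_insn_aux_data(): insn 'off' is expanded 1:cnt.
 * inherit=false is the old "seen = true"; inherit=true is patch 1/6. */
static int toy_patch(struct toy_env *env, int off, int cnt, bool inherit)
{
	int new_len = env->len + cnt - 1, tail = env->len - off, i;
	bool old_seen = env->seen[off];
	int *insns;
	bool *seen;

	if (cnt == 1)
		return 0;
	insns = calloc(new_len, sizeof(*insns));
	seen = calloc(new_len, sizeof(*seen));
	if (!insns || !seen) {
		free(insns);
		free(seen);
		return -1;
	}
	memcpy(insns, env->insns, sizeof(*insns) * off);
	memcpy(seen, env->seen, sizeof(*seen) * off);
	/* The old entry at 'off' and all that follow move to the end of the
	 * patched range, like the memcpy() in the kernel hunk. */
	memcpy(insns + off + cnt - 1, env->insns + off, sizeof(*insns) * tail);
	memcpy(seen + off + cnt - 1, env->seen + off, sizeof(*seen) * tail);
	for (i = off; i < off + cnt - 1; i++) {
		insns[i] = env->insns[off];
		seen[i] = inherit ? old_seen : true;
	}
	free(env->insns);
	free(env->seen);
	env->insns = insns;
	env->seen = seen;
	env->len = new_len;
	return 0;
}

/* Models sanitize_dead_code(): every unseen insn becomes a trap. */
static int toy_sanitize_dead_code(struct toy_env *env)
{
	int i, n = 0;
	for (i = 0; i < env->len; i++)
		if (!env->seen[i]) {
			env->insns[i] = TOY_TRAP;
			n++;
		}
	return n;
}

/* Constructed 4-insn program: insn 2 is reached only under speculation and
 * is then expanded 1:3. Returns the number of trapped insns, or -1 if an
 * allocation fails. */
static int toy_run(bool skip_spec, bool inherit)
{
	struct toy_env env = { calloc(4, sizeof(int)), calloc(4, sizeof(bool)), 4 };
	int i, n = -1;
	if (env.insns && env.seen) {
		for (i = 0; i < env.len; i++) {
			env.insns[i] = 100 + i;
			toy_mark_seen(&env, i, i == 2, skip_spec);
		}
		if (toy_patch(&env, 2, 3, inherit) == 0)
			n = toy_sanitize_dead_code(&env);
	}
	free(env.insns);
	free(env.seen);
	return n;
}

int main(void)
{
	printf("neither patch:  %d trapped\n", toy_run(false, false));
	printf("only patch 2/6: %d trapped\n", toy_run(true, false));
	printf("both patches:   %d trapped\n", toy_run(true, true));
	return 0;
}
```

With only the marking change applied, the two inserted copies are forced to seen and survive sanitization; with both changes all three instructions of the expanded range are trapped.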
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 3/6] bpf: Fix leakage under speculation on mispredicted branches
Date: Thu, 5 Aug 2021 18:53:40 +0300
Message-Id: <20210805155343.3618696-4-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit 9183671af6dbf60a1219371d4ed73e23f43b49db upstream

The verifier only enumerates valid control-flow paths and skips paths that
are unreachable in the non-speculative domain. And so it can miss issues
under speculative execution on mispredicted branches.

For example, a type confusion has been demonstrated with the following
crafted program:

  // r0 = pointer to a map array entry
  // r6 = pointer to readable stack slot
  // r9 = scalar controlled by attacker
  1: r0 = *(u64 *)(r0) // cache miss
  2: if r0 != 0x0 goto line 4
  3: r6 = r9
  4: if r0 != 0x1 goto line 6
  5: r9 = *(u8 *)(r6)
  6: // leak r9

Since line 3 runs iff r0 == 0 and line 5 runs iff r0 == 1, the verifier
concludes that the pointer dereference on line 5 is safe. But: if the
attacker trains both the branches to fall-through, such that the following
is speculatively executed ...

  r6 = r9
  r9 = *(u8 *)(r6)
  // leak r9

... then the program will dereference an attacker-controlled value and could
leak its content under speculative execution via side-channel. This requires
to mistrain the branch predictor, which can be rather tricky, because the
branches are mutually exclusive. However such training can be done at
congruent addresses in user space using different branches that are not
mutually exclusive. That is, by training branches in user space ...

  A:  if r0 != 0x0 goto line C
  B:  ...
  C:  if r0 != 0x0 goto line D
  D:  ...

... such that addresses A and C collide to the same CPU branch prediction
entries in the PHT (pattern history table) as those of the BPF program's
lines 2 and 4, respectively. A non-privileged attacker could simply brute
force such collisions in the PHT until observing the attack succeeding.

Alternative methods to mistrain the branch predictor are also possible that
avoid brute forcing the collisions in the PHT. A reliable attack has been
demonstrated, for example, using the following crafted program:

  // r0 = pointer to a [control] map array entry
  // r7 = *(u64 *)(r0 + 0), training/attack phase
  // r8 = *(u64 *)(r0 + 8), oob address
  // [...]
  // r0 = pointer to a [data] map array entry
  1: if r7 == 0x3 goto line 3
  2: r8 = r0
  // crafted sequence of conditional jumps to separate the conditional
  // branch in line 193 from the current execution flow
  3: if r0 != 0x0 goto line 5
  4: if r0 == 0x0 goto exit
  5: if r0 != 0x0 goto line 7
  6: if r0 == 0x0 goto exit
  [...]
  187: if r0 != 0x0 goto line 189
  188: if r0 == 0x0 goto exit
  // load any slowly-loaded value (due to cache miss in phase 3) ...
  189: r3 = *(u64 *)(r0 + 0x1200)
  // ... and turn it into known zero for verifier, while preserving slowly-
  // loaded dependency when executing:
  190: r3 &= 1
  191: r3 &= 2
  // speculatively bypassed phase dependency
  192: r7 += r3
  193: if r7 == 0x3 goto exit
  194: r4 = *(u8 *)(r8 + 0)
  // leak r4

As can be seen, in training phase (phase != 0x3), the condition in line 1
turns into false and therefore r8 with the oob address is overridden with
the valid map value address, which in line 194 we can read out without
issues. However, in attack phase, line 2 is skipped, and due to the cache
miss in line 189 where the map value is (zeroed and later) added to the
phase register, the condition in line 193 takes the fall-through path due
to prior branch predictor training, where under speculation, it'll load the
byte at oob address r8 (unknown scalar type at that point) which could then
be leaked via side-channel.

One way to mitigate these is to 'branch off' an unreachable path, meaning,
the current verification path keeps following the is_branch_taken() path
and we push the other branch to the verification stack. Given this is
unreachable from the non-speculative domain, this branch's vstate is
explicitly marked as speculative. This is needed for two reasons: i) if
this path is solely seen from speculative execution, then we later on still
want the dead code elimination to kick in in order to sanitize these
instructions with jmp-1s, and ii) to ensure that paths walked in the
non-speculative domain are not pruned from earlier walks of paths walked in
the speculative domain. Additionally, for robustness, we mark the registers
which have been part of the conditional as unknown in the speculative path
given there should be no assumptions made on their content.

The fix in here mitigates type confusion attacks described earlier due to
i) all code paths in the BPF program being explored and ii) existing
verifier logic already ensuring that given memory access instruction
references one specific data structure.

An alternative to this fix that has also been looked at in this scope was
to mark aux->alu_state at the jump instruction with a BPF_JMP_TAKEN state
as well as direction encoding (always-goto, always-fallthrough, unknown),
such that mixing of different always-* directions themselves as well as
mixing of always-* with unknown directions would cause a program rejection
by the verifier, e.g. programs with constructs like 'if ([...]) { x = 0; }
else { x = 1; }' with subsequent 'if (x == 1) { [...] }'. For unprivileged,
this would result in only single direction always-* taken paths, and
unknown taken paths being allowed, such that the former could be patched
from a conditional jump to an unconditional jump (ja). Compared to this
approach here, it would have two downsides: i) valid programs that
otherwise are not performing any pointer arithmetic, etc, would potentially
be rejected/broken, and ii) we are required to turn off path pruning for
unprivileged, where both can be avoided in this work through pushing the
invalid branch to the verification stack.

The issue was originally discovered by Adam and Ofek, and later independently discovered and reported as a result of Benedict and Piotr's research work. Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") Reported-by: Adam Morrison Reported-by: Ofek Kirzner Reported-by: Benedict Schlueter Reported-by: Piotr Krysiuk Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Reviewed-by: Benedict Schlueter Reviewed-by: Piotr Krysiuk Acked-by: Alexei Starovoitov [OP: use allow_ptr_leaks instead of bypass_spec_v1] Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 02a04a30070b..52c2b11a0b47 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4346,6 +4346,27 @@ struct bpf_sanitize_info { bool mask_to_left; }; +static struct bpf_verifier_state * +sanitize_speculative_path(struct bpf_verifier_env *env, + const struct bpf_insn *insn, + u32 next_idx, u32 curr_idx) +{ + struct bpf_verifier_state *branch; + struct bpf_reg_state *regs; + + branch = push_stack(env, next_idx, curr_idx, true); + if (branch && insn) { + regs = branch->frame[branch->curframe]->regs; + if (BPF_SRC(insn->code) == BPF_K) { + mark_reg_unknown(env, regs, insn->dst_reg); + } else if (BPF_SRC(insn->code) == BPF_X) { + mark_reg_unknown(env, regs, insn->dst_reg); + mark_reg_unknown(env, regs, insn->src_reg); + } + } + return branch; +} + static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, @@ -4429,7 +4450,8 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, tmp = *dst_reg; *dst_reg = *ptr_reg; } - ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); + ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, + env->insn_idx); if (!ptr_is_dst_reg && ret) *dst_reg = tmp; return !ret ? REASON_STACK : 0; 
@@ -6079,14 +6101,28 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, if (err) return err; } + if (pred == 1) { - /* only follow the goto, ignore fall-through */ + /* Only follow the goto, ignore fall-through. If needed, push + * the fall-through branch for simulation under speculative + * execution. + */ + if (!env->allow_ptr_leaks && + !sanitize_speculative_path(env, insn, *insn_idx + 1, + *insn_idx)) + return -EFAULT; *insn_idx += insn->off; return 0; } else if (pred == 0) { - /* only follow fall-through branch, since - * that's where the program will go + /* Only follow the fall-through branch, since that's where the + * program will go. If needed, push the goto branch for + * simulation under speculative execution. */ + if (!env->allow_ptr_leaks && + !sanitize_speculative_path(env, insn, + *insn_idx + insn->off + 1, + *insn_idx)) + return -EFAULT; return 0; }
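Review bot: sanitize_speculative_path() in the @@ -4346 hunk has no comment stating that insn may be NULL or what a NULL return means, yet sanitize_ptr_alu() passes NULL for insn and every caller tests the result. A short comment above the helper saying that a NULL insn skips the register scrubbing and that NULL is returned when push_stack() fails would make the contract explicit. The BPF_K and BPF_X arms also both call mark_reg_unknown(env, regs, insn->dst_reg); marking dst_reg unconditionally and src_reg only for BPF_X would remove the duplication.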
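Review bot: both new comments in the @@ -6079 hunk of check_cond_jmp_op() say the other branch is pushed "If needed" without naming the condition, which in this backport is !env->allow_ptr_leaks. Spell that out in the comment, since the [OP: use allow_ptr_leaks instead of bypass_spec_v1] line in the commit message is the only place the substitution is recorded. A failed push is also reported as -EFAULT here, while sanitize_ptr_alu() maps the same NULL return to REASON_STACK; a word on why the two differ would help the next reader.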
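The exploration change described in the commit message above, shown on its six-line program as an added toy model in C; this is not kernel code and not part of the patch. The register model, the opcode names and verify() are assumptions made for the illustration; only the program and the idea of pushing the dead branch as a speculative state with the compared register marked unknown come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: per-register type/constant facts and four opcodes. */
enum rtype { SCALAR, PTR };
struct reg { enum rtype type; bool known; long val; };
enum op { LOAD, JNE_IMM, MOV, EXIT };
struct insn { enum op op; int dst, src; long imm; int target; };
struct state { int pc; bool speculative; struct reg r[10]; };

/* The six-line program from the commit message; pc n-1 is its line n. */
static const struct insn prog[] = {
    { LOAD,    0, 0, 0, 0 },  /* 1: r0 = *(u64 *)(r0)        */
    { JNE_IMM, 0, 0, 0, 3 },  /* 2: if r0 != 0x0 goto line 4 */
    { MOV,     6, 9, 0, 0 },  /* 3: r6 = r9                  */
    { JNE_IMM, 0, 0, 1, 5 },  /* 4: if r0 != 0x1 goto line 6 */
    { LOAD,    9, 6, 0, 0 },  /* 5: r9 = *(u8 *)(r6)         */
    { EXIT,    0, 0, 0, 0 },  /* 6: exit                     */
};

#define MAX_STACK 16

/*
 * Returns 0 if every walked path is safe, the 1-based line of the first
 * load through a non-pointer otherwise, or -1 if the pending-state stack
 * overflows. *spec reports whether the rejecting path was speculative.
 */
static int verify(bool push_speculative, bool *spec)
{
    struct state stack[MAX_STACK], st = { .pc = 0 };
    int sp = 0;

    st.r[0].type = PTR;   /* r0 = pointer to a map array entry */
    st.r[6].type = PTR;   /* r6 = pointer to readable stack slot */
                          /* r9 stays an unknown scalar */
    stack[sp++] = st;
    while (sp > 0) {
        st = stack[--sp];
        while (prog[st.pc].op != EXIT) {
            const struct insn *in = &prog[st.pc];
            struct state other = st;
            int pred;

            switch (in->op) {
            case LOAD:
                if (st.r[in->src].type != PTR) {
                    *spec = st.speculative;
                    return st.pc + 1;
                }
                st.r[in->dst] = (struct reg){ SCALAR, false, 0 };
                st.pc++;
                break;
            case MOV:
                st.r[in->dst] = st.r[in->src];
                st.pc++;
                break;
            case JNE_IMM:
                pred = st.r[in->dst].known ?
                       st.r[in->dst].val != in->imm : -1;
                if (pred < 0) {
                    /* Both arms reachable: queue the goto arm and
                     * fall through knowing the register equals imm. */
                    other.pc = in->target;
                    st.r[in->dst] = (struct reg){ SCALAR, true, in->imm };
                    st.pc++;
                } else {
                    /* One arm is architecturally dead. Post-fix it is
                     * still queued, flagged speculative, with the
                     * compared register reset to unknown. */
                    other.pc = pred ? st.pc + 1 : in->target;
                    other.speculative = true;
                    other.r[in->dst] = (struct reg){ SCALAR, false, 0 };
                    st.pc = pred ? in->target : st.pc + 1;
                    if (!push_speculative)
                        break;   /* pre-fix: dead arm never walked */
                }
                if (sp == MAX_STACK)
                    return -1;
                stack[sp++] = other;
                break;
            default:
                return -1;
            }
        }
    }
    *spec = false;
    return 0;
}

int main(void)
{
    bool spec;
    int line = verify(false, &spec);

    printf("reachable paths only: %s\n", line ? "rejected" : "accepted");
    line = verify(true, &spec);
    printf("with speculative paths: line %d rejected (speculative=%d)\n",
           line, spec);
    return 0;
}
```

With only reachable paths walked, line 5 is seen solely with r6 still a pointer; once the dead fall-through of line 4 is queued, the same load is reached with r6 holding the scalar from line 3 and is rejected.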
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 4/6] bpf: Test_verifier, add alu32 bounds tracking tests
Date: Thu, 5 Aug 2021 18:53:41 +0300
Message-Id: <20210805155343.3618696-5-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: John Fastabend

commit 41f70fe0649dddf02046315dc566e06da5a2dc91 upstream

It's possible to have divergent ALU32 and ALU64 bounds when using JMP32
instructions and ALU64 arithmetic operations. Sometimes the clang will
even generate this code. Because the case is a bit tricky let's add
a specific test for it.

Here is a pseudocode asm version to illustrate the idea,

  r0 = 0xffffffff00000001;
  if w0 > 1 goto %l[fail];
  r0 += 1
  if w0 > 2 goto %l[fail]
  exit

The intent here is the verifier will fail the load if the 32bit bounds
are not tracked correctly through ALU64 op. Similarly we can check the
64bit bounds are correctly zero extended after ALU32 ops.

  r0 = 0xffffffff00000001;
  w0 += 1
  if r0 > 3 goto %l[fail];
  exit

The above will fail if we do not correctly zero extend 64bit bounds
after 32bit op.

Signed-off-by: John Fastabend
Signed-off-by: Alexei Starovoitov
Link: https://lore.kernel.org/bpf/158560430155.10843.514209255758200922.stgit@john-Precision-5820-Tower
Signed-off-by: Ovidiu Panait
--- tools/testing/selftests/bpf/verifier/bounds.c | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c index d55f476f2237..d8e5388c9ba7 100644 --- a/tools/testing/selftests/bpf/verifier/bounds.c +++ b/tools/testing/selftests/bpf/verifier/bounds.c
@@ -506,3 +506,42 @@ .errstr = "map_value pointer and 1000000000000", .result = REJECT }, +{ + "bounds check mixed 32bit and 64bit arithmatic. test1", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_1, -1), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), + /* r1 = 0xffffFFFF00000001 */ + BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 1, 3), + /* check ALU64 op keeps 32bit bounds */ + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), + BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 2, 1), + BPF_JMP_A(1), + /* invalid ldx if bounds are lost above */ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), + BPF_EXIT_INSN(), + }, + .result = ACCEPT +}, +{ + "bounds check mixed 32bit and 64bit arithmatic. test2", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_1, -1), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), + /* r1 = 0xffffFFFF00000001 */ + BPF_MOV64_IMM(BPF_REG_2, 3), + /* r1 = 0x2 */ + BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), + /* check ALU32 op zero extends 64bit bounds */ + BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1), + BPF_JMP_A(1), + /* invalid ldx if bounds are lost above */ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), + BPF_EXIT_INSN(), + }, + .result = ACCEPT +},
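Review bot: in test2 of the @@ -506 hunk the comment /* r1 = 0x2 */ sits before BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), the instruction that produces that value, while the /* r1 = 0xffffFFFF00000001 */ comments in both tests follow the instruction they describe; move it below the ALU32 add so the annotations read consistently. Both test names also spell "arithmatic"; since the name is what identifies a test in the results, "arithmetic" is worth correcting before further tests copy it.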
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 5/6] bpf, selftests: Add a verifier test for assigning 32bit reg states to 64bit ones
Date: Thu, 5 Aug 2021 18:53:42 +0300
Message-Id: <20210805155343.3618696-6-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: John Fastabend

commit cf66c29bd7534813d2e1971fab71e25fe87c7e0a upstream

Added a verifier test for assigning 32bit reg states to 64bit where 32bit
reg holds a constant value of 0.

Without previous kernel verifier.c fix, the test in this patch will fail.

Signed-off-by: Yonghong Song
Signed-off-by: John Fastabend
Signed-off-by: Alexei Starovoitov
Link: https://lore.kernel.org/bpf/159077335867.6014.2075350327073125374.stgit@john-Precision-5820-Tower
Signed-off-by: Ovidiu Panait --- tools/testing/selftests/bpf/verifier/bounds.c | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c index d8e5388c9ba7..c42ce135786a 100644 --- a/tools/testing/selftests/bpf/verifier/bounds.c +++ b/tools/testing/selftests/bpf/verifier/bounds.c 
@@ -545,3 +545,25 @@ }, .result = ACCEPT }, +{ + "assigning 32bit bounds to 64bit for wA = 0, wB = wA", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_MOV32_IMM(BPF_REG_9, 0), + BPF_MOV32_REG(BPF_REG_2, BPF_REG_9), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), + BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_2), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), + BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_8, 1), + BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_6, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + .result = ACCEPT, + .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, +},
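Review bot: the test added in the @@ -545 hunk carries no comments, so the reason the load through BPF_REG_6 must be accepted can only be guessed from the test name. A comment at BPF_MOV32_REG(BPF_REG_2, BPF_REG_9) saying that w2 inherits the constant 0 and must remain a known 0 as a 64-bit value when it is added to the packet pointer in r6, and one at the BPF_JGT comparison against data_end, would bring it in line with the annotated tests earlier in bounds.c.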
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com, benedict.schlueter@rub.de, piotras@gmail.com
Subject: [PATCH 5.4 6/6] bpf, selftests: Adjust few selftest outcomes wrt unreachable code
Date: Thu, 5 Aug 2021 18:53:43 +0300
Message-Id: <20210805155343.3618696-7-ovidiu.panait@windriver.com>
In-Reply-To: <20210805155343.3618696-1-ovidiu.panait@windriver.com>
References: <20210805155343.3618696-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann commit 973377ffe8148180b2651825b92ae91988141b05 upstream In almost all cases from test_verifier that have been changed in here, we've had an unreachable path with a load from a register which has an invalid address on purpose. This was basically to make sure that we never walk this path and to have the verifier complain if it would otherwise. Change it to match on the right error for unprivileged given we now test these paths under speculative execution. There's one case where we match on exact # of insns_processed. Due to the extra path, this will of course mismatch on unprivileged. Thus, restrict the test->insn_processed check to privileged-only. In one other case, we result in a 'pointer comparison prohibited' error. This is similarly due to verifying an 'invalid' branch where we end up with a value pointer on one side of the comparison. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov [OP: ignore changes to tests that do not exist in 5.4] Signed-off-by: Ovidiu Panait --- tools/testing/selftests/bpf/test_verifier.c | 2 +- tools/testing/selftests/bpf/verifier/bounds.c | 4 ++++ .../selftests/bpf/verifier/dead_code.c | 2 ++ tools/testing/selftests/bpf/verifier/jmp32.c | 22 +++++++++++++++++++ tools/testing/selftests/bpf/verifier/jset.c | 10 +++++---- tools/testing/selftests/bpf/verifier/unpriv.c | 2 ++ .../selftests/bpf/verifier/value_ptr_arith.c | 7 +++--- 7 files changed, 41 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index d27fd929abb9..43224c5ec1e9 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -980,7 +980,7 @@ static void do_test_single(struct bpf_test *test, bool unpriv, } } - if (test->insn_processed) { + if (!unpriv && test->insn_processed) { uint32_t insn_processed; char *proc; 
diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c index c42ce135786a..92c02e4a1b62 100644 --- a/tools/testing/selftests/bpf/verifier/bounds.c +++ b/tools/testing/selftests/bpf/verifier/bounds.c @@ -523,6 +523,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT }, { @@ -543,6 +545,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT }, { diff --git a/tools/testing/selftests/bpf/verifier/dead_code.c b/tools/testing/selftests/bpf/verifier/dead_code.c index 50a8a63be4ac..a7e60a773da6 100644 --- a/tools/testing/selftests/bpf/verifier/dead_code.c +++ b/tools/testing/selftests/bpf/verifier/dead_code.c @@ -8,6 +8,8 @@ BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, -4), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 7, }, diff --git a/tools/testing/selftests/bpf/verifier/jmp32.c b/tools/testing/selftests/bpf/verifier/jmp32.c index f0961c58581e..f2fabf6ebc61 100644 --- a/tools/testing/selftests/bpf/verifier/jmp32.c +++ b/tools/testing/selftests/bpf/verifier/jmp32.c @@ -72,6 +72,8 @@ BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, }, { @@ -135,6 +137,8 @@ BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, }, { @@ -198,6 +202,8 @@ BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, }, { 
@@ -265,6 +271,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -333,6 +341,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -401,6 +411,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -469,6 +481,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -537,6 +551,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -605,6 +621,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -673,6 +691,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, @@ -741,6 +761,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R0 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 2, }, diff --git a/tools/testing/selftests/bpf/verifier/jset.c b/tools/testing/selftests/bpf/verifier/jset.c index 8dcd4e0383d5..11fc68da735e 100644 --- a/tools/testing/selftests/bpf/verifier/jset.c +++ b/tools/testing/selftests/bpf/verifier/jset.c 
@@ -82,8 +82,8 @@ BPF_EXIT_INSN(), }, .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, - .retval_unpriv = 1, - .result_unpriv = ACCEPT, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .retval = 1, .result = ACCEPT, }, @@ -141,7 +141,8 @@ BPF_EXIT_INSN(), }, .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, - .result_unpriv = ACCEPT, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, }, { @@ -162,6 +163,7 @@ BPF_EXIT_INSN(), }, .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, - .result_unpriv = ACCEPT, + .errstr_unpriv = "R9 !read_ok", + .result_unpriv = REJECT, .result = ACCEPT, }, diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c index c3f6f650deb7..593f5b586e87 100644 --- a/tools/testing/selftests/bpf/verifier/unpriv.c +++ b/tools/testing/selftests/bpf/verifier/unpriv.c @@ -418,6 +418,8 @@ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R7 invalid mem access 'inv'", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 0, }, diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c index f9c91b95080e..188ac92c56d1 100644 --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c @@ -120,7 +120,7 @@ .fixup_map_array_48b = { 1 }, .result = ACCEPT, .result_unpriv = REJECT, - .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", + .errstr_unpriv = "R2 pointer comparison prohibited", .retval = 0, }, { @@ -159,7 +159,8 @@ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), // fake-dead code; targeted from branch A to - // prevent dead code sanitization + // prevent dead code sanitization, rejected + // via branch B however BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), 
@@ -167,7 +168,7 @@ .fixup_map_array_48b = { 1 }, .result = ACCEPT, .result_unpriv = REJECT, - .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", + .errstr_unpriv = "R0 invalid mem access 'inv'", .retval = 0, }, {
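Review bot: In tools/testing/selftests/bpf/test_verifier.c, the new `if (!unpriv && test->insn_processed)` condition in do_test_single() drops the instruction-count check for unprivileged runs, and nothing in the code says why. The reason is given only in the commit message (the extra path makes the count mismatch on unprivileged), so a one-line comment above the condition would keep a later reader from treating the `!unpriv` as an oversight and removing it. If the unprivileged count matters for any test, a separate expected value for unprivileged would keep that coverage instead of skipping the check.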
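Review bot: In tools/testing/selftests/bpf/verifier/value_ptr_arith.c, the hunk at -120,7 changes `.errstr_unpriv` to "R2 pointer comparison prohibited" with no comment in the test, while the other test touched in this file gets its comment extended with "rejected via branch B however". The explanation for the new message exists only in the commit message. Suggest adding a short comment to this test as well, saying that the unprivileged rejection now comes from verifying the 'invalid' branch, where one side of the comparison is a value pointer.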
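Review bot: In tools/testing/selftests/bpf/verifier/value_ptr_arith.c, the hunk at -167,7 removes the second of the two expectations of "R2 tried to add from different maps, paths or scalars" changed by this patch, so neither touched test checks that message for unprivileged any more. Both now expect a rejection for a different reason ("R2 pointer comparison prohibited" and "R0 invalid mem access 'inv'"), which means they no longer show that the pointer-arithmetic check itself fires. Worth confirming that another test in the file still expects the old string under unprivileged, or adding one whose rejection path reaches it.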