From: Daniel Borkmann <daniel@iogearbox.net>
To: Edward Cree <ecree@solarflare.com>,
davem@davemloft.net,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Alexei Starovoitov <ast@fb.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
iovisor-dev <iovisor-dev@lists.iovisor.org>
Subject: Re: [PATCH v3 net-next 02/12] bpf/verifier: rework value tracking
Date: Wed, 28 Jun 2017 19:09:57 +0200 [thread overview]
Message-ID: <5953E2E5.7040106@iogearbox.net> (raw)
In-Reply-To: <2244b48b-f415-3239-6912-cb09f0abc546@solarflare.com>
On 06/27/2017 02:56 PM, Edward Cree wrote:
> Tracks value alignment by means of tracking known & unknown bits.
> Tightens some min/max value checks and fixes a couple of bugs therein.
> If pointer leaks are allowed, and adjust_ptr_min_max_vals returns -EACCES,
> treat the pointer as an unknown scalar and try again, because we might be
> able to conclude something about the result (e.g. pointer & 0x40 is either
> 0 or 0x40).
>
> Signed-off-by: Edward Cree <ecree@solarflare.com>
[...]
> +static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
> + struct bpf_insn *insn)
> +{
> + struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg, *src_reg;
> + struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
> + u8 opcode = BPF_OP(insn->code);
> + int rc;
> +
> + dst_reg = ®s[insn->dst_reg];
> + check_reg_overflow(dst_reg);
> + src_reg = NULL;
> + if (dst_reg->type != SCALAR_VALUE)
> + ptr_reg = dst_reg;
> + if (BPF_SRC(insn->code) == BPF_X) {
> + src_reg = ®s[insn->src_reg];
> + check_reg_overflow(src_reg);
> +
> + if (src_reg->type != SCALAR_VALUE) {
> + if (dst_reg->type != SCALAR_VALUE) {
> + /* Combining two pointers by any ALU op yields
> + * an arbitrary scalar.
> + */
> + if (!env->allow_ptr_leaks) {
> + verbose("R%d pointer %s pointer prohibited\n",
> + insn->dst_reg,
> + bpf_alu_string[opcode >> 4]);
> + return -EACCES;
> + }
> + mark_reg_unknown(regs, insn->dst_reg);
> + return 0;
> + } else {
> + /* scalar += pointer
> + * This is legal, but we have to reverse our
> + * src/dest handling in computing the range
> + */
> + rc = adjust_ptr_min_max_vals(env, insn,
> + src_reg, dst_reg);
> + if (rc == -EACCES && env->allow_ptr_leaks) {
> + /* scalar += unknown scalar */
> + __mark_reg_unknown(&off_reg);
> + return adjust_scalar_min_max_vals(
> + env, insn,
> + dst_reg, &off_reg);
Could you elaborate on this one? If I understand it correctly, then
the scalar += pointer case would mean the following: given I have one
of the allowed pointer types in adjust_ptr_min_max_vals() then the
prior scalar type inherits the ptr type/id. I would then 'destroy' the
pointer value so we get a -EACCES on it. We mark the tmp off_reg as
scalar type, but shouldn't also actual dst_reg be marked as such
like in below pointer += scalar case, such that we undo the prior
ptr_type inheritance?
> + }
> + return rc;
> + }
> + } else if (ptr_reg) {
> + /* pointer += scalar */
> + rc = adjust_ptr_min_max_vals(env, insn,
> + dst_reg, src_reg);
> + if (rc == -EACCES && env->allow_ptr_leaks) {
> + /* unknown scalar += scalar */
> + __mark_reg_unknown(dst_reg);
> + return adjust_scalar_min_max_vals(
> + env, insn, dst_reg, src_reg);
> + }
> + return rc;
> + }
> + } else {
[...]
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann via iovisor-dev <iovisor-dev-9jONkmmOlFHEE9lA1F8Ukti2O/JbrIOy@public.gmane.org>
To: Edward Cree <ecree-s/n/eUQHGBpZroRs9YW3xA@public.gmane.org>,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org,
Alexei Starovoitov
<alexei.starovoitov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Alexei Starovoitov <ast-b10kYP2dOMg@public.gmane.org>
Cc: netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
iovisor-dev
<iovisor-dev-9jONkmmOlFHEE9lA1F8Ukti2O/JbrIOy@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH v3 net-next 02/12] bpf/verifier: rework value tracking
Date: Wed, 28 Jun 2017 19:09:57 +0200 [thread overview]
Message-ID: <5953E2E5.7040106@iogearbox.net> (raw)
In-Reply-To: <2244b48b-f415-3239-6912-cb09f0abc546-s/n/eUQHGBpZroRs9YW3xA@public.gmane.org>
On 06/27/2017 02:56 PM, Edward Cree wrote:
> Tracks value alignment by means of tracking known & unknown bits.
> Tightens some min/max value checks and fixes a couple of bugs therein.
> If pointer leaks are allowed, and adjust_ptr_min_max_vals returns -EACCES,
> treat the pointer as an unknown scalar and try again, because we might be
> able to conclude something about the result (e.g. pointer & 0x40 is either
> 0 or 0x40).
>
> Signed-off-by: Edward Cree <ecree-s/n/eUQHGBpZroRs9YW3xA@public.gmane.org>
[...]
> +static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
> + struct bpf_insn *insn)
> +{
> + struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg, *src_reg;
> + struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
> + u8 opcode = BPF_OP(insn->code);
> + int rc;
> +
> + dst_reg = ®s[insn->dst_reg];
> + check_reg_overflow(dst_reg);
> + src_reg = NULL;
> + if (dst_reg->type != SCALAR_VALUE)
> + ptr_reg = dst_reg;
> + if (BPF_SRC(insn->code) == BPF_X) {
> + src_reg = ®s[insn->src_reg];
> + check_reg_overflow(src_reg);
> +
> + if (src_reg->type != SCALAR_VALUE) {
> + if (dst_reg->type != SCALAR_VALUE) {
> + /* Combining two pointers by any ALU op yields
> + * an arbitrary scalar.
> + */
> + if (!env->allow_ptr_leaks) {
> + verbose("R%d pointer %s pointer prohibited\n",
> + insn->dst_reg,
> + bpf_alu_string[opcode >> 4]);
> + return -EACCES;
> + }
> + mark_reg_unknown(regs, insn->dst_reg);
> + return 0;
> + } else {
> + /* scalar += pointer
> + * This is legal, but we have to reverse our
> + * src/dest handling in computing the range
> + */
> + rc = adjust_ptr_min_max_vals(env, insn,
> + src_reg, dst_reg);
> + if (rc == -EACCES && env->allow_ptr_leaks) {
> + /* scalar += unknown scalar */
> + __mark_reg_unknown(&off_reg);
> + return adjust_scalar_min_max_vals(
> + env, insn,
> + dst_reg, &off_reg);
Could you elaborate on this one? If I understand it correctly, then
the scalar += pointer case would mean the following: given I have one
of the allowed pointer types in adjust_ptr_min_max_vals() then the
prior scalar type inherits the ptr type/id. I would then 'destroy' the
pointer value so we get a -EACCES on it. We mark the tmp off_reg as
scalar type, but shouldn't also actual dst_reg be marked as such
like in below pointer += scalar case, such that we undo the prior
ptr_type inheritance?
> + }
> + return rc;
> + }
> + } else if (ptr_reg) {
> + /* pointer += scalar */
> + rc = adjust_ptr_min_max_vals(env, insn,
> + dst_reg, src_reg);
> + if (rc == -EACCES && env->allow_ptr_leaks) {
> + /* unknown scalar += scalar */
> + __mark_reg_unknown(dst_reg);
> + return adjust_scalar_min_max_vals(
> + env, insn, dst_reg, src_reg);
> + }
> + return rc;
> + }
> + } else {
[...]
next prev parent reply other threads:[~2017-06-28 17:10 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-27 12:53 [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Edward Cree
2017-06-27 12:53 ` Edward Cree via iovisor-dev
2017-06-27 12:56 ` [PATCH v3 net-next 01/12] selftests/bpf: add test for mixed signed and unsigned bounds checks Edward Cree
2017-06-27 12:56 ` Edward Cree via iovisor-dev
2017-06-28 13:51 ` Daniel Borkmann
2017-06-28 13:51 ` Daniel Borkmann via iovisor-dev
2017-06-27 12:56 ` [PATCH v3 net-next 02/12] bpf/verifier: rework value tracking Edward Cree
2017-06-27 12:56 ` Edward Cree via iovisor-dev
2017-06-28 15:15 ` Daniel Borkmann
2017-06-28 16:07 ` Edward Cree
2017-06-28 16:07 ` Edward Cree via iovisor-dev
2017-06-28 19:44 ` Daniel Borkmann
2017-06-28 19:44 ` Daniel Borkmann via iovisor-dev
2017-06-28 17:09 ` Daniel Borkmann [this message]
2017-06-28 17:09 ` Daniel Borkmann via iovisor-dev
2017-06-28 18:28 ` Edward Cree
2017-06-28 18:28 ` Edward Cree via iovisor-dev
2017-06-29 7:48 ` kbuild test robot
[not found] ` <2244b48b-f415-3239-6912-cb09f0abc546-s/n/eUQHGBpZroRs9YW3xA@public.gmane.org>
2017-07-06 20:26 ` Nadav Amit via iovisor-dev
2017-07-06 21:21 ` [iovisor-dev] " Nadav Amit
2017-07-06 21:21 ` Nadav Amit via iovisor-dev
2017-07-07 13:48 ` [iovisor-dev] " Edward Cree
2017-07-07 13:48 ` Edward Cree via iovisor-dev
2017-07-07 17:45 ` [iovisor-dev] " Nadav Amit
2017-07-07 17:45 ` Nadav Amit via iovisor-dev
2017-07-08 0:54 ` [iovisor-dev] " Nadav Amit
2017-07-08 0:54 ` Nadav Amit via iovisor-dev
2017-07-12 19:13 ` [iovisor-dev] " Edward Cree
2017-07-12 19:13 ` Edward Cree via iovisor-dev
2017-07-12 22:07 ` [iovisor-dev] " Nadav Amit
2017-07-12 22:07 ` Nadav Amit via iovisor-dev
2017-07-17 17:02 ` [iovisor-dev] " Edward Cree
2017-07-17 17:02 ` Edward Cree via iovisor-dev
2017-06-27 12:57 ` [PATCH v3 net-next 03/12] nfp: change bpf verifier hooks to match new verifier data structures Edward Cree
2017-06-27 12:57 ` Edward Cree via iovisor-dev
2017-06-28 20:47 ` Daniel Borkmann
2017-06-28 20:47 ` Daniel Borkmann via iovisor-dev
2017-06-29 3:47 ` Jakub Kicinski
2017-06-29 3:47 ` Jakub Kicinski via iovisor-dev
2017-06-27 12:57 ` [PATCH v3 net-next 04/12] bpf/verifier: track signed and unsigned min/max values Edward Cree
2017-06-27 12:57 ` Edward Cree via iovisor-dev
2017-06-27 12:58 ` [PATCH v3 net-next 05/12] bpf/verifier: more concise register state logs for constant var_off Edward Cree
2017-06-27 12:58 ` Edward Cree via iovisor-dev
2017-06-27 12:58 ` [PATCH v3 net-next 06/12] selftests/bpf: change test_verifier expectations Edward Cree
2017-06-27 12:58 ` Edward Cree via iovisor-dev
2017-06-27 12:59 ` [PATCH v3 net-next 07/12] selftests/bpf: rewrite test_align Edward Cree
2017-06-27 12:59 ` Edward Cree via iovisor-dev
2017-06-27 12:59 ` [PATCH v3 net-next 08/12] selftests/bpf: add a test to test_align Edward Cree
2017-06-27 12:59 ` Edward Cree via iovisor-dev
2017-06-27 12:59 ` [PATCH v3 net-next 09/12] selftests/bpf: add test for bogus operations on pointers Edward Cree
2017-06-27 12:59 ` Edward Cree via iovisor-dev
2017-06-27 12:59 ` [PATCH v3 net-next 10/12] selftests/bpf: don't try to access past MAX_PACKET_OFF in test_verifier Edward Cree
2017-06-27 12:59 ` Edward Cree via iovisor-dev
2017-06-27 13:00 ` [PATCH v3 net-next 11/12] selftests/bpf: add tests for subtraction & negative numbers Edward Cree
2017-06-27 13:00 ` Edward Cree via iovisor-dev
2017-06-27 13:00 ` [PATCH v3 net-next 12/12] selftests/bpf: variable offset negative tests Edward Cree
2017-06-27 13:00 ` Edward Cree via iovisor-dev
2017-06-28 13:50 ` [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Daniel Borkmann
2017-06-28 14:11 ` Edward Cree
2017-06-28 14:11 ` Edward Cree via iovisor-dev
2017-06-28 20:38 ` Daniel Borkmann
2017-06-28 20:38 ` Daniel Borkmann via iovisor-dev
2017-06-28 21:37 ` Alexei Starovoitov
2017-06-28 21:37 ` Alexei Starovoitov via iovisor-dev
2017-06-30 16:44 ` Edward Cree
2017-06-30 16:44 ` Edward Cree via iovisor-dev
2017-06-30 17:34 ` [TEST PATCH] bpf/verifier: roll back ptr&const handling, and fix signed bounds Edward Cree
2017-06-30 17:34 ` Edward Cree via iovisor-dev
2017-06-30 18:15 ` [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Alexei Starovoitov
2017-06-30 18:15 ` Alexei Starovoitov via iovisor-dev
2017-07-04 19:22 ` Edward Cree
2017-07-04 19:22 ` Edward Cree via iovisor-dev
2017-07-04 22:28 ` Daniel Borkmann
2017-07-04 22:28 ` Daniel Borkmann via iovisor-dev
2017-07-06 18:27 ` Edward Cree
2017-07-07 9:14 ` Daniel Borkmann
2017-07-07 9:14 ` Daniel Borkmann via iovisor-dev
2017-07-07 12:50 ` Edward Cree
2017-07-07 12:50 ` Edward Cree via iovisor-dev
2017-07-07 13:05 ` Daniel Borkmann
2017-07-06 14:07 ` Edward Cree
2017-07-06 14:07 ` Edward Cree via iovisor-dev
2017-07-14 20:03 ` [iovisor-dev] " Y Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5953E2E5.7040106@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@fb.com \
--cc=davem@davemloft.net \
--cc=ecree@solarflare.com \
--cc=iovisor-dev@lists.iovisor.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.