From: Yonghong Song <yonghong.song@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kernel Team <kernel-team@fb.com>,
Martin KaFai Lau <martin.lau@kernel.org>,
Daniel Hodges <hodgesd@meta.com>
Subject: Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe()
Date: Mon, 12 Aug 2024 13:02:15 -0700 [thread overview]
Message-ID: <666340c4-daed-4a92-a7eb-b6063b13c345@linux.dev> (raw)
In-Reply-To: <e1700911e1d36c40b471c4ec1b229eee50490949.camel@gmail.com>
On 8/12/24 12:43 PM, Eduard Zingerman wrote:
> On Mon, 2024-08-12 at 12:29 -0700, Alexei Starovoitov wrote:
>
> [...]
>
>>> It does not seem correct to swap the order for these two checks:
>>>
>>> if (exact != NOT_EXACT && i < cur->allocated_stack &&
>>> old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
>>> cur->stack[spi].slot_type[i % BPF_REG_SIZE])
>>> return false;
>>>
>>> if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)
>>> && exact == NOT_EXACT) {
>>> i += BPF_REG_SIZE - 1;
>>> /* explored state didn't use this */
>>> continue;
>>> }
>>>
>>> if we do, 'slot_type' won't be checked for 'cur' when 'old' register is not marked live.
>> I see. This is to compare states in open coded iter loops when liveness
>> is not propagated yet, right?
> Yes
>
>> Then when comparing for exact states we should probably do:
>> if (exact != NOT_EXACT &&
>> (i >= cur->allocated_stack ||
>> old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
>> cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
>> return false;
>>
>> ?
> Hm, right, otherwise the old slots in the interval
> [cur->allocated_stack..old->allocated_stack)
> won't be checked using exact rules.
Okay, for *exact* stack slot_type comparison. Will make the change
and send v2 soon.
next prev parent reply other threads:[~2024-08-12 20:02 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-12 5:21 [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Yonghong Song
2024-08-12 5:21 ` [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song
2024-08-12 15:07 ` Yonghong Song
2024-08-12 17:38 ` [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Eduard Zingerman
2024-08-12 17:44 ` Alexei Starovoitov
2024-08-12 17:47 ` Eduard Zingerman
2024-08-12 17:50 ` Alexei Starovoitov
2024-08-12 17:57 ` Eduard Zingerman
2024-08-12 19:29 ` Alexei Starovoitov
2024-08-12 19:43 ` Eduard Zingerman
2024-08-12 20:02 ` Yonghong Song [this message]
2024-08-12 18:26 ` Yonghong Song
2024-08-12 18:30 ` Eduard Zingerman
2024-08-12 18:36 ` Yonghong Song
2024-08-12 18:41 ` Eduard Zingerman
2024-08-12 19:21 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=666340c4-daed-4a92-a7eb-b6063b13c345@linux.dev \
--to=yonghong.song@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=hodgesd@meta.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.