From: "Arthur Fabre" <afabre@cloudflare.com>
To: "Arthur Fabre" <afabre@cloudflare.com>, <bpf@vger.kernel.org>
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"John Fastabend" <john.fastabend@gmail.com>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
<kernel-team@cloudflare.com>
Subject: Re: [PATCH bpf v2 0/2] Don't trust r0 bounds after BPF to BPF calls with abnormal returns
Date: Mon, 16 Dec 2024 18:45:42 +0100
Message-ID: <D6DB9BMTYRIY.2GQMKAM0R1RPN@bobby>
In-Reply-To: <20241213212717.1830565-1-afabre@cloudflare.com>
On Fri Dec 13, 2024 at 10:27 PM CET, Arthur Fabre wrote:
> A BPF function can return before its exit instruction: LD_ABS, LD_IND,
> and tail_call() can all cause it to return prematurely.
>
> When such a function is called by another BPF function, the verifier
> doesn't take this into account when calculating the bounds of r0 in the
> caller after the callee returns.
I've just realized r0 isn't the only problem: a caller can pass a
reference to its stack to a callee, and the verifier also tracks the
value of this.
If the callee writes to the caller's stack after the abnormal return
(tail_call, ld_abs), the verifier will also incorrectly assume the
write always happens.
I think we need to treat these abnormal returns as a branch that can
exit. That way the verifier will explore both possibilities, and the
combined result will really reflect what can happen.
I'll try that out for a v3.
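The two failure modes raised in this message, as an added worked model that is not code from the patch series or from the kernel verifier: a callee is reduced to a straight line of ops, the caller has handed it a pointer to one of its own stack slots, and two analyses compute what the caller may assume once the callee returns. The first walks through tail_call and LD_ABS as if they always fell through (the behaviour the patch description complains about); the second treats each abnormal return as a branch that exits, and joins that exiting path into the caller's view the way a branch target would be joined. The op names, the struct layout and the choice to represent "the tail-called program's return value" as the full int64 range are assumptions of this toy, not verifier internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the thread's problem, not kernel code.
 * A callee is a straight-line list of ops; the caller has passed it a
 * pointer to one of the caller's own stack slots.
 */
enum op_kind {
	OP_STACK_WRITE, /* callee stores into the caller's stack slot                */
	OP_TAIL_CALL,   /* bpf_tail_call(): on success the callee never resumes     */
	OP_LD_ABS,      /* LD_ABS/LD_IND: on failure the function returns 0 early   */
	OP_EXIT,        /* normal exit, r0 = imm                                     */
};

struct op {
	enum op_kind kind;
	int64_t imm;
};

/* The caller's view once the callee has returned. */
struct caller_view {
	int64_t r0_min, r0_max; /* scalar bounds tracked for r0                        */
	bool stack_written;     /* is the slot the callee got a pointer to definitely  */
	                        /* initialised by the time control is back in caller?  */
};

/* Join one exiting path into the accumulated view, like a join at a branch target. */
static void merge_exit(struct caller_view *acc, bool *have_acc,
		       int64_t r0_min, int64_t r0_max, bool stack_written)
{
	if (!*have_acc) {
		acc->r0_min = r0_min;
		acc->r0_max = r0_max;
		acc->stack_written = stack_written;
		*have_acc = true;
		return;
	}
	if (r0_min < acc->r0_min)
		acc->r0_min = r0_min;
	if (r0_max > acc->r0_max)
		acc->r0_max = r0_max;
	/* A slot is only definitely written if it is written on every exiting path. */
	acc->stack_written = acc->stack_written && stack_written;
}

/* fork_abnormal=false: every op falls through (the bug). true: fork at abnormal returns. */
static struct caller_view analyse(const struct op *ops, size_t n, bool fork_abnormal)
{
	struct caller_view acc = { 0, 0, false };
	bool have_acc = false;
	bool written = false; /* caller's slot state along the fallthrough path */

	for (size_t i = 0; i < n; i++) {
		switch (ops[i].kind) {
		case OP_STACK_WRITE:
			written = true;
			break;
		case OP_TAIL_CALL:
			/* Successful tail call: r0 is whatever the tail-called program
			 * returns (modelled here as fully unknown) and the callee never
			 * resumes, so any later write to the caller's slot never happens. */
			if (fork_abnormal)
				merge_exit(&acc, &have_acc, INT64_MIN, INT64_MAX, written);
			break;
		case OP_LD_ABS:
			/* Failed packet load: the function returns 0 right here. */
			if (fork_abnormal)
				merge_exit(&acc, &have_acc, 0, 0, written);
			break;
		case OP_EXIT:
			merge_exit(&acc, &have_acc, ops[i].imm, ops[i].imm, written);
			return acc;
		}
	}
	/* Fell off the end without an exit: r0 unknown. */
	merge_exit(&acc, &have_acc, INT64_MIN, INT64_MAX, written);
	return acc;
}

struct caller_view analyse_trusting(const struct op *ops, size_t n) { return analyse(ops, n, false); }
struct caller_view analyse_forking(const struct op *ops, size_t n)  { return analyse(ops, n, true); }

/* Sample callee (constructed): tail-call first, then initialise the caller's slot, return 1. */
const struct op tailcall_then_write[] = {
	{ OP_TAIL_CALL, 0 }, { OP_STACK_WRITE, 0 }, { OP_EXIT, 1 },
};
const size_t tailcall_then_write_len = 3;

/* Sample callee (constructed): initialise the slot, then a packet load that may fail, return 5. */
const struct op write_then_ldabs[] = {
	{ OP_STACK_WRITE, 0 }, { OP_LD_ABS, 0 }, { OP_EXIT, 5 },
};
const size_t write_then_ldabs_len = 3;

static void show(const char *name, struct caller_view v)
{
	printf("%-24s r0=[%lld,%lld] slot_written=%d\n", name,
	       (long long)v.r0_min, (long long)v.r0_max, v.stack_written);
}

int main(void)
{
	show("trusting/tailcall", analyse_trusting(tailcall_then_write, tailcall_then_write_len));
	show("forking/tailcall", analyse_forking(tailcall_then_write, tailcall_then_write_len));
	show("forking/ldabs", analyse_forking(write_then_ldabs, write_then_ldabs_len));
	return 0;
}
```

On the first sample the trusting walk reports r0 in [1,1] and the slot initialised, which is exactly what a caller must not be allowed to rely on: if the tail call succeeded, the write never ran and r0 is the other program's return value. The forking walk reports the slot as possibly uninitialised and r0 unbounded. On the second sample the write precedes the LD_ABS, so both paths agree the slot is written and only the r0 bounds widen to [0,5].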
Thread overview: 13+ messages
2024-12-13 21:27 [PATCH bpf v2 0/2] Don't trust r0 bounds after BPF to BPF calls with abnormal returns Arthur Fabre
2024-12-13 21:27 ` [PATCH bpf v2 1/2] bpf: " Arthur Fabre
2024-12-13 23:52 ` Eduard Zingerman
2024-12-13 21:27 ` [PATCH bpf v2 2/2] selftests/bpf: Test r0 bounds after BPF to BPF call with abnormal return Arthur Fabre
2024-12-13 23:55 ` Eduard Zingerman
2024-12-16 17:39 ` Arthur Fabre
2024-12-16 18:05 ` Alexei Starovoitov
2024-12-16 18:50 ` Eduard Zingerman
2024-12-16 19:47 ` Alexei Starovoitov
2024-12-16 20:45 ` Arthur Fabre
2024-12-16 18:50 ` Eduard Zingerman
2024-12-16 17:45 ` Arthur Fabre [this message]
2024-12-16 18:03 ` [PATCH bpf v2 0/2] Don't trust r0 bounds after BPF to BPF calls with abnormal returns Alexei Starovoitov