From: Eduard Zingerman <eddyz87@gmail.com>
To: "Maciej Żenczykowski" <zenczykowski@gmail.com>,
"BPF Mailing List" <bpf@vger.kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>
Subject: Re: Funky verifier packet range error (> check works, != does not).
Date: Tue, 02 Jan 2024 18:39:55 +0200 [thread overview]
Message-ID: <1b75e54f235a7cb510768ca8142f15171024dd78.camel@gmail.com> (raw)
In-Reply-To: <CAHo-Oow5V2u4ZYvzuR8NmJmFDPNYp0pQDJX66rZqUjFHvhx82A@mail.gmail.com>
On Fri, 2023-12-29 at 17:31 -0800, Maciej Żenczykowski wrote:
> I have a relatively complex program that fails to load on 6.5.6 with a
>
> if (data + 98 != data_end) return TC_ACT_SHOT;
>
> check, that loads fine if I change the above != to (a you would think
> weaker) > check.
>
> It's not important, hit this while debugging, and I don't know if the
> cause is the verifier treating != differently than > or the compiler
> optimizing != somehow... but my gut feeling is on the former: some
> verifier logic special cases > without doing something similar for the
> stronger != comparison.
Please note the following comment in verifier.c:find_good_pkt_pointers():
/* Examples for register markings:
*
* pkt_data in dst register:
*
* r2 = r3;
* r2 += 8;
* if (r2 > pkt_end) goto <handle exception>
* <access okay>
*
* r2 = r3;
* r2 += 8;
* if (r2 < pkt_end) goto <access okay>
* <handle exception>
*
* Where:
* r2 == dst_reg, pkt_end == src_reg
* r2=pkt(id=n,off=8,r=0)
* r3=pkt(id=n,off=0,r=0)
*
... a few lines skipped ...
*
* Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
* or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8)
* and [r3, r3 + 8-1) respectively is safe to access depending on
* the check.
*/
In other words, from 'data + 98 > data_end' follows that 'data + 98 <= data_end',
which means that accessible range for 'data' pointer could be incremented by 97 bytes.
However, the 'data + 98 != data_end' is not sufficient to conclude that 98 more bytes
are available, as e.g. the following: 'data + 42 == data_end' could be true at the same time.
Does this makes sense?
Thanks,
Eduard
next prev parent reply other threads:[~2024-01-02 16:40 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-30 1:31 Funky verifier packet range error (> check works, != does not) Maciej Żenczykowski
2024-01-02 16:39 ` Eduard Zingerman [this message]
2024-01-02 18:30 ` Maciej Żenczykowski
2024-01-02 19:23 ` Eduard Zingerman
2024-01-02 20:36 ` Maciej Żenczykowski
2024-01-02 23:13 ` Eduard Zingerman
2024-01-04 16:41 ` Eduard Zingerman
2024-01-05 0:33 ` Maciej Żenczykowski
2024-01-02 21:45 ` Andrii Nakryiko
2024-01-02 22:45 ` Maciej Żenczykowski
2024-01-02 23:56 ` Yonghong Song
2024-01-03 0:06 ` Andrii Nakryiko
2024-01-03 0:29 ` Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1b75e54f235a7cb510768ca8142f15171024dd78.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=zenczykowski@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox