* [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe()
@ 2024-08-12 5:21 Yonghong Song
2024-08-12 5:21 ` [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song
2024-08-12 17:38 ` [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Eduard Zingerman
0 siblings, 2 replies; 16+ messages in thread
From: Yonghong Song @ 2024-08-12 5:21 UTC (permalink / raw)
To: bpf
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, kernel-team,
Martin KaFai Lau, Eduard Zingerman, Daniel Hodges
Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
The crash dump looks like below:
[ 65.874474] BUG: kernel NULL pointer dereference, address: 0000000000000088
[ 65.888406] #PF: supervisor read access in kernel mode
[ 65.898682] #PF: error_code(0x0000) - not-present page
[ 65.908957] PGD 0 P4D 0
[ 65.914020] Oops: 0000 [#1] SMP
[ 65.920300] CPU: 19 PID: 9364 Comm: scx_layered Kdump: loaded Tainted: G S E 6.9.5-g93cea04637ea-dirty #7
[ 65.941874] Hardware name: Quanta Delta Lake MP 29F0EMA01D0/Delta Lake-Class1, BIOS F0E_3A19 04/27/2023
[ 65.960664] RIP: 0010:states_equal+0x3ee/0x770
[ 65.969559] Code: 33 85 ed 89 e8 41 0f 48 c7 83 e0 f8 89 e9 29 c1 48 63 c1 4c 89 e9 48 c1 e1 07 49 8d 14 08 0f
b6 54 10 78 49 03 8a 58 05 00 00 <3a> 54 08 78 0f 85 60 03 00 00 49 c1 e5 07 43 8b 44 28 70 83 e0 03
[ 66.007120] RSP: 0018:ffffc9000ebeb8b8 EFLAGS: 00010202
[ 66.017570] RAX: 0000000000000000 RBX: ffff888149719680 RCX: 0000000000000010
[ 66.031843] RDX: 0000000000000000 RSI: ffff88907f4e0c08 RDI: ffff8881572f0000
[ 66.046115] RBP: 0000000000000000 R08: ffff8883d5014000 R09: ffffffff83065d50
[ 66.060386] R10: ffff8881bf9a1800 R11: 0000000000000002 R12: 0000000000000000
[ 66.074659] R13: 0000000000000000 R14: ffff888149719a40 R15: 0000000000000007
[ 66.088932] FS: 00007f5d5da96800(0000) GS:ffff88907f4c0000(0000) knlGS:0000000000000000
[ 66.105114] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 66.116606] CR2: 0000000000000088 CR3: 0000000388261001 CR4: 00000000007706f0
[ 66.130873] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 66.145145] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 66.159416] PKRU: 55555554
[ 66.164823] Call Trace:
[ 66.169709] <TASK>
[ 66.173906] ? __die_body+0x66/0xb0
[ 66.180890] ? page_fault_oops+0x370/0x3d0
[ 66.189082] ? console_unlock+0xb5/0x140
[ 66.196926] ? exc_page_fault+0x4f/0xb0
[ 66.204597] ? asm_exc_page_fault+0x22/0x30
[ 66.212974] ? states_equal+0x3ee/0x770
[ 66.220643] ? states_equal+0x529/0x770
[ 66.228312] do_check+0x60f/0x5240
[ 66.235114] do_check_common+0x388/0x840
[ 66.242960] do_check_subprogs+0x101/0x150
[ 66.251150] bpf_check+0x5d5/0x4b60
[ 66.258134] ? __mod_memcg_state+0x79/0x110
[ 66.266506] ? pcpu_alloc+0x892/0xba0
[ 66.273829] bpf_prog_load+0x5bb/0x660
[ 66.281324] ? bpf_prog_bind_map+0x1e1/0x290
[ 66.289862] __sys_bpf+0x29d/0x3a0
[ 66.296664] __x64_sys_bpf+0x18/0x20
[ 66.303811] do_syscall_64+0x6a/0x140
[ 66.311133] entry_SYSCALL_64_after_hwframe+0x4b/0x53
Forther investigation shows that the crash is due to invalid memory access in stacksafe().
More specifically, it is the following code:
if (exact != NOT_EXACT &&
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
return false;
If cur->allocated_stack is 0, cur->stack will be a ZERO_SIZE_PTR. If this happens,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] will crash the kernel as the memory
address is illegal. This is exactly what happened in the above crash dump.
If cur->allocated_stack is not 0, the above code could trigger array out-of-bound
access.
The patch added a condition 'i < cur->allocated_stack' to ensure
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access always legal.
Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Daniel Hodges <hodgesd@meta.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4cb5441ad75f..1e3d7794bf13 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16883,7 +16883,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
spi = i / BPF_REG_SIZE;
- if (exact != NOT_EXACT &&
+ if (exact != NOT_EXACT && i < cur->allocated_stack &&
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
return false;
--
2.43.5
^ permalink raw reply related [flat|nested] 16+ messages in thread* [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix 2024-08-12 5:21 [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Yonghong Song @ 2024-08-12 5:21 ` Yonghong Song 2024-08-12 15:07 ` Yonghong Song 2024-08-12 17:38 ` [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Eduard Zingerman 1 sibling, 1 reply; 16+ messages in thread From: Yonghong Song @ 2024-08-12 5:21 UTC (permalink / raw) To: bpf Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, kernel-team, Martin KaFai Lau A selftest is added such that without the previous patch, a crash can happen. With the previous patch, the test can run successfully. The new test is written in a way which mimics original crash case: main_prog static_prog_1 static_prog_2 where static_prog_1 has different paths to static_prog_2 and some path has stack allocated and some other path does not. A stacksafe() checking in static_prog_2() triggered the crash. Signed-off-by: Yonghong Song <yonghong.song@linux.dev> --- tools/testing/selftests/bpf/progs/iters.c | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/iters.c b/tools/testing/selftests/bpf/progs/iters.c index 16bdc3e25591..8d3b75147617 100644 --- a/tools/testing/selftests/bpf/progs/iters.c +++ b/tools/testing/selftests/bpf/progs/iters.c @@ -1432,4 +1432,58 @@ int iter_arr_with_actual_elem_count(const void *ctx) return sum; } +__u32 upper, select_n, result; +__u64 global; + +static __noinline bool nest_2(char *str, int len) +{ + /* some insns (including branch insns) to ensure stacksafe() is triggered + * in nest_2(). This way, stacksafe() can compare frame associated with nest_1(). + */ + if (str[0] == 't') + return true; + if (str[1] == 'e') + return true; + if (str[2] == 's') + return true; + if (str[3] == 't') + return true; + return false; +} + +static __noinline bool nest_1(int n) +{ + /* case 0: allocate stack, case 1: no allocate stack */ + switch (n) { + case 0: { + char comm[16]; + + if (bpf_get_current_comm(comm, 16)) + return false; + return nest_2(comm, 16); + } + case 1: + return nest_2((char *)&global, sizeof(global)); + default: + return false; + } +} + +SEC("raw_tp") +__success +int iter_subprog_check_stacksafe(const void *ctx) +{ + long i; + + bpf_for(i, 0, upper) { + if (!nest_1(select_n)) { + result = 1; + return 0; + } + } + + result = 2; + return 0; +} + char _license[] SEC("license") = "GPL"; -- 2.43.5 ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix 2024-08-12 5:21 ` [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song @ 2024-08-12 15:07 ` Yonghong Song 0 siblings, 0 replies; 16+ messages in thread From: Yonghong Song @ 2024-08-12 15:07 UTC (permalink / raw) To: bpf Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, kernel-team, Martin KaFai Lau On 8/11/24 10:21 PM, Yonghong Song wrote: > A selftest is added such that without the previous patch, > a crash can happen. With the previous patch, the test can > run successfully. The new test is written in a way which > mimics original crash case: > main_prog > static_prog_1 > static_prog_2 > where static_prog_1 has different paths to static_prog_2 > and some path has stack allocated and some other path > does not. A stacksafe() checking in static_prog_2() > triggered the crash. > > Signed-off-by: Yonghong Song <yonghong.song@linux.dev> > --- > tools/testing/selftests/bpf/progs/iters.c | 54 +++++++++++++++++++++++ > 1 file changed, 54 insertions(+) > > diff --git a/tools/testing/selftests/bpf/progs/iters.c b/tools/testing/selftests/bpf/progs/iters.c > index 16bdc3e25591..8d3b75147617 100644 > --- a/tools/testing/selftests/bpf/progs/iters.c > +++ b/tools/testing/selftests/bpf/progs/iters.c > @@ -1432,4 +1432,58 @@ int iter_arr_with_actual_elem_count(const void *ctx) > return sum; > } > > +__u32 upper, select_n, result; > +__u64 global; > + > +static __noinline bool nest_2(char *str, int len) Argument 'len' is not needed here. I can make the change after some additional comments. > +{ > + /* some insns (including branch insns) to ensure stacksafe() is triggered > + * in nest_2(). This way, stacksafe() can compare frame associated with nest_1(). > + */ > + if (str[0] == 't') > + return true; > + if (str[1] == 'e') > + return true; > + if (str[2] == 's') > + return true; > + if (str[3] == 't') > + return true; > + return false; > +} > + > +static __noinline bool nest_1(int n) > +{ > + /* case 0: allocate stack, case 1: no allocate stack */ > + switch (n) { > + case 0: { > + char comm[16]; > + > + if (bpf_get_current_comm(comm, 16)) > + return false; > + return nest_2(comm, 16); > + } > + case 1: > + return nest_2((char *)&global, sizeof(global)); > + default: > + return false; > + } To triger the failure, we rely on 'case 0' is explored by the verifier first and 'case 1' is explored later. This seems the case for llvm18 and llvm20. > +} > + > +SEC("raw_tp") > +__success > +int iter_subprog_check_stacksafe(const void *ctx) > +{ > + long i; > + > + bpf_for(i, 0, upper) { > + if (!nest_1(select_n)) { > + result = 1; > + return 0; > + } > + } > + > + result = 2; > + return 0; > +} > + > char _license[] SEC("license") = "GPL"; ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 5:21 [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Yonghong Song 2024-08-12 5:21 ` [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song @ 2024-08-12 17:38 ` Eduard Zingerman 2024-08-12 17:44 ` Alexei Starovoitov 1 sibling, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 17:38 UTC (permalink / raw) To: Yonghong Song, bpf Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, kernel-team, Martin KaFai Lau, Daniel Hodges On Sun, 2024-08-11 at 22:21 -0700, Yonghong Song wrote: > Daniel Hodges reported a kernel verifier crash when playing with sched-ext. > The crash dump looks like below: > > [ 65.874474] BUG: kernel NULL pointer dereference, address: 0000000000000088 > [ 65.888406] #PF: supervisor read access in kernel mode > [ 65.898682] #PF: error_code(0x0000) - not-present page > [ 65.908957] PGD 0 P4D 0 > [ 65.914020] Oops: 0000 [#1] SMP > [ 65.920300] CPU: 19 PID: 9364 Comm: scx_layered Kdump: loaded Tainted: G S E 6.9.5-g93cea04637ea-dirty #7 > [ 65.941874] Hardware name: Quanta Delta Lake MP 29F0EMA01D0/Delta Lake-Class1, BIOS F0E_3A19 04/27/2023 > [ 65.960664] RIP: 0010:states_equal+0x3ee/0x770 > [ 65.969559] Code: 33 85 ed 89 e8 41 0f 48 c7 83 e0 f8 89 e9 29 c1 48 63 c1 4c 89 e9 48 c1 e1 07 49 8d 14 08 0f > b6 54 10 78 49 03 8a 58 05 00 00 <3a> 54 08 78 0f 85 60 03 00 00 49 c1 e5 07 43 8b 44 28 70 83 e0 03 > [ 66.007120] RSP: 0018:ffffc9000ebeb8b8 EFLAGS: 00010202 > [ 66.017570] RAX: 0000000000000000 RBX: ffff888149719680 RCX: 0000000000000010 > [ 66.031843] RDX: 0000000000000000 RSI: ffff88907f4e0c08 RDI: ffff8881572f0000 > [ 66.046115] RBP: 0000000000000000 R08: ffff8883d5014000 R09: ffffffff83065d50 > [ 66.060386] R10: ffff8881bf9a1800 R11: 0000000000000002 R12: 0000000000000000 > [ 66.074659] R13: 0000000000000000 R14: ffff888149719a40 R15: 0000000000000007 > [ 66.088932] FS: 00007f5d5da96800(0000) GS:ffff88907f4c0000(0000) knlGS:0000000000000000 > [ 66.105114] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 66.116606] CR2: 0000000000000088 CR3: 0000000388261001 CR4: 00000000007706f0 > [ 66.130873] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 66.145145] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 66.159416] PKRU: 55555554 > [ 66.164823] Call Trace: > [ 66.169709] <TASK> > [ 66.173906] ? __die_body+0x66/0xb0 > [ 66.180890] ? page_fault_oops+0x370/0x3d0 > [ 66.189082] ? console_unlock+0xb5/0x140 > [ 66.196926] ? exc_page_fault+0x4f/0xb0 > [ 66.204597] ? asm_exc_page_fault+0x22/0x30 > [ 66.212974] ? states_equal+0x3ee/0x770 > [ 66.220643] ? states_equal+0x529/0x770 > [ 66.228312] do_check+0x60f/0x5240 > [ 66.235114] do_check_common+0x388/0x840 > [ 66.242960] do_check_subprogs+0x101/0x150 > [ 66.251150] bpf_check+0x5d5/0x4b60 > [ 66.258134] ? __mod_memcg_state+0x79/0x110 > [ 66.266506] ? pcpu_alloc+0x892/0xba0 > [ 66.273829] bpf_prog_load+0x5bb/0x660 > [ 66.281324] ? bpf_prog_bind_map+0x1e1/0x290 > [ 66.289862] __sys_bpf+0x29d/0x3a0 > [ 66.296664] __x64_sys_bpf+0x18/0x20 > [ 66.303811] do_syscall_64+0x6a/0x140 > [ 66.311133] entry_SYSCALL_64_after_hwframe+0x4b/0x53 > > Forther investigation shows that the crash is due to invalid memory access in stacksafe(). > More specifically, it is the following code: > > if (exact != NOT_EXACT && > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) > return false; > > If cur->allocated_stack is 0, cur->stack will be a ZERO_SIZE_PTR. If this happens, > cur->stack[spi].slot_type[i % BPF_REG_SIZE] will crash the kernel as the memory > address is illegal. This is exactly what happened in the above crash dump. > If cur->allocated_stack is not 0, the above code could trigger array out-of-bound > access. > > The patch added a condition 'i < cur->allocated_stack' to ensure > cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access always legal. > > Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") > Cc: Eduard Zingerman <eddyz87@gmail.com> > Reported-by: Daniel Hodges <hodgesd@meta.com> > Signed-off-by: Yonghong Song <yonghong.song@linux.dev> > --- My bad, for some reason I thought that 'if (i >= cur->allocated_stack) return false;' check below would be sufficient. (Which is obviously not true, sigh...). Acked-by: Eduard Zingerman <eddyz87@gmail.com> [...] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:38 ` [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Eduard Zingerman @ 2024-08-12 17:44 ` Alexei Starovoitov 2024-08-12 17:47 ` Eduard Zingerman 0 siblings, 1 reply; 16+ messages in thread From: Alexei Starovoitov @ 2024-08-12 17:44 UTC (permalink / raw) To: Eduard Zingerman Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, Aug 12, 2024 at 10:38 AM Eduard Zingerman <eddyz87@gmail.com> wrote: > > On Sun, 2024-08-11 at 22:21 -0700, Yonghong Song wrote: > > Daniel Hodges reported a kernel verifier crash when playing with sched-ext. > > The crash dump looks like below: > > > > [ 65.874474] BUG: kernel NULL pointer dereference, address: 0000000000000088 > > [ 65.888406] #PF: supervisor read access in kernel mode > > [ 65.898682] #PF: error_code(0x0000) - not-present page > > [ 65.908957] PGD 0 P4D 0 > > [ 65.914020] Oops: 0000 [#1] SMP > > [ 65.920300] CPU: 19 PID: 9364 Comm: scx_layered Kdump: loaded Tainted: G S E 6.9.5-g93cea04637ea-dirty #7 > > [ 65.941874] Hardware name: Quanta Delta Lake MP 29F0EMA01D0/Delta Lake-Class1, BIOS F0E_3A19 04/27/2023 > > [ 65.960664] RIP: 0010:states_equal+0x3ee/0x770 > > [ 65.969559] Code: 33 85 ed 89 e8 41 0f 48 c7 83 e0 f8 89 e9 29 c1 48 63 c1 4c 89 e9 48 c1 e1 07 49 8d 14 08 0f > > b6 54 10 78 49 03 8a 58 05 00 00 <3a> 54 08 78 0f 85 60 03 00 00 49 c1 e5 07 43 8b 44 28 70 83 e0 03 > > [ 66.007120] RSP: 0018:ffffc9000ebeb8b8 EFLAGS: 00010202 > > [ 66.017570] RAX: 0000000000000000 RBX: ffff888149719680 RCX: 0000000000000010 > > [ 66.031843] RDX: 0000000000000000 RSI: ffff88907f4e0c08 RDI: ffff8881572f0000 > > [ 66.046115] RBP: 0000000000000000 R08: ffff8883d5014000 R09: ffffffff83065d50 > > [ 66.060386] R10: ffff8881bf9a1800 R11: 0000000000000002 R12: 0000000000000000 > > [ 66.074659] R13: 0000000000000000 R14: ffff888149719a40 R15: 0000000000000007 > > [ 66.088932] FS: 00007f5d5da96800(0000) GS:ffff88907f4c0000(0000) knlGS:0000000000000000 > > [ 66.105114] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > [ 66.116606] CR2: 0000000000000088 CR3: 0000000388261001 CR4: 00000000007706f0 > > [ 66.130873] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > > [ 66.145145] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > > [ 66.159416] PKRU: 55555554 > > [ 66.164823] Call Trace: > > [ 66.169709] <TASK> > > [ 66.173906] ? __die_body+0x66/0xb0 > > [ 66.180890] ? page_fault_oops+0x370/0x3d0 > > [ 66.189082] ? console_unlock+0xb5/0x140 > > [ 66.196926] ? exc_page_fault+0x4f/0xb0 > > [ 66.204597] ? asm_exc_page_fault+0x22/0x30 > > [ 66.212974] ? states_equal+0x3ee/0x770 > > [ 66.220643] ? states_equal+0x529/0x770 > > [ 66.228312] do_check+0x60f/0x5240 > > [ 66.235114] do_check_common+0x388/0x840 > > [ 66.242960] do_check_subprogs+0x101/0x150 > > [ 66.251150] bpf_check+0x5d5/0x4b60 > > [ 66.258134] ? __mod_memcg_state+0x79/0x110 > > [ 66.266506] ? pcpu_alloc+0x892/0xba0 > > [ 66.273829] bpf_prog_load+0x5bb/0x660 > > [ 66.281324] ? bpf_prog_bind_map+0x1e1/0x290 > > [ 66.289862] __sys_bpf+0x29d/0x3a0 > > [ 66.296664] __x64_sys_bpf+0x18/0x20 > > [ 66.303811] do_syscall_64+0x6a/0x140 > > [ 66.311133] entry_SYSCALL_64_after_hwframe+0x4b/0x53 > > > > Forther investigation shows that the crash is due to invalid memory access in stacksafe(). > > More specifically, it is the following code: > > > > if (exact != NOT_EXACT && > > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) > > return false; > > > > If cur->allocated_stack is 0, cur->stack will be a ZERO_SIZE_PTR. If this happens, > > cur->stack[spi].slot_type[i % BPF_REG_SIZE] will crash the kernel as the memory > > address is illegal. This is exactly what happened in the above crash dump. > > If cur->allocated_stack is not 0, the above code could trigger array out-of-bound > > access. > > > > The patch added a condition 'i < cur->allocated_stack' to ensure > > cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access always legal. > > > > Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") > > Cc: Eduard Zingerman <eddyz87@gmail.com> > > Reported-by: Daniel Hodges <hodgesd@meta.com> > > Signed-off-by: Yonghong Song <yonghong.song@linux.dev> > > --- > > My bad, for some reason I thought that 'if (i >= cur->allocated_stack) return false;' > check below would be sufficient. (Which is obviously not true, sigh...). > > Acked-by: Eduard Zingerman <eddyz87@gmail.com> Should we move the check up instead? if (i >= cur->allocated_stack) return false; Checking it twice looks odd. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:44 ` Alexei Starovoitov @ 2024-08-12 17:47 ` Eduard Zingerman 2024-08-12 17:50 ` Alexei Starovoitov 0 siblings, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 17:47 UTC (permalink / raw) To: Alexei Starovoitov Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, 2024-08-12 at 10:44 -0700, Alexei Starovoitov wrote: [...] > Should we move the check up instead? > > if (i >= cur->allocated_stack) > return false; > > Checking it twice looks odd. A few checks before that, namely: if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && exact == NOT_EXACT) { i += BPF_REG_SIZE - 1; /* explored state didn't use this */ continue; } if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) continue; if (env->allow_uninit_stack && old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) continue; Should be done regardless cur->allocated_stack. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:47 ` Eduard Zingerman @ 2024-08-12 17:50 ` Alexei Starovoitov 2024-08-12 17:57 ` Eduard Zingerman 2024-08-12 18:26 ` Yonghong Song 0 siblings, 2 replies; 16+ messages in thread From: Alexei Starovoitov @ 2024-08-12 17:50 UTC (permalink / raw) To: Eduard Zingerman Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, Aug 12, 2024 at 10:47 AM Eduard Zingerman <eddyz87@gmail.com> wrote: > > On Mon, 2024-08-12 at 10:44 -0700, Alexei Starovoitov wrote: > > [...] > > > Should we move the check up instead? > > > > if (i >= cur->allocated_stack) > > return false; > > > > Checking it twice looks odd. > > A few checks before that, namely: > > if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) > && exact == NOT_EXACT) { > i += BPF_REG_SIZE - 1; > /* explored state didn't use this */ > continue; > } > > if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) > continue; > > if (env->allow_uninit_stack && > old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) > continue; > > Should be done regardless cur->allocated_stack. Right, but then let's sink old->slot_type != cur->slot_type down? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:50 ` Alexei Starovoitov @ 2024-08-12 17:57 ` Eduard Zingerman 2024-08-12 19:29 ` Alexei Starovoitov 2024-08-12 18:26 ` Yonghong Song 1 sibling, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 17:57 UTC (permalink / raw) To: Alexei Starovoitov Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, 2024-08-12 at 10:50 -0700, Alexei Starovoitov wrote: > On Mon, Aug 12, 2024 at 10:47 AM Eduard Zingerman <eddyz87@gmail.com> wrote: > > > > On Mon, 2024-08-12 at 10:44 -0700, Alexei Starovoitov wrote: > > > > [...] > > > > > Should we move the check up instead? > > > > > > if (i >= cur->allocated_stack) > > > return false; > > > > > > Checking it twice looks odd. > > > > A few checks before that, namely: > > > > if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) > > && exact == NOT_EXACT) { > > i += BPF_REG_SIZE - 1; > > /* explored state didn't use this */ > > continue; > > } > > > > if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) > > continue; > > > > if (env->allow_uninit_stack && > > old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) > > continue; > > > > Should be done regardless cur->allocated_stack. > > Right, but then let's sink old->slot_type != cur->slot_type down? It does not seem correct to swap the order for these two checks: if (exact != NOT_EXACT && i < cur->allocated_stack && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && exact == NOT_EXACT) { i += BPF_REG_SIZE - 1; /* explored state didn't use this */ continue; } if we do, 'slot_type' won't be checked for 'cur' when 'old' register is not marked live. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:57 ` Eduard Zingerman @ 2024-08-12 19:29 ` Alexei Starovoitov 2024-08-12 19:43 ` Eduard Zingerman 0 siblings, 1 reply; 16+ messages in thread From: Alexei Starovoitov @ 2024-08-12 19:29 UTC (permalink / raw) To: Eduard Zingerman Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, Aug 12, 2024 at 10:57 AM Eduard Zingerman <eddyz87@gmail.com> wrote: > > On Mon, 2024-08-12 at 10:50 -0700, Alexei Starovoitov wrote: > > On Mon, Aug 12, 2024 at 10:47 AM Eduard Zingerman <eddyz87@gmail.com> wrote: > > > > > > On Mon, 2024-08-12 at 10:44 -0700, Alexei Starovoitov wrote: > > > > > > [...] > > > > > > > Should we move the check up instead? > > > > > > > > if (i >= cur->allocated_stack) > > > > return false; > > > > > > > > Checking it twice looks odd. > > > > > > A few checks before that, namely: > > > > > > if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) > > > && exact == NOT_EXACT) { > > > i += BPF_REG_SIZE - 1; > > > /* explored state didn't use this */ > > > continue; > > > } > > > > > > if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) > > > continue; > > > > > > if (env->allow_uninit_stack && > > > old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) > > > continue; > > > > > > Should be done regardless cur->allocated_stack. > > > > Right, but then let's sink old->slot_type != cur->slot_type down? > > It does not seem correct to swap the order for these two checks: > > if (exact != NOT_EXACT && i < cur->allocated_stack && > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) > return false; > > if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) > && exact == NOT_EXACT) { > i += BPF_REG_SIZE - 1; > /* explored state didn't use this */ > continue; > } > > if we do, 'slot_type' won't be checked for 'cur' when 'old' register is not marked live. I see. This is to compare states in open coded iter loops when liveness is not propagated yet, right? Then when comparing for exact states we should probably do: if (exact != NOT_EXACT && (i >= cur->allocated_stack || old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE])) return false; ? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 19:29 ` Alexei Starovoitov @ 2024-08-12 19:43 ` Eduard Zingerman 2024-08-12 20:02 ` Yonghong Song 0 siblings, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 19:43 UTC (permalink / raw) To: Alexei Starovoitov Cc: Yonghong Song, bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, 2024-08-12 at 12:29 -0700, Alexei Starovoitov wrote: [...] > > It does not seem correct to swap the order for these two checks: > > > > if (exact != NOT_EXACT && i < cur->allocated_stack && > > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) > > return false; > > > > if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) > > && exact == NOT_EXACT) { > > i += BPF_REG_SIZE - 1; > > /* explored state didn't use this */ > > continue; > > } > > > > if we do, 'slot_type' won't be checked for 'cur' when 'old' register is not marked live. > > I see. This is to compare states in open coded iter loops when liveness > is not propagated yet, right? Yes > > Then when comparing for exact states we should probably do: > if (exact != NOT_EXACT && > (i >= cur->allocated_stack || > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > cur->stack[spi].slot_type[i % BPF_REG_SIZE])) > return false; > > ? Hm, right, otherwise the old slots in the interval [cur->allocated_stack..old->allocated_stack) won't be checked using exact rules. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 19:43 ` Eduard Zingerman @ 2024-08-12 20:02 ` Yonghong Song 0 siblings, 0 replies; 16+ messages in thread From: Yonghong Song @ 2024-08-12 20:02 UTC (permalink / raw) To: Eduard Zingerman, Alexei Starovoitov Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On 8/12/24 12:43 PM, Eduard Zingerman wrote: > On Mon, 2024-08-12 at 12:29 -0700, Alexei Starovoitov wrote: > > [...] > >>> It does not seem correct to swap the order for these two checks: >>> >>> if (exact != NOT_EXACT && i < cur->allocated_stack && >>> old->stack[spi].slot_type[i % BPF_REG_SIZE] != >>> cur->stack[spi].slot_type[i % BPF_REG_SIZE]) >>> return false; >>> >>> if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) >>> && exact == NOT_EXACT) { >>> i += BPF_REG_SIZE - 1; >>> /* explored state didn't use this */ >>> continue; >>> } >>> >>> if we do, 'slot_type' won't be checked for 'cur' when 'old' register is not marked live. >> I see. This is to compare states in open coded iter loops when liveness >> is not propagated yet, right? > Yes > >> Then when comparing for exact states we should probably do: >> if (exact != NOT_EXACT && >> (i >= cur->allocated_stack || >> old->stack[spi].slot_type[i % BPF_REG_SIZE] != >> cur->stack[spi].slot_type[i % BPF_REG_SIZE])) >> return false; >> >> ? > Hm, right, otherwise the old slots in the interval > [cur->allocated_stack..old->allocated_stack) > won't be checked using exact rules. Okay, for *exact* stack slot_type comparison. Will make the change and send v2 soon. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 17:50 ` Alexei Starovoitov 2024-08-12 17:57 ` Eduard Zingerman @ 2024-08-12 18:26 ` Yonghong Song 2024-08-12 18:30 ` Eduard Zingerman 1 sibling, 1 reply; 16+ messages in thread From: Yonghong Song @ 2024-08-12 18:26 UTC (permalink / raw) To: Alexei Starovoitov, Eduard Zingerman Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On 8/12/24 10:50 AM, Alexei Starovoitov wrote: > On Mon, Aug 12, 2024 at 10:47 AM Eduard Zingerman <eddyz87@gmail.com> wrote: >> On Mon, 2024-08-12 at 10:44 -0700, Alexei Starovoitov wrote: >> >> [...] >> >>> Should we move the check up instead? >>> >>> if (i >= cur->allocated_stack) >>> return false; >>> >>> Checking it twice looks odd. >> A few checks before that, namely: >> >> if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) >> && exact == NOT_EXACT) { >> i += BPF_REG_SIZE - 1; >> /* explored state didn't use this */ >> continue; >> } >> >> if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) >> continue; >> >> if (env->allow_uninit_stack && >> old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) >> continue; >> >> Should be done regardless cur->allocated_stack. > Right, but then let's sink old->slot_type != cur->slot_type down? We could do the following to avoid double comparison: diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index df3be12096cf..1906798f1a3d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -17338,10 +17338,13 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, */ for (i = 0; i < old->allocated_stack; i++) { struct bpf_reg_state *old_reg, *cur_reg; + bool cur_exceed_bound; spi = i / BPF_REG_SIZE; - if (exact != NOT_EXACT && + cur_exceed_bound = i >= cur->allocated_stack; + + if (exact != NOT_EXACT && !cur_exceed_bound && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; @@ -17363,7 +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, /* explored stack has more populated slots than current stack * and these slots were used */ - if (i >= cur->allocated_stack) + if (cur_exceed_bound) return false; /* 64-bit scalar spill vs all slots MISC and vice versa. WDYT? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 18:26 ` Yonghong Song @ 2024-08-12 18:30 ` Eduard Zingerman 2024-08-12 18:36 ` Yonghong Song 0 siblings, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 18:30 UTC (permalink / raw) To: Yonghong Song, Alexei Starovoitov Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, 2024-08-12 at 11:26 -0700, Yonghong Song wrote: [...] > > We could do the following to avoid double comparison: diff --git > a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index > df3be12096cf..1906798f1a3d 100644 --- a/kernel/bpf/verifier.c +++ > b/kernel/bpf/verifier.c @@ -17338,10 +17338,13 @@ static bool > stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, */ > for (i = 0; i < old->allocated_stack; i++) { struct bpf_reg_state > *old_reg, *cur_reg; + bool cur_exceed_bound; spi = i / BPF_REG_SIZE; - > if (exact != NOT_EXACT && + cur_exceed_bound = i >= > cur->allocated_stack; + + if (exact != NOT_EXACT && !cur_exceed_bound && > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; @@ -17363,7 > +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct > bpf_func_state *old, /* explored stack has more populated slots than > current stack * and these slots were used */ - if (i >= > cur->allocated_stack) + if (cur_exceed_bound) return false; /* 64-bit > scalar spill vs all slots MISC and vice versa. WDYT? > Yonghong, something went wrong with formatting of the above email, could you please resend? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 18:30 ` Eduard Zingerman @ 2024-08-12 18:36 ` Yonghong Song 2024-08-12 18:41 ` Eduard Zingerman 0 siblings, 1 reply; 16+ messages in thread From: Yonghong Song @ 2024-08-12 18:36 UTC (permalink / raw) To: Eduard Zingerman, Alexei Starovoitov Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On 8/12/24 11:30 AM, Eduard Zingerman wrote: > On Mon, 2024-08-12 at 11:26 -0700, Yonghong Song wrote: > > [...] > >> We could do the following to avoid double comparison: diff --git >> a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index >> df3be12096cf..1906798f1a3d 100644 --- a/kernel/bpf/verifier.c +++ >> b/kernel/bpf/verifier.c @@ -17338,10 +17338,13 @@ static bool >> stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, */ >> for (i = 0; i < old->allocated_stack; i++) { struct bpf_reg_state >> *old_reg, *cur_reg; + bool cur_exceed_bound; spi = i / BPF_REG_SIZE; - >> if (exact != NOT_EXACT && + cur_exceed_bound = i >= >> cur->allocated_stack; + + if (exact != NOT_EXACT && !cur_exceed_bound && >> old->stack[spi].slot_type[i % BPF_REG_SIZE] != >> cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; @@ -17363,7 >> +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct >> bpf_func_state *old, /* explored stack has more populated slots than >> current stack * and these slots were used */ - if (i >= >> cur->allocated_stack) + if (cur_exceed_bound) return false; /* 64-bit >> scalar spill vs all slots MISC and vice versa. WDYT? >> > Yonghong, something went wrong with formatting of the above email, > could you please resend? Sorry, I copy-paste from 'git diff' result to my email window. Not sure why it caused the format issue after I sent out. Anyway, the following is the patch I suggested: diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index df3be12096cf..1906798f1a3d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -17338,10 +17338,13 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, */ for (i = 0; i < old->allocated_stack; i++) { struct bpf_reg_state *old_reg, *cur_reg; + bool cur_exceed_bound; spi = i / BPF_REG_SIZE; - if (exact != NOT_EXACT && + cur_exceed_bound = i >= cur->allocated_stack; + + if (exact != NOT_EXACT && !cur_exceed_bound && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; @@ -17363,7 +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, /* explored stack has more populated slots than current stack * and these slots were used */ - if (i >= cur->allocated_stack) + if (cur_exceed_bound) return false; /* 64-bit scalar spill vs all slots MISC and vice versa. ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 18:36 ` Yonghong Song @ 2024-08-12 18:41 ` Eduard Zingerman 2024-08-12 19:21 ` Yonghong Song 0 siblings, 1 reply; 16+ messages in thread From: Eduard Zingerman @ 2024-08-12 18:41 UTC (permalink / raw) To: Yonghong Song, Alexei Starovoitov Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On Mon, 2024-08-12 at 11:36 -0700, Yonghong Song wrote: [...] > Sorry, I copy-paste from 'git diff' result to my email window. Not sure > why it caused the format issue after I sent out. Sure, no problem > Anyway, the following is the patch I suggested: > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index df3be12096cf..1906798f1a3d 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -17338,10 +17338,13 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, > */ > for (i = 0; i < old->allocated_stack; i++) { > struct bpf_reg_state *old_reg, *cur_reg; > + bool cur_exceed_bound; > > spi = i / BPF_REG_SIZE; > > - if (exact != NOT_EXACT && > + cur_exceed_bound = i >= cur->allocated_stack; idk, I think C compiler would do this anyways, to me the code is fine both with and without this additional variable. > + > + if (exact != NOT_EXACT && !cur_exceed_bound && > old->stack[spi].slot_type[i % BPF_REG_SIZE] != > cur->stack[spi].slot_type[i % BPF_REG_SIZE]) > return false; > @@ -17363,7 +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, > /* explored stack has more populated slots than current stack > * and these slots were used > */ > - if (i >= cur->allocated_stack) > + if (cur_exceed_bound) > return false; > > /* 64-bit scalar spill vs all slots MISC and vice versa. > ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 18:41 ` Eduard Zingerman @ 2024-08-12 19:21 ` Yonghong Song 0 siblings, 0 replies; 16+ messages in thread From: Yonghong Song @ 2024-08-12 19:21 UTC (permalink / raw) To: Eduard Zingerman, Alexei Starovoitov Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Kernel Team, Martin KaFai Lau, Daniel Hodges On 8/12/24 11:41 AM, Eduard Zingerman wrote: > On Mon, 2024-08-12 at 11:36 -0700, Yonghong Song wrote: > > [...] > >> Sorry, I copy-paste from 'git diff' result to my email window. Not sure >> why it caused the format issue after I sent out. > Sure, no problem > >> Anyway, the following is the patch I suggested: >> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index df3be12096cf..1906798f1a3d 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -17338,10 +17338,13 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, >> */ >> for (i = 0; i < old->allocated_stack; i++) { >> struct bpf_reg_state *old_reg, *cur_reg; >> + bool cur_exceed_bound; >> >> spi = i / BPF_REG_SIZE; >> >> - if (exact != NOT_EXACT && >> + cur_exceed_bound = i >= cur->allocated_stack; > idk, I think C compiler would do this anyways, > to me the code is fine both with and without this additional variable. Okay, I will keep the original (simpler) patch then. > >> + >> + if (exact != NOT_EXACT && !cur_exceed_bound && >> old->stack[spi].slot_type[i % BPF_REG_SIZE] != >> cur->stack[spi].slot_type[i % BPF_REG_SIZE]) >> return false; >> @@ -17363,7 +17366,7 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, >> /* explored stack has more populated slots than current stack >> * and these slots were used >> */ >> - if (i >= cur->allocated_stack) >> + if (cur_exceed_bound) >> return false; >> >> /* 64-bit scalar spill vs all slots MISC and vice versa. >> > ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2024-08-12 20:02 UTC | newest] Thread overview: 16+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-08-12 5:21 [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Yonghong Song 2024-08-12 5:21 ` [PATCH bpf 2/2] selftests/bpf: Add a test to verify previous stacksafe() fix Yonghong Song 2024-08-12 15:07 ` Yonghong Song 2024-08-12 17:38 ` [PATCH bpf 1/2] bpf: Fix a kernel verifier crash in stacksafe() Eduard Zingerman 2024-08-12 17:44 ` Alexei Starovoitov 2024-08-12 17:47 ` Eduard Zingerman 2024-08-12 17:50 ` Alexei Starovoitov 2024-08-12 17:57 ` Eduard Zingerman 2024-08-12 19:29 ` Alexei Starovoitov 2024-08-12 19:43 ` Eduard Zingerman 2024-08-12 20:02 ` Yonghong Song 2024-08-12 18:26 ` Yonghong Song 2024-08-12 18:30 ` Eduard Zingerman 2024-08-12 18:36 ` Yonghong Song 2024-08-12 18:41 ` Eduard Zingerman 2024-08-12 19:21 ` Yonghong Song
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox