From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>, andrii <andrii@kernel.org>,
Nick Zavaritsky <mejedi@gmail.com>,
bpf@vger.kernel.org, memxor@gmail.com
Subject: Re: Packet pointer invalidation and subprograms
Date: Thu, 05 Dec 2024 16:29:08 -0800 [thread overview]
Message-ID: <4bbdf595be6afbe52f44c362be6d7e4f22b8b00f.camel@gmail.com> (raw)
In-Reply-To: <CAEf4BzZBPp40E-_itj1jFT2_+VSL9QcqjK4OQvt6sy5=iJx8Yw@mail.gmail.com>
On Thu, 2024-12-05 at 16:03 -0800, Andrii Nakryiko wrote:
[...]
> > There are several ways to fix this:
> > - The "dumb" way:
> > - forbid calling helpers that bpf_helper_changes_pkt_data()
> > from global functions.
> > - The "simple" way:
> > - at some early stage:
> > - scan all global functions, to see if there are any calls to
> > helpers that bpf_helper_changes_pkt_data(). If there are,
> > remember this as an "effect" of the function;
> > - build a call-graph of global functions and propagate computed
> > effects over this call-graph (if A calls B and B does
> > clear_all_pkt_pointers(), then A also does it).
> > - during main verification phase, if a call to a global function is
> > verified, check it's effects and update state accordingly
> > (e.g. call clear_all_pkt_pointers()).
> > - The "correct" way:
> > - build a call-graph of global functions;
> > - verify these functions in a post-order;
> > - while verifying, collect "effects" information
> > (so far, the single effect is whether or not
> > clear_all_pkt_pointers() had been ever called for the function);
>
> So this is the only "side effect" we have right now? Are there any
> others we have already or can reasonably anticipate? I'm just trying
> to decide if we need to generalize this concept.
Don't have anything to add to Kumar's answer.
> > - if a call to global function is verified, check it's effects and
> > update state accordingly (e.g. call clear_all_pkt_pointers()).
> >
> > "dumb" is probably a no-go as it is too restrictive.
> > The only advantage of "simple" over "correct" that I see is
> > that the logic for clear_all_pkt_pointers() remains confined
> > to check_helper_call() and is not duplicated in a separate pass.
>
> "simple" doesn't take into account dead code elimination, undermining
> BPF CO-RE-based feature detection, so I think this is also a no-go
That's a bummer :)
I takled with Alexei yesterday and he preferred "simple",
so I went ahead and the fix does look simple:
https://github.com/eddyz87/bpf/tree/skb-pull-data-global-func-bug
> > > In theory, this also allows to compute more complex function effects
> > on the main verification pass.
> >
> > I think "simple" is a way to go at the moment.
>
> I think neither of the above are fully valid, tbh. "correct" will do
> eager subprog validation, even if due to dead code elimination that
> global function might not have been called.
>
> From the outset, I think the "right" way to solve this would be to
> start verification from the main program. When we encounter global
> subprog verification, we pause verification for the main program,
> create a new isolated verifier state, proceed with global subprog
> verification, and so on until we check everything. So basically a
> stack of subprogs to validate.
This might be not that hard to do, actually.
If global function had not been verified yet, and a call to such
function is encountered:
- setup arguments as for global function verification;
- keep stack and BPF_EXIT processing as for non-global functions;
> This is PITA, of course, just for this (which is also the question
> about the generalization of the "side effects" concept). So I don't
> know, maybe for now the "dumb" way is the way?
Idk, "dumb" seems too restrictive.
next prev parent reply other threads:[~2024-12-06 0:29 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-03 16:26 Packet pointer invalidation and subprograms Nick Zavaritsky
2024-12-03 20:19 ` Eduard Zingerman
2024-12-03 21:41 ` Eduard Zingerman
2024-12-06 0:03 ` Andrii Nakryiko
2024-12-06 0:12 ` Kumar Kartikeya Dwivedi
2024-12-06 0:29 ` Eduard Zingerman [this message]
2024-12-06 1:44 ` Alexei Starovoitov
2024-12-06 4:07 ` Eduard Zingerman
2024-12-06 6:22 ` Andrii Nakryiko
2024-12-06 10:44 ` Eduard Zingerman
2024-12-06 16:08 ` Andrii Nakryiko
2024-12-06 17:29 ` Eduard Zingerman
2024-12-06 17:46 ` Andrii Nakryiko
2024-12-06 17:58 ` Eduard Zingerman
2024-12-06 18:10 ` Andrii Nakryiko
2024-12-06 18:29 ` Eduard Zingerman
2024-12-06 16:07 ` Alexei Starovoitov
2024-12-06 16:12 ` Andrii Nakryiko
2024-12-06 16:20 ` Alexei Starovoitov
2024-12-06 17:42 ` Andrii Nakryiko
2024-12-06 18:23 ` Kumar Kartikeya Dwivedi
2024-12-06 18:30 ` Alexei Starovoitov
2024-12-06 19:31 ` Kumar Kartikeya Dwivedi
2024-12-06 18:26 ` Alexei Starovoitov
2024-12-06 18:30 ` Kumar Kartikeya Dwivedi
2024-12-06 18:32 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4bbdf595be6afbe52f44c362be6d7e4f22b8b00f.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=mejedi@gmail.com \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox