From: Daniel Borkmann <daniel@iogearbox.net>
To: Edward Cree <ecree@solarflare.com>,
davem@davemloft.net,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Alexei Starovoitov <ast@fb.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
iovisor-dev <iovisor-dev@lists.iovisor.org>
Subject: Re: [PATCH v3 net-next 02/12] bpf/verifier: rework value tracking
Date: Wed, 28 Jun 2017 17:15:10 +0200 [thread overview]
Message-ID: <5953C7FE.1050205@iogearbox.net> (raw)
In-Reply-To: <2244b48b-f415-3239-6912-cb09f0abc546@solarflare.com>
On 06/27/2017 02:56 PM, Edward Cree wrote:
> Tracks value alignment by means of tracking known & unknown bits.
> Tightens some min/max value checks and fixes a couple of bugs therein.
You mean the one in relation to patch 1/12? Would be good to elaborate
here since otherwise this gets forgotten few weeks later.
Could you also document all the changes that verifier will then start
allowing for after the patch?
> If pointer leaks are allowed, and adjust_ptr_min_max_vals returns -EACCES,
> treat the pointer as an unknown scalar and try again, because we might be
> able to conclude something about the result (e.g. pointer & 0x40 is either
> 0 or 0x40).
>
> Signed-off-by: Edward Cree <ecree@solarflare.com>
[...]
> /* check whether memory at (regno + off) is accessible for t = (read | write)
> @@ -899,52 +965,79 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
> struct bpf_reg_state *reg = &state->regs[regno];
> int size, err = 0;
>
> - if (reg->type == PTR_TO_STACK)
> - off += reg->imm;
> -
> size = bpf_size_to_bytes(bpf_size);
> if (size < 0)
> return size;
>
[...]
> - if (reg->type == PTR_TO_MAP_VALUE ||
> - reg->type == PTR_TO_MAP_VALUE_ADJ) {
> + /* for access checks, reg->off is just part of off */
> + off += reg->off;
Could you elaborate on why removing the reg->type == PTR_TO_STACK?
Also in context of below PTR_TO_CTX.
[...]
> } else if (reg->type == PTR_TO_CTX) {
> - enum bpf_reg_type reg_type = UNKNOWN_VALUE;
> + enum bpf_reg_type reg_type = SCALAR_VALUE;
>
> if (t == BPF_WRITE && value_regno >= 0 &&
> is_pointer_value(env, value_regno)) {
> verbose("R%d leaks addr into ctx\n", value_regno);
> return -EACCES;
> }
> + /* ctx accesses must be at a fixed offset, so that we can
> + * determine what type of data were returned.
> + */
> + if (!tnum_is_const(reg->var_off)) {
> + char tn_buf[48];
> +
> + tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
> + verbose("variable ctx access var_off=%s off=%d size=%d",
> + tn_buf, off, size);
> + return -EACCES;
> + }
> + off += reg->var_off.value;
... f.e. in PTR_TO_CTX case the only access that is currently
allowed is LDX/STX with fixed offset from insn->off, which is
passed as off param to check_mem_access(). Can you elaborate on
off += reg->var_off.value? Meaning we make this more dynamic
as long as access is known const?
> err = check_ctx_access(env, insn_idx, off, size, t, ®_type);
> if (!err && t == BPF_READ && value_regno >= 0) {
> - mark_reg_unknown_value_and_range(state->regs,
> - value_regno);
> - /* note that reg.[id|off|range] == 0 */
> + /* ctx access returns either a scalar, or a
> + * PTR_TO_PACKET[_END]. In the latter case, we know
> + * the offset is zero.
> + */
> + if (reg_type == SCALAR_VALUE)
> + mark_reg_unknown(state->regs, value_regno);
> + else
> + mark_reg_known_zero(state->regs, value_regno);
> + state->regs[value_regno].id = 0;
> + state->regs[value_regno].off = 0;
> + state->regs[value_regno].range = 0;
> state->regs[value_regno].type = reg_type;
> - state->regs[value_regno].aux_off = 0;
> - state->regs[value_regno].aux_off_align = 0;
> }
>
> - } else if (reg->type == FRAME_PTR || reg->type == PTR_TO_STACK) {
> + } else if (reg->type == PTR_TO_STACK) {
[...]
next prev parent reply other threads:[~2017-06-28 15:15 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-27 12:53 [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Edward Cree
2017-06-27 12:56 ` [PATCH v3 net-next 01/12] selftests/bpf: add test for mixed signed and unsigned bounds checks Edward Cree
2017-06-28 13:51 ` Daniel Borkmann
2017-06-27 12:56 ` [PATCH v3 net-next 02/12] bpf/verifier: rework value tracking Edward Cree
2017-06-28 15:15 ` Daniel Borkmann [this message]
2017-06-28 16:07 ` Edward Cree
2017-06-28 19:44 ` Daniel Borkmann
2017-06-28 17:09 ` Daniel Borkmann
2017-06-28 18:28 ` Edward Cree
2017-06-29 7:48 ` kbuild test robot
2017-07-06 21:21 ` [iovisor-dev] " Nadav Amit
2017-07-07 13:48 ` Edward Cree
2017-07-07 17:45 ` Nadav Amit
2017-07-08 0:54 ` Nadav Amit
2017-07-12 19:13 ` Edward Cree
2017-07-12 22:07 ` Nadav Amit
2017-07-17 17:02 ` Edward Cree
2017-06-27 12:57 ` [PATCH v3 net-next 03/12] nfp: change bpf verifier hooks to match new verifier data structures Edward Cree
2017-06-28 20:47 ` Daniel Borkmann
2017-06-29 3:47 ` Jakub Kicinski
2017-06-27 12:57 ` [PATCH v3 net-next 04/12] bpf/verifier: track signed and unsigned min/max values Edward Cree
2017-06-27 12:58 ` [PATCH v3 net-next 05/12] bpf/verifier: more concise register state logs for constant var_off Edward Cree
2017-06-27 12:58 ` [PATCH v3 net-next 06/12] selftests/bpf: change test_verifier expectations Edward Cree
2017-06-27 12:59 ` [PATCH v3 net-next 07/12] selftests/bpf: rewrite test_align Edward Cree
2017-06-27 12:59 ` [PATCH v3 net-next 08/12] selftests/bpf: add a test to test_align Edward Cree
2017-06-27 12:59 ` [PATCH v3 net-next 09/12] selftests/bpf: add test for bogus operations on pointers Edward Cree
2017-06-27 12:59 ` [PATCH v3 net-next 10/12] selftests/bpf: don't try to access past MAX_PACKET_OFF in test_verifier Edward Cree
2017-06-27 13:00 ` [PATCH v3 net-next 11/12] selftests/bpf: add tests for subtraction & negative numbers Edward Cree
2017-06-27 13:00 ` [PATCH v3 net-next 12/12] selftests/bpf: variable offset negative tests Edward Cree
2017-06-28 13:50 ` [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Daniel Borkmann
2017-06-28 14:11 ` Edward Cree
2017-06-28 20:38 ` Daniel Borkmann
2017-06-28 21:37 ` Alexei Starovoitov
2017-06-30 16:44 ` Edward Cree
2017-06-30 17:34 ` [TEST PATCH] bpf/verifier: roll back ptr&const handling, and fix signed bounds Edward Cree
2017-06-30 18:15 ` [PATCH v3 net-next 00/12] bpf: rewrite value tracking in verifier Alexei Starovoitov
2017-07-04 19:22 ` Edward Cree
2017-07-04 22:28 ` Daniel Borkmann
2017-07-06 18:27 ` Edward Cree
2017-07-07 9:14 ` Daniel Borkmann
2017-07-07 12:50 ` Edward Cree
2017-07-07 13:05 ` Daniel Borkmann
2017-07-06 14:07 ` Edward Cree
2017-07-14 20:03 ` [iovisor-dev] " Y Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5953C7FE.1050205@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@fb.com \
--cc=davem@davemloft.net \
--cc=ecree@solarflare.com \
--cc=iovisor-dev@lists.iovisor.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox