From: Barret Rhoden <brho@google.com>
To: Yonghong Song <yonghong.song@linux.dev>, Eddy Z <eddyz87@gmail.com>
Cc: Jiri Olsa <olsajiri@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Song Liu <song@kernel.org>,
	mattbobrowski@google.com, bpf@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 bpf-next 2/2] selftests/bpf: add inline assembly helpers to access array elements
Date: Tue, 9 Jan 2024 20:02:16 -0500
Message-ID: <781a86b1-c02b-4bb8-bc79-bfbd4f2ff146@google.com>
In-Reply-To: <e5e52e0a-7494-47bb-8a6a-9819b0c93bd8@google.com>

On 1/4/24 16:30, Barret Rhoden wrote:
[snip]
>>
>> The LLVM bpf backend has made some improvement to handle the case like
>>    r1 = ...
>>    r2 = r1 + 1
>>    if (r2 < num) ...
>>    using r1
>> by preventing generating the above code pattern.
>>
>> The implementation is a pattern matching style so surely it won't be
>> able to cover all cases.
>>
>> Do you have specific examples which has verification failure due to
>> false array out of bound access?
> 
[ snip ]

> 
> I'll play around and see if I can come up with a selftest that can run
> into any of these "you did the check, but threw the check away" scenarios.

I got an example for this, and will include it in my next patch version, 
which I'll CC you on.

If we can get the compiler to spill the register r1 to the stack (L11 in 
the asm below), it might spill it before doing the bounds check.  Then 
it checks the register (L12), but the verifier doesn't know that applies 
to the stack variable too.  Later, we refill r1 from the stack (L21).

The reason for the spill was that I made another bpf_map_lookup_elem() 
call (L19), which needed r1 as an argument.

11: (63) *(u32 *)(r10 -8) = r1        ; R1=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R10=fp0 fp-8=????scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
12: (35) if r1 >= 0x64 goto pc+13     ; R1=scalar(smin=smin32=0,smax=umax=smax32=umax32=99,var_off=(0x0; 0x7f))
13: (b4) w1 = 0                       ; R1_w=0
14: (63) *(u32 *)(r10 -4) = r1        ; R1_w=0 R10=fp0 fp-8=0000mmmm
15: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
16: (07) r2 += -4                     ; R2_w=fp-4
17: (18) r1 = 0xffffc9000011edf0      ; R1_w=map_ptr(map=arraymap,ks=4,vs=400)
19: (85) call bpf_map_lookup_elem#1   ; R0_w=map_value_or_null(id=2,map=arraymap,ks=4,vs=400)
20: (15) if r0 == 0x0 goto pc+5       ; R0_w=map_value(map=arraymap,ks=4,vs=400)
21: (61) r1 = *(u32 *)(r10 -8)        ; R1_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R10=fp0 fp-8=mmmmmmmm


Thanks,
Barret
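As an added illustration (not part of this thread, and not the kernel verifier's code), the following Python model reproduces the range-tracking behaviour the trace above shows: a spill copies r1's unbounded range to fp-8 (instruction 11), the conditional jump narrows only the register (instruction 12), and the fill brings the stale range back (instruction 21), so a later array access is rejected. The mini instruction set, the three program variants and the array length of 100 (the 0x64 from the check) are assumptions of the example; it walks only the fall-through path, where the taken branch exits the program.

```python
"""Toy model of BPF verifier range tracking across a register spill and fill.

Constructed illustration, not kernel code. Registers and stack slots each
carry an unsigned [umin, umax] range. A conditional jump narrows only the
register it tests; a copy spilled to the stack before the jump keeps its
old range, so filling it back after the check reintroduces the unbounded
value.
"""
from dataclasses import dataclass

U32_MAX = 0xFFFFFFFF


@dataclass(frozen=True)
class Scalar:
    umin: int
    umax: int


class VerifierError(Exception):
    """Raised when an array index may exceed the array bound."""


class State:
    def __init__(self):
        self.regs = {}    # register name -> Scalar
        self.stack = {}   # frame-pointer offset -> spilled Scalar


def verify(program, nelems):
    """Walk the fall-through path of `program` and return the final state.

    Instruction forms (hypothetical mini-ISA mirroring the trace in the mail):
      ("unknown", reg)       reg = scalar(0..U32_MAX), e.g. a value read from a map
      ("spill", reg, off)    *(u32 *)(r10 off) = reg
      ("fill", reg, off)     reg = *(u32 *)(r10 off)
      ("jge_exit", reg, n)   if reg >= n goto exit; fall-through narrows reg to < n
      ("index", reg)         reg used as index into an array of nelems entries
    """
    st = State()
    for insn in program:
        op = insn[0]
        if op == "unknown":
            st.regs[insn[1]] = Scalar(0, U32_MAX)
        elif op == "spill":
            _, reg, off = insn
            st.stack[off] = st.regs[reg]          # copy of the range as it is now
        elif op == "fill":
            _, reg, off = insn
            st.regs[reg] = st.stack[off]          # the slot's range, however stale
        elif op == "jge_exit":
            _, reg, bound = insn
            cur = st.regs[reg]
            # Only the tested register is narrowed; nothing links it to fp slots.
            st.regs[reg] = Scalar(cur.umin, min(cur.umax, bound - 1))
        elif op == "index":
            _, reg = insn
            cur = st.regs[reg]
            if cur.umax >= nelems:
                raise VerifierError(
                    f"{reg} range [{cur.umin}, {cur.umax}] may exceed {nelems} elements")
        else:
            raise ValueError(f"unknown op {op!r}")
    return st


def rejection_reason(program, nelems=100):
    """Return None if the program passes, else the verifier's complaint."""
    try:
        verify(program, nelems)
    except VerifierError as e:
        return str(e)
    return None


# Pattern from the trace: spill (insn 11), check r1 (insn 12), fill from fp-8 (insn 21), index.
SPILL_BEFORE_CHECK = [
    ("unknown", "r1"),
    ("spill", "r1", -8),
    ("jge_exit", "r1", 100),
    ("fill", "r1", -8),
    ("index", "r1"),
]

# Same work, but the already-bounded value is what gets spilled.
CHECK_BEFORE_SPILL = [
    ("unknown", "r1"),
    ("jge_exit", "r1", 100),
    ("spill", "r1", -8),
    ("fill", "r1", -8),
    ("index", "r1"),
]

# Same spill order, but the bound is re-established on the refilled register.
RECHECK_AFTER_FILL = SPILL_BEFORE_CHECK[:4] + [("jge_exit", "r1", 100), ("index", "r1")]

if __name__ == "__main__":
    for name, prog in [("spill-before-check", SPILL_BEFORE_CHECK),
                       ("check-before-spill", CHECK_BEFORE_SPILL),
                       ("recheck-after-fill", RECHECK_AFTER_FILL)]:
        print(f"{name}: {rejection_reason(prog) or 'accepted'}")
```

Only the first variant is rejected: after the fill, r1 carries fp-8's original [0, 0xffffffff] range, exactly what the R1_w line at instruction 21 shows. The other two variants pass because the bounded range is either what was spilled or is recomputed on the register that is actually used for the access.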
