From: Edward Cree <ecree@solarflare.com>
To: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: <netdev@vger.kernel.org>, <oss-drivers@netronome.com>,
<alexei.starovoitov@gmail.com>, <daniel@iogearbox.net>
Subject: Re: [PATCH net] bpf: disallow arithmetic operations on context pointer
Date: Mon, 16 Oct 2017 17:47:45 +0100 [thread overview]
Message-ID: <e2c4322a-301f-47f9-d102-725138d1bf67@solarflare.com> (raw)
In-Reply-To: <20171016093043.36fcfedc@cakuba.netronome.com>
On 16/10/17 17:30, Jakub Kicinski wrote:
> On Mon, 16 Oct 2017 17:16:24 +0100, Edward Cree wrote:
>> On 16/10/17 16:45, Jakub Kicinski wrote:
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 8b8d6ba39e23..8499759d0c7a 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -1116,7 +1116,12 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>>> /* ctx accesses must be at a fixed offset, so that we can
>>> * determine what type of data were returned.
>>> */
>>> - if (!tnum_is_const(reg->var_off)) {
>>> + if (reg->off) {
>>> + verbose("derefence of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not\n",
>> This is slightly unclear, it's not that two adds is bad (e.g. r1 += 8;
>> r0 = *(u32 *)r1 is bad too), it's that the offset must be in the load,
>> not the register; your message might be accurate for some compilers but
>> not in full generality (especially for assemblers without compiling).
> I'm happy to hear better suggestions :) I've spent quite a bit of time
> scratching my head thinking how to phrase this best. The first
> part of the message is general enough IMHO, the second is targeted
> mostly at C developers.
Hmm, what really bugs me is that if e.g. the compiler turned
*(ctx + 4 + 4)
or
ctx[4 + 4]
or even
ctx->arraymemb[4]
into this kind of arithmetic on ctx, arguably that would be a bug in the
compiler — if it's doing proper constexpr folding on its IR (or something
along those lines) it should be able to turn them all into good LDX. The
same even goes for if (ctx + 4) got stored in a local, because there's no
reason that has to map to a register.
So it's not even that "your C source breaks the rules", it's that "your C
compiler did something silly that we don't handle".
Maybe the message should be "compiler maybe mishandled ctx+const+const"?
-Ed
next prev parent reply other threads:[~2017-10-16 16:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 15:45 [PATCH net] bpf: disallow arithmetic operations on context pointer Jakub Kicinski
2017-10-16 16:16 ` Edward Cree
2017-10-16 16:30 ` Jakub Kicinski
2017-10-16 16:47 ` Edward Cree [this message]
2017-10-16 17:06 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2c4322a-301f-47f9-d102-725138d1bf67@solarflare.com \
--to=ecree@solarflare.com \
--cc=alexei.starovoitov@gmail.com \
--cc=daniel@iogearbox.net \
--cc=jakub.kicinski@netronome.com \
--cc=netdev@vger.kernel.org \
--cc=oss-drivers@netronome.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox