Message-ID: <55836604.1050807@huawei.com>
Date: Fri, 19 Jun 2015 08:44:52 +0800
From: "Wangnan (F)"
To: Alexei Starovoitov
Subject: Re: [PATCH v2] bpf: fix a bug in verification logic when SUB operation taken on FRAME_PTR
References: <1434615176-96706-1-git-send-email-wangnan0@huawei.com> <1434616305-97746-1-git-send-email-wangnan0@huawei.com> <20150618160018.GA13470@Alexeis-MBP.westell.com>
In-Reply-To: <20150618160018.GA13470@Alexeis-MBP.westell.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2015/6/19 0:00, Alexei Starovoitov wrote:
> On Thu, Jun 18, 2015 at 08:31:45AM +0000, Wang Nan wrote:
>> The original code has a problem, because the following code fails to pass the verifier:
>>
>>     r1 <- r10
>>     r1 -= 8
>>     r2 = 8
>>     r3 = unsafe pointer
>>     call BPF_FUNC_probe_read    <-- R1 type=inv expected=fp
>>
>> However, by replacing 'r1 -= 8' with 'r1 += -8' the above program can be
>> loaded successfully.
>>
>> This is because the verifier allows only a BPF_ADD instruction on a
>> FRAME_PTR register to forge a PTR_TO_STACK register, but makes BPF_SUB
>> on a FRAME_PTR register yield an UNKNOWN_VALUE register.
>>
>> This patch fixes it by adding BPF_SUB to the stack_relative check.
>
> It's not a bug. It's catching ADD only by design.
> If we let it recognize SUB then one might argue we should let it
> recognize multiply, shifts and all other arithmetic on pointers.
> The verifier will be getting bigger and bigger. Where do we stop?
> llvm only emits canonical ADD. If you've seen llvm doing SUB,
> let's fix it there.
> So what piece generated this 'r1 -= 8' ?

I hit this problem when writing the code of an automatic parameter generator.
The instruction was generated by myself. Now I have corrected my code.

Thank you.
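The following C program is an added illustration, not kernel code and not part of this thread: it is a toy model of the verifier rule the mail is about. Only an ALU ADD of an immediate to the FRAME_PTR register is treated as "stack_relative" and produces a PTR_TO_STACK with a recorded offset; every other arithmetic result, SUB included, is marked UNKNOWN_VALUE ("inv"), so the later probe_read call fails its argument check. The register-type names follow the mail; the instruction encoding, function names (alu_imm, verify_probe_read_call, and so on) and the two instruction arrays are constructed for this model. The real check_alu_op() has further conditions (ALU64 class, BPF_K source, stack-bounds checks on the resulting pointer) that are deliberately left out here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Register types, a subset of the verifier's (names as used in the mail). */
enum reg_type { NOT_INIT, UNKNOWN_VALUE, FRAME_PTR, PTR_TO_STACK, UNSAFE_PTR };

struct reg_state { enum reg_type type; int imm; };

/* Instruction forms this toy model understands (hypothetical encoding). */
enum op { OP_MOV_REG, OP_MOV_IMM, OP_MOV_UNSAFE_PTR, OP_ADD_IMM, OP_SUB_IMM };

struct insn { enum op op; int dst; int src; int imm; };

#define NREGS  11 /* r0..r10 */
#define FP_REG 10 /* r10 is the read-only frame pointer */

static const char *type_name(enum reg_type t)
{
    static const char *names[] = { "?", "inv", "fp", "ptr_to_stack", "unsafe_ptr" };
    return names[t];
}

/* Model of the ALU-immediate path in check_alu_op(): only "ADD dst, imm" on a
 * FRAME_PTR is stack_relative and forges PTR_TO_STACK; any other arithmetic
 * result, SUB included, becomes UNKNOWN_VALUE ("inv" in verifier output). */
static void alu_imm(struct reg_state *regs, const struct insn *i)
{
    bool stack_relative = (i->op == OP_ADD_IMM &&
                           regs[i->dst].type == FRAME_PTR);

    regs[i->dst].type = UNKNOWN_VALUE; /* mark_reg_unknown_value() */
    regs[i->dst].imm = 0;
    if (stack_relative) {
        regs[i->dst].type = PTR_TO_STACK;
        regs[i->dst].imm = i->imm;     /* byte offset relative to r10 */
    }
}

static void exec_insn(struct reg_state *regs, const struct insn *i)
{
    switch (i->op) {
    case OP_MOV_REG:        regs[i->dst] = regs[i->src]; break;
    case OP_MOV_IMM:        regs[i->dst].type = UNKNOWN_VALUE; regs[i->dst].imm = i->imm; break;
    case OP_MOV_UNSAFE_PTR: regs[i->dst].type = UNSAFE_PTR; regs[i->dst].imm = 0; break;
    case OP_ADD_IMM:
    case OP_SUB_IMM:        alu_imm(regs, i); break;
    }
}

/* Run a program up to the helper call and apply the check that the first
 * argument of bpf_probe_read gets: R1 must be PTR_TO_STACK. Returns true if
 * the program would be accepted; r1_out receives R1's final state. */
bool verify_probe_read_call(const struct insn *prog, size_t n, struct reg_state *r1_out)
{
    struct reg_state regs[NREGS] = { { NOT_INIT, 0 } };
    size_t k;

    regs[FP_REG].type = FRAME_PTR;
    for (k = 0; k < n; k++)
        exec_insn(regs, &prog[k]);
    if (r1_out)
        *r1_out = regs[1];
    return regs[1].type == PTR_TO_STACK;
}

/* The two programs from the mail, as constructed instruction arrays. */
static const struct insn prog_sub[] = {
    { OP_MOV_REG, 1, FP_REG, 0 },   /* r1 <- r10 */
    { OP_SUB_IMM, 1, 0, 8 },        /* r1 -= 8 */
    { OP_MOV_IMM, 2, 0, 8 },        /* r2 = 8 */
    { OP_MOV_UNSAFE_PTR, 3, 0, 0 }  /* r3 = unsafe pointer */
};
static const struct insn prog_add[] = {
    { OP_MOV_REG, 1, FP_REG, 0 },   /* r1 <- r10 */
    { OP_ADD_IMM, 1, 0, -8 },       /* r1 += -8 (canonical form llvm emits) */
    { OP_MOV_IMM, 2, 0, 8 },
    { OP_MOV_UNSAFE_PTR, 3, 0, 0 }
};

bool sub_form_accepted(void)
{
    return verify_probe_read_call(prog_sub, sizeof prog_sub / sizeof prog_sub[0], NULL);
}

bool add_form_accepted(void)
{
    return verify_probe_read_call(prog_add, sizeof prog_add / sizeof prog_add[0], NULL);
}

/* Offset the model records for r1 in the accepted form. */
int add_form_r1_offset(void)
{
    struct reg_state r1;
    verify_probe_read_call(prog_add, sizeof prog_add / sizeof prog_add[0], &r1);
    return r1.imm;
}

int main(void)
{
    struct reg_state r1;
    bool ok = verify_probe_read_call(prog_sub, 4, &r1);
    printf("r1 -= 8 : R1 type=%s -> %s\n", type_name(r1.type), ok ? "accepted" : "rejected");
    ok = verify_probe_read_call(prog_add, 4, &r1);
    printf("r1 += -8: R1 type=%s imm=%d -> %s\n", type_name(r1.type), r1.imm,
           ok ? "accepted" : "rejected");
    return 0;
}
```

The model makes the design trade-off visible: the verifier tracks pointer provenance only through the one canonical form, so every stack pointer it accepts carries a known offset that later bounds checks can reason about, and any other arithmetic collapses the register to an untrusted value rather than growing the set of pointer-producing operations it must prove safe.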