From: Edward Cree
Subject: [RFC PATCH net-next 0/5] bpf: rewrite value tracking in verifier
To: , Alexei Starovoitov , Alexei Starovoitov , Daniel Borkmann
CC: , iovisor-dev , LKML
Message-ID: <92db9689-af6a-e172-ba57-195e588f9cc0@solarflare.com>
Date: Wed, 7 Jun 2017 15:55:57 +0100
List-ID: linux-kernel@vger.kernel.org

This series simplifies alignment tracking, generalises bounds tracking and
fixes some bounds-tracking bugs in the BPF verifier.

Pointer arithmetic on packet pointers, stack pointers, map value pointers and
context pointers has been unified, and bounds on these pointers are only
checked when the pointer is dereferenced. Operations on pointers which
destroy all relation to the original pointer (such as multiplies and shifts)
are disallowed if !env->allow_ptr_leaks, otherwise they convert the pointer
to an unknown scalar and feed it to the normal scalar arithmetic handling.

Pointer types have been unified with the corresponding adjusted-pointer types
where those existed (e.g. PTR_TO_MAP_VALUE[_ADJ] or FRAME_PTR vs
PTR_TO_STACK); similarly, CONST_IMM and UNKNOWN_VALUE have been unified into
SCALAR_VALUE.

Pointer types (except CONST_PTR_TO_MAP, PTR_TO_MAP_VALUE_OR_NULL and
PTR_TO_PACKET_END, which do not allow arithmetic) have a 'fixed offset' and a
'variable offset'; the former is used when e.g. adding an immediate or a
known-constant register, as long as it does not overflow. Otherwise the
latter is used, and any operation creating a new variable offset creates a
new 'id' (and, for PTR_TO_PACKET, clears the 'range').

SCALAR_VALUEs use the 'variable offset' fields to track the range of possible
values; the 'fixed offset' should never be set on a scalar.

Patch 2/5 is rather on the big side, but since it changes the contents and
semantics of a fairly central data structure, I'm not really sure how to go
about splitting it up further without producing broken intermediate states.

With the changes in patch 5/5, all tools/testing/selftests/bpf/test_verifier
tests pass.

Edward Cree (5):
  selftests/bpf: add test for mixed signed and unsigned bounds checks
  bpf/verifier: rework value tracking
  bpf/verifier: feed pointer-to-unknown-scalar casts into scalar ALU path
  bpf/verifier: track signed and unsigned min/max values
  selftests/bpf: change test_verifier expectations

 include/linux/bpf.h                         |   34 +-
 include/linux/bpf_verifier.h                |   56 +-
 include/linux/tnum.h                        |   58 +
 kernel/bpf/Makefile                         |    2 +-
 kernel/bpf/tnum.c                           |  163 +++
 kernel/bpf/verifier.c                       | 1852 ++++++++++++++++-----------
 tools/testing/selftests/bpf/test_verifier.c |  248 ++-
 7 files changed, 1482 insertions(+), 931 deletions(-)
 create mode 100644 include/linux/tnum.h
 create mode 100644 kernel/bpf/tnum.c
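The fixed-offset/variable-offset scheme the cover letter describes can be seen end to end in a small model. The C below is an added illustration written for this page; it is not code from the series or from kernel/bpf/verifier.c. It assumes simplified names (a three-member `reg_type` enum, a `struct reg_state` with `fixed_off`, `var_min`/`var_max`, `id` and `range`), models the variable offset as a plain [min,max] range rather than the series' tnum, and uses the kernel's 512-byte `MAX_BPF_STACK` for the stack window. A constant addend folds into the fixed offset unless it would overflow; otherwise the register gets a fresh variable offset and a new `id`, a packet pointer loses its proven `range`, and bounds are consulted only when the pointer is dereferenced.

```c
/* Added illustration, not code from this series or kernel/bpf/verifier.c:
 * a toy model of the register-state tracking the cover letter describes.
 * Pointers carry a 'fixed offset' plus a 'variable offset' (modelled as a
 * [min,max] range with an 'id'); scalars use only the variable fields, and
 * bounds are consulted only on dereference. Names are simplifying assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>
#define MAX_BPF_STACK 512   /* eBPF stack size, as in the kernel */
enum reg_type { SCALAR_VALUE, PTR_TO_STACK, PTR_TO_PACKET };

struct reg_state {
    enum reg_type type;
    int64_t fixed_off;        /* known-constant part of a pointer's offset */
    int64_t var_min, var_max; /* variable part (or a scalar's value range) */
    uint32_t id;              /* identifies one particular variable offset */
    int range;                /* PTR_TO_PACKET: bytes proven readable */
};
static uint32_t next_id = 1;

static bool add_overflows(int64_t a, int64_t b)
{
    return (b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b);
}

/* dst = reg + scalar. A constant folds into a pointer's fixed offset unless
 * that would overflow; anything else becomes a fresh variable offset with a
 * new id (and a packet pointer forgets its proven range). A scalar base just
 * gets range arithmetic. Returns false if the result is unrepresentable. */
static bool reg_add(struct reg_state *dst, const struct reg_state *reg,
                    const struct reg_state *scalar)
{
    if (scalar->type != SCALAR_VALUE)
        return false;
    *dst = *reg;
    if (reg->type != SCALAR_VALUE && scalar->var_min == scalar->var_max &&
        !add_overflows(reg->fixed_off, scalar->var_min)) {
        dst->fixed_off += scalar->var_min;
        return true;
    }
    if (add_overflows(reg->var_min, scalar->var_min) ||
        add_overflows(reg->var_max, scalar->var_max))
        return false;
    dst->var_min = reg->var_min + scalar->var_min;
    dst->var_max = reg->var_max + scalar->var_max;
    if (reg->type != SCALAR_VALUE) {
        dst->id = next_id++;
        if (dst->type == PTR_TO_PACKET)
            dst->range = 0;
    }
    return true;
}

/* The only place bounds are checked: a 'size'-byte access through 'ptr'.
 * The whole [lo, hi) window spanned by the variable offset must fit. */
static bool check_access(const struct reg_state *ptr, int size)
{
    if (add_overflows(ptr->fixed_off, ptr->var_min) ||
        add_overflows(ptr->fixed_off, ptr->var_max) ||
        add_overflows(ptr->fixed_off + ptr->var_max, size))
        return false;   /* offset arithmetic itself would wrap: reject */
    int64_t lo = ptr->fixed_off + ptr->var_min;
    int64_t hi = ptr->fixed_off + ptr->var_max + size;
    switch (ptr->type) {
    case PTR_TO_STACK:  /* the stack is [-MAX_BPF_STACK, 0) below the frame */
        return lo >= -MAX_BPF_STACK && hi <= 0;
    case PTR_TO_PACKET: /* only bytes a prior bounds check proved readable */
        return lo >= 0 && hi <= ptr->range;
    default:            /* a scalar cannot be dereferenced */
        return false;
    }
}

/* Scenario: dst = ptr(fixed_off=fixed, range) + [smin,smax]; load 'size'
 * bytes through dst. 1 = accepted, 0 = access rejected, -1 = add rejected. */
static int access_after_add(enum reg_type t, int range, int64_t fixed,
                            int64_t smin, int64_t smax, int size)
{
    struct reg_state ptr = { t, fixed, 0, 0, 0, range };
    struct reg_state s = { SCALAR_VALUE, 0, smin, smax, 0, 0 };
    struct reg_state dst;
    if (!reg_add(&dst, &ptr, &s))
        return -1;
    return check_access(&dst, size) ? 1 : 0;
}

/* Does adding [smin,smax] to a packet pointer (fixed offset 1) keep its id? */
static bool add_keeps_id(int64_t smin, int64_t smax)
{
    struct reg_state ptr = { PTR_TO_PACKET, 1, 0, 0, 0, 14 };
    struct reg_state s = { SCALAR_VALUE, 0, smin, smax, 0, 0 };
    struct reg_state dst;
    return reg_add(&dst, &ptr, &s) && dst.id == ptr.id;
}
int main(void)
{
    printf("fp-16+[0,8], 16-byte load: %d\n", access_after_add(PTR_TO_STACK, 0, -16, 0, 8, 16));
    printf("pkt+[0,2], 1-byte load: %d (range cleared)\n", access_after_add(PTR_TO_PACKET, 14, 0, 0, 2, 1));
    return 0;
}
```

The two printed scenarios are the ones the letter's design makes interesting: a stack pointer with a variable offset is accepted only when every offset in its range keeps the whole access inside the frame, and a packet pointer that picks up a variable offset cannot be dereferenced at all until a new bounds check re-establishes its range.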