Subject: Re: [PATCH] bpf: selftest for late caller stack size increase
From: Daniel Borkmann
To: Jann Horn, Alexei Starovoitov
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 28 Dec 2017 00:07:09 +0100
Message-ID: <43d7dc08-1c02-cb8c-40bd-14b715e31bba@iogearbox.net>
In-Reply-To: <20171222181235.158636-1-jannh@google.com>
List: linux-kernel@vger.kernel.org

On 12/22/2017 07:12 PM, Jann Horn wrote:
> This checks that it is not possible to bypass the total stack size check in
> update_stack_depth() by calling a function that uses a large amount of
> stack memory *before* using a large amount of stack memory in the caller.
>
> Currently, the first added testcase causes a rejection as expected, but
> the second testcase is (AFAICS incorrectly) accepted:
>
> [...]
> #483/p calls: stack overflow using two frames (post-call access) FAIL
> Unexpected success to load!
> 0: (85) call pc+2
> caller:
>  R10=fp0,call_-1
> callee:
>  frame1: R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> 3: (72) *(u8 *)(r10 -300) = 0
> 4: (b7) r0 = 0
> 5: (95) exit
> returning from callee:
>  frame1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> to caller at 1:
>  R0_w=inv0 R10=fp0,call_-1
>
> from 5 to 1: R0=inv0 R10=fp0,call_-1
> 1: (72) *(u8 *)(r10 -300) = 0
> 2: (95) exit
> processed 6 insns, stack depth 300+300
> [...]
> Summary: 704 PASSED, 1 FAILED
>
> AFAICS the JIT-generated code for the second testcase shows that this
> really causes the stack pointer to be decremented by 300+300:
>
> first function:
> 00000000  55                push rbp
> 00000001  4889E5            mov rbp,rsp
> 00000004  4881EC58010000    sub rsp,0x158
> 0000000B  4883ED28          sub rbp,byte +0x28
> [...]
> 00000025  E89AB3AFE5        call 0xffffffffe5afb3c4
> 0000002A  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
> [...]
> 00000041  4883C528          add rbp,byte +0x28
> 00000045  C9                leave
> 00000046  C3                ret
>
> second function:
> 00000000  55                push rbp
> 00000001  4889E5            mov rbp,rsp
> 00000004  4881EC58010000    sub rsp,0x158
> 0000000B  4883ED28          sub rbp,byte +0x28
> [...]
> 00000025  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
> [...]
> 0000003E  4883C528          add rbp,byte +0x28
> 00000042  C9                leave
> 00000043  C3                ret
>
> Signed-off-by: Jann Horn

Applied to bpf-next, thanks a lot Jann!
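The point of the quoted test cases is that the order of stack accesses within a function must not matter to the depth check: as the JIT disassembly shows, `sub rsp,0x158` reserves the caller's whole frame at function entry, before the `call`, so a caller that touches fp-300 only after its callee returns still has 300 bytes reserved while the callee's 300 are live. The following is an added example, not part of the original message and not kernel code: a toy C model of a program with calls and stack accesses, checked two ways. The `live_sum_check` function is a simplified stand-in for the flawed behaviour described above (it only sums the frames that are live at the moment of each access, so it accepts the post-call case); `call_chain_check` sums each function's maximum depth along every call chain instead. The op encoding, the two constructed programs and the function names are assumptions made for the example; only the 512-byte limit (`MAX_BPF_STACK`) is taken from the kernel.

```c
/*
 * Added example (not kernel code): two ways to bound total stack depth of a
 * program with function calls, on a toy op encoding constructed for this
 * example. STACK_LIMIT is MAX_BPF_STACK; everything else is an assumption.
 */
#include <stdbool.h>
#include <stdio.h>

#define STACK_LIMIT 512   /* MAX_BPF_STACK */
#define MAX_FUNCS   8
#define MAX_OPS     8

/* OP_EXIT is 0 so zero-filled tails of an ops[] array terminate a function. */
enum op_kind { OP_EXIT, OP_STACK_ACCESS, OP_CALL };

struct op {
    enum op_kind kind;
    int arg;   /* bytes below fp for OP_STACK_ACCESS, callee index for OP_CALL */
};

struct func { struct op ops[MAX_OPS]; };
struct prog { struct func funcs[MAX_FUNCS]; };

/* Flawed model: only frames live at the moment of an access are summed. */
static bool live_sum_rec(const struct prog *p, int fn, int *depth, int nlive)
{
    depth[nlive] = 0;
    for (const struct op *o = p->funcs[fn].ops; o->kind != OP_EXIT; o++) {
        if (o->kind == OP_STACK_ACCESS) {
            if (o->arg > depth[nlive])
                depth[nlive] = o->arg;
            int total = 0;
            for (int i = 0; i <= nlive; i++)
                total += depth[i];
            if (total > STACK_LIMIT)
                return false;
        } else if (o->kind == OP_CALL) {
            if (nlive + 1 >= MAX_FUNCS)
                return false;   /* call chain too deep for this model */
            if (!live_sum_rec(p, o->arg, depth, nlive + 1))
                return false;
            /* Callee returned: its depth is forgotten, although the caller's
             * frame was already fully reserved while the callee ran. */
        }
    }
    return true;
}

bool live_sum_check(const struct prog *p)
{
    int depth[MAX_FUNCS];
    return live_sum_rec(p, 0, depth, 0);
}

/* Largest offset a function ever touches, wherever in its body that happens. */
static int func_max_depth(const struct func *f)
{
    int m = 0;
    for (const struct op *o = f->ops; o->kind != OP_EXIT; o++)
        if (o->kind == OP_STACK_ACCESS && o->arg > m)
            m = o->arg;
    return m;
}

/* Order-independent model: sum each function's full frame along every chain. */
static bool chain_rec(const struct prog *p, int fn, int total, int hops)
{
    total += func_max_depth(&p->funcs[fn]);
    if (total > STACK_LIMIT || hops >= MAX_FUNCS)
        return false;
    for (const struct op *o = p->funcs[fn].ops; o->kind != OP_EXIT; o++)
        if (o->kind == OP_CALL && !chain_rec(p, o->arg, total, hops + 1))
            return false;
    return true;
}

bool call_chain_check(const struct prog *p)
{
    return chain_rec(p, 0, 0, 0);
}

/* Constructed programs mirroring the two test cases: func 0 is the caller,
 * func 1 the callee, each touching 300 bytes of its own frame. */
const struct prog pre_call = { .funcs = {
    { { {OP_STACK_ACCESS, 300}, {OP_CALL, 1}, {OP_EXIT, 0} } },
    { { {OP_STACK_ACCESS, 300}, {OP_EXIT, 0} } } } };

const struct prog post_call = { .funcs = {
    { { {OP_CALL, 1}, {OP_STACK_ACCESS, 300}, {OP_EXIT, 0} } },
    { { {OP_STACK_ACCESS, 300}, {OP_EXIT, 0} } } } };

int main(void)
{
    printf("pre-call : live-sum %s, call-chain %s\n",
           live_sum_check(&pre_call) ? "accept" : "reject",
           call_chain_check(&pre_call) ? "accept" : "reject");
    printf("post-call: live-sum %s, call-chain %s\n",
           live_sum_check(&post_call) ? "accept" : "reject",
           call_chain_check(&post_call) ? "accept" : "reject");
    return 0;
}
```

Both checkers reject the pre-call program (300 + 300 live at once), but only the call-chain walk rejects the post-call one; the live-sum model sees 300 at each access and accepts 600 bytes of real frame, which is the bypass the selftest pins down.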