Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp161643ybl; Wed, 21 Aug 2019 16:48:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqykocu5Fqc4qrqJKUQZyfMw5/FVuSsEtBKkKq9ihaAZRMXJQMceUE3pzrE4Y7uBNMHoXC+N X-Received: by 2002:aa7:8189:: with SMTP id g9mr38933160pfi.143.1566431282949; Wed, 21 Aug 2019 16:48:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566431282; cv=none; d=google.com; s=arc-20160816; b=QsZYvoTzMVFIdEMEkUQoTwRIyOs9pb7+ClO9uUn8lhjAGCXldKw+GUDO+wDEbaCnGZ thHVGBsEjwgiwNrLxe9Tr9XU/tgPeCUXFfvA1n5N+sjF0OUs7ZNR3DYvvySCDasTtsA4 pWarCR+qODQUQ7lYm4GuRos+vu6374aEmCsdIyN+q09LlCSeK7FZT1L7VmNe90w9mYI8 bdE3zXaOOEhlPJ3OpZJfgcL/RIOrg0V6IzoSGge7s/HLy3FHfVMKslXHUUP3oJtVc9LV Z4fdFjgePZfJgsvY8iHXsApdg9UzkMQRhisgu9dNNO7tIz07Oh6SE4fn5Vixv8m911Be QwAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:in-reply-to :subject:cc:to:from:user-agent:references:dkim-signature; bh=tzs0xL7F6e4DYv0KKXWstcIwevn1IeV2WU1eJYUjfUc=; b=O8yJY19hhVJYeM6812vndqeeezk6VBFxSukZLfa3xfzG6rl6v5CokRTPXYzKI6HFcM CJFt41qEzPzUOm3kk7I8AxpLjS+T8TBdtaG/VEioKFKVc1MOBjh4z0mIJuOpOFk292Ui ExjC3cfV5Jjtv4CCLhxtL8K1JDvzav1BtR0pKIpeuhxs/SJGiCbXlp5RRoxHvRbbtZ3P 5hQyxm8k2Cd/3jc/783sTdkfS0AkGG+AaTS/xPAkt9wtR9NWccqsTE2xvLNKIodv9wT5 ePnENMULQ6LYe8wmGna/BkDuygjdVPBYieA8S64iBpjpp+TMyCEDVzWCEv8ogA6D7xRl 2m3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@netronome-com.20150623.gappssmtp.com header.s=20150623 header.b=cSapzLOb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g13si15800985pgo.274.2019.08.21.16.47.47; Wed, 21 Aug 2019 16:48:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@netronome-com.20150623.gappssmtp.com header.s=20150623 header.b=cSapzLOb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730987AbfHUVvl (ORCPT + 99 others); Wed, 21 Aug 2019 17:51:41 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:40508 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729096AbfHUVvk (ORCPT ); Wed, 21 Aug 2019 17:51:40 -0400 Received: by mail-wm1-f66.google.com with SMTP id c5so3439218wmb.5 for ; Wed, 21 Aug 2019 14:51:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netronome-com.20150623.gappssmtp.com; s=20150623; h=references:user-agent:from:to:cc:subject:in-reply-to:date :message-id:mime-version; bh=tzs0xL7F6e4DYv0KKXWstcIwevn1IeV2WU1eJYUjfUc=; b=cSapzLObrFhl9WiOnkT1Yt3qMrv+d9JGVzxCP0RCrg4HDDoOq9rDy26FxLVG1MUZWU Tb3wG8LMVh2xbjCriUATkhMeVZCg4a4IaoE0La8xSVXj2Vj55w0A4Jb6KQFbsbDaT0lq RbjwbjviHSBy9Ih21aDFJiuNnLLsa8FprO2LzTBYqg3pWDKz1Lk86wy/DzYpt2mxi+0M agenDEbadExsbz/tlANeVWRO5zI1fm2U9mK3oimhQdlChq+5WojjnsV0IxhasGg54NzQ PeE/BQUGj2ZarJ43yyiKHKL6xiB7I8ASK50mlaQGzkhcyI0fDVH97/iYsutzOeOjPXkd zkpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:references:user-agent:from:to:cc:subject :in-reply-to:date:message-id:mime-version; bh=tzs0xL7F6e4DYv0KKXWstcIwevn1IeV2WU1eJYUjfUc=; b=hhiDcHUGSbfHg9I/oiB+cuVOU35b14/tn+v1nD/vZVCH/Z1/Tpy7zcUPmkfqpDaI7T WOC4HiFT28CwlzcBmUz6UUXzpm+pFaaeU4iOYedIXQ2pzZtAiiOt1HJLIlAMyy2Sa4Az wJVxRqVqtKHrTsDctF8Wy/zSYsoRbLUpuWiUewI0sSZbcG1iuG7dRhCvuw+6OhtGclrQ 2AcdSUfqCrQU1g1PjXgOnMLpxrQPNZ9BszVRAZG0kLcc1qHEMS766RDrxJYepV32M8VE Lja4pZCyO8+dMiqp/j3ewoiDJ9YAoiKFWjAw0ZF6Fx9xrsPC62G2U0IMLDNVC0l6FqC/ 3jDg== X-Gm-Message-State: APjAAAVRzbvbkcY4U1ZB5K3H78NRPxiyht11w7RoAUQ/IICNtBb3Wu5m NTzzctoMrEQO7VgveVp8g4zk6iBBPvA= X-Received: by 2002:a1c:7d08:: with SMTP id y8mr2441435wmc.50.1566424298379; Wed, 21 Aug 2019 14:51:38 -0700 (PDT) Received: from LAPTOP-V3S7NLPL (cpc1-cmbg19-2-0-cust104.5-4.cable.virginm.net. [82.27.180.105]) by smtp.gmail.com with ESMTPSA id r15sm38044110wrj.68.2019.08.21.14.51.37 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 21 Aug 2019 14:51:37 -0700 (PDT) References: <20190821192358.31922-1-naveen.n.rao@linux.vnet.ibm.com> User-agent: mu4e 0.9.18; emacs 25.2.2 From: Jiong Wang To: "Naveen N. Rao" Cc: Alexei Starovoitov , Daniel Borkmann , Jiong Wang , Michael Ellerman , bpf@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] bpf: handle 32-bit zext during constant blinding In-reply-to: <20190821192358.31922-1-naveen.n.rao@linux.vnet.ibm.com> Date: Wed, 21 Aug 2019 22:51:35 +0100 Message-ID: <87zhk2faqg.fsf@netronome.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Naveen N. Rao writes: > Since BPF constant blinding is performed after the verifier pass, the > ALU32 instructions inserted for doubleword immediate loads don't have a > corresponding zext instruction. This is causing a kernel oops on powerpc > and can be reproduced by running 'test_cgroup_storage' with > bpf_jit_harden=2. > > Fix this by emitting BPF_ZEXT during constant blinding if > prog->aux->verifier_zext is set. > > Fixes: a4b1d3c1ddf6cb ("bpf: verifier: insert zero extension according to analysis result") > Reported-by: Michael Ellerman > Signed-off-by: Naveen N. Rao Thanks for the fix. Reviewed-by: Jiong Wang Just two other comments during review in case I am wrong on somewhere. - Use verifier_zext instead of bpf_jit_needs_zext() seems better, even though the latter could avoid extending function argument. Because JIT back-ends look at verifier_zext, true means zext inserted by verifier so JITs won't do the code-gen. Use verifier_zext is sort of keeping JIT blinding the same behaviour has verifier even though blinding doesn't belong to verifier, but for such insn patching, it could be seen as a extension of verifier, therefore use verifier_zext seems better than bpf_jit_needs_zext() to me. - JIT blinding is also escaping the HI32 randomization which happens inside verifier, otherwise x86-64 regression should have caught this issue. Regards, Jiong > --- > Changes since RFC: > - Removed changes to ALU32 and JMP32 ops since those don't alter program > execution, and the verifier would have already accounted for them. > > > kernel/bpf/core.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > index 8191a7db2777..66088a9e9b9e 100644 > --- a/kernel/bpf/core.c > +++ b/kernel/bpf/core.c > @@ -890,7 +890,8 @@ int bpf_jit_get_func_addr(const struct bpf_prog *prog, > > static int bpf_jit_blind_insn(const struct bpf_insn *from, > const struct bpf_insn *aux, > - struct bpf_insn *to_buff) > + struct bpf_insn *to_buff, > + bool emit_zext) > { > struct bpf_insn *to = to_buff; > u32 imm_rnd = get_random_int(); > @@ -1005,6 +1006,8 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from, > case 0: /* Part 2 of BPF_LD | BPF_IMM | BPF_DW. */ > *to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[0].imm); > *to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd); > + if (emit_zext) > + *to++ = BPF_ZEXT_REG(BPF_REG_AX); > *to++ = BPF_ALU64_REG(BPF_OR, aux[0].dst_reg, BPF_REG_AX); > break; > > @@ -1088,7 +1091,8 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog) > insn[1].code == 0) > memcpy(aux, insn, sizeof(aux)); > > - rewritten = bpf_jit_blind_insn(insn, aux, insn_buff); > + rewritten = bpf_jit_blind_insn(insn, aux, insn_buff, > + clone->aux->verifier_zext); > if (!rewritten) > continue;