MIME-Version: 1.0
References: <20211210172034.13614-1-mcroce@linux.microsoft.com>
 <CAADnVQJRVpL0HL=Lz8_e-ZU5y0WrQ_Z0KvQXF2w8rE660Jr62g@mail.gmail.com>
 <CAFnufp33Dm_5gffiFYQ+Maf4Bj9fE3WLMpFf3cJ=F5mm71mTEQ@mail.gmail.com> <CAADnVQ+OeO=f1rzv_F9HFQmJCcJ7=FojkOuZWvx7cT-XLjVDcQ@mail.gmail.com>
In-Reply-To: <CAADnVQ+OeO=f1rzv_F9HFQmJCcJ7=FojkOuZWvx7cT-XLjVDcQ@mail.gmail.com>
From:   Matteo Croce <mcroce@linux.microsoft.com>
Date:   Wed, 15 Dec 2021 19:21:48 +0100
Message-ID: <CAFnufp3c3pdxu=hse4_TdFU_UZPeQySGH16ie13uTT=3w-TFjA@mail.gmail.com>
Subject: Re: [PATCH bpf-next] bpf: limit bpf_core_types_are_compat() recursion
To:     Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc:     bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Wed, Dec 15, 2021 at 6:29 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Wed, Dec 15, 2021 at 6:54 AM Matteo Croce <mcroce@linux.microsoft.com> wrote:
> > >
> > > Maybe do a level check here?
> > > Since calling it and immediately returning doesn't conserve
> > > the stack.
> > > If it gets called it can finish fine, but
> > > calling it again would be too much.
> > > In other words checking the level here gives us
> > > room for one more frame.
> > >
> >
> > I thought that the compiler was smart enough to return before
> > allocating most of the frame.
> > I tried and this is true only with gcc, not with clang.
>
> Interesting. That's a surprise.
> Could you share the asm that gcc generates?
>

Sure,

This is the gcc x86_64 asm on a stripped down
bpf_core_types_are_compat() with a 1k struct on the stack:

bpf_core_types_are_compat:
test esi, esi
jle .L69
push r15
push r14
push r13
push r12
push rbp
mov rbp, rdi
push rbx
mov ebx, esi
sub rsp, 9112
[...]
.L69:
or eax, -1
ret

This latest clang:

bpf_core_types_are_compat: # @bpf_core_types_are_compat
push rbp
push r15
push r14
push rbx
sub rsp, 1000
mov r14d, -1
test esi, esi
jle .LBB0_7
[...]
.LBB0_7:
mov eax, r14d
add rsp, 1000
pop rbx
pop r14
pop r15
pop rbp
ret

> > > > +                       err = __bpf_core_types_are_compat(local_btf, local_id,
> > > > +                                                         targ_btf, targ_id,
> > > > +                                                         level - 1);
> > > > +                       if (err <= 0)
> > > > +                               return err;
> > > > +               }
> > > > +
> > > > +               /* tail recurse for return type check */
> > > > +               btf_type_skip_modifiers(local_btf, local_type->type, &local_id);
> > > > +               btf_type_skip_modifiers(targ_btf, targ_type->type, &targ_id);
> > > > +               goto recur;
> > > > +       }
> > > > +       default:
> > > > +               pr_warn("unexpected kind %s relocated, local [%d], target [%d]\n",
> > > > +                       btf_type_str(local_type), local_id, targ_id);
> > >
> > > That should be bpf_log() instead.
> > >
> >
> > To do that I need a struct bpf_verifier_log, which is not present
> > there, neither in bpf_core_spec_match() or bpf_core_apply_relo_insn().
>
> It is there. See:
>         err = bpf_core_apply_relo_insn((void *)ctx->log, insn, ...
>
> > Should we drop the message at all?
>
> Passing it into bpf_core_spec_match() and further into
> bpf_core_types_are_compat() is probably unnecessary.
> All callers have an error check with a log right after.
> So I think we won't lose anything if we drop this log.
>

Nice.

> >
> > > > +               return 0;
> > > > +       }
> > > > +}
> > >
> > > Please add tests that exercise this logic by enabling
> > > additional lskels and a new test that hits the recursion limit.
> > > I suspect we don't have such case in selftests.
> > >
> > > Thanks!
> >
> > Will do!
>
> Thanks!


-- 
per aspera ad upstream