Subject: Re: [PATCH bpf-next] Detect jumping to reserved code during check_cfg()
To: Hao Sun
Cc: John Fastabend, Alexei Starovoitov, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20231009-jmp-into-reserved-fields-v1-1-d8006e2ac1f6@gmail.com> <6524f6f77b896_66abc2084d@john.notmuch> <92f824ec-9538-501c-e63e-8483ffe14bad@iogearbox.net>
From: Daniel Borkmann
Message-ID: <0c892e68-3092-0b21-3331-a5e3cad43800@iogearbox.net>
Date: Tue, 10 Oct 2023 17:35:05 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/10/23 11:17 AM, Hao Sun wrote:
[...]
> I regard this as a fix, because the verifier log is not correct, since
> the program does not contain any invalid ld_imm64 instructions in this
> case.
>
> I haven't met other cases not captured via check_ld_imm(), but somehow,
> I think we probably want to convert the check there into an internal
> bug, because we already have the bpf_opcode_in_insntable() check in
> resolve_pseudo_ldimm64(). Once we meet an invalid insn code here, then
> somewhere else in the verifier is probably wrong. But I'm not sure,
> maybe something like this:

Makes sense, you could probably add this into your series as a separate
commit.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index eed7350e15f4..bed97de568a5 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c
> @@ -14532,8 +14532,8 @@ static int check_ld_imm(struct > bpf_verifier_env *env, struct bpf_insn *insn) > int err; > > if (BPF_SIZE(insn->code) != BPF_DW) { > - verbose(env, "invalid BPF_LD_IMM insn\n"); > - return -EINVAL; > + verbose(env, "verifier internal bug, invalid BPF_LD_IMM\n"); If so please stick to the common style as we have in other locations: verbose(env, "verifier internal error: \n"); > + return -EFAULT; > } > if (insn->off != 0) { > verbose(env, "BPF_LD_IMM64 uses reserved fields\n"); >
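Review bot: the -EFAULT return and the "verifier internal error" wording should stay confined to the `BPF_SIZE(insn->code) != BPF_DW` branch; the `insn->off != 0` check that follows in the hunk's context ("BPF_LD_IMM64 uses reserved fields") rejects a malformed user program, not a verifier bug, so its return value must remain -EINVAL. The commit message should also spell out why the size check is unreachable from user input (the bpf_opcode_in_insntable() check in resolve_pseudo_ldimm64() that Hao mentions above), since that is the whole justification for reporting it as an internal error rather than as a program error.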
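The series subject above is about jumps whose target is the reserved second slot of a ld_imm64. As an added illustration of that check (not the kernel's code and not the patch under review), the following two-pass scan over a constructed instruction array marks every second slot first and then resolves each jump target against those marks; `struct bpf_insn`, the opcode macros and `MAX_INSNS` are simplified stand-ins defined here, not the kernel's headers.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for the kernel's struct bpf_insn and ISA macros (constructed for this example). */
struct bpf_insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_JMP      0x05
#define BPF_CALL     0x80
#define BPF_EXIT     0x90
#define BPF_LD_IMM64 0x18   /* BPF_LD | BPF_IMM | BPF_DW: occupies two slots */
#define MAX_INSNS    256    /* example limit, not the kernel's */

/* Return the index of the first jump whose target is the reserved second slot
 * of a ld_imm64 (or lies outside the program); -1 if none, -2 if too long. */
int find_jump_into_reserved(const struct bpf_insn *insns, size_t len)
{
	uint8_t reserved[MAX_INSNS] = {0}; size_t i;
	if (len > MAX_INSNS)
		return -2;
	for (i = 0; i < len; i++) {		/* pass 1: mark second halves */
		if (insns[i].code != BPF_LD_IMM64)
			continue;
		if (i + 1 >= len)
			return (int)i;		/* truncated ld_imm64 */
		reserved[++i] = 1;
	}
	for (i = 0; i < len; i++) {		/* pass 2: resolve jump targets */
		uint8_t op = BPF_OP(insns[i].code);
		long target = (long)i + 1 + insns[i].off;
		if (reserved[i] || BPF_CLASS(insns[i].code) != BPF_JMP ||
		    op == BPF_CALL || op == BPF_EXIT)
			continue;
		if (target < 0 || target >= (long)len || reserved[target])
			return (int)i;
	}
	return -1;
}

/* Constructed programs: r1 = 0x1122334455667788; exit. In the second one a
 * leading BPF_JA +1 resolves to index 0 + 1 + 1 = 2, the reserved slot. */
const struct bpf_insn good_prog[] = {
	{ .code = BPF_LD_IMM64, .dst_reg = 1, .imm = 0x55667788 },
	{ .code = 0, .imm = 0x11223344 },	/* upper 32 bits, not an insn */
	{ .code = BPF_JMP | BPF_EXIT },
};
const struct bpf_insn bad_prog[] = {
	{ .code = BPF_JMP, .off = 1 },		/* BPF_JMP | BPF_JA (JA == 0) */
	{ .code = BPF_LD_IMM64, .dst_reg = 1, .imm = 0x55667788 },
	{ .code = 0, .imm = 0x11223344 },
	{ .code = BPF_JMP | BPF_EXIT },
};
```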