From: Hao Sun
Subject: [PATCH bpf-next v3 0/3] bpf: Detect jumping to reserved code of ld_imm64
Date: Wed, 11 Oct 2023 11:00:11 +0200
Message-Id: <20231011-jmp-into-reserved-fields-v3-0-97d2aa979788@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Hao Sun
X-Mailer: b4 0.12.3
List-ID: <linux-kernel.vger.kernel.org>
Currently, the verifier rejects a program jumping to reserved code with the log "invalid BPF_LD_IMM" in check_ld_imm(), which is not accurate, because the program does not contain any invalid insns. The root cause is that the verifier does not detect such a jump, so the reserved code is passed to check_ld_imm().

The first patch makes the verifier detect jumps to reserved code during check_cfg(), because a jump to reserved code is just like a jump out of bounds: both break the CFG integrity immediately. The second makes the verifier report an internal error if it sees an invalid ld_imm64 in check_ld_imm(), because we already have bpf_opcode_in_insntable() to check the validity of the insn code. The third patch adapts existing tests to make them pass, and adds a new case to test a backward jump to reserved code.

Signed-off-by: Hao Sun
---
Changes in v3:
- Separate changes to different commits, change verifier log
- Link to v2: https://lore.kernel.org/r/20231010-jmp-into-reserved-fields-v2-1-3dd5a94d1e21@gmail.com

Changes in v2:
- Adjust existing test cases
- Link to v1: https://lore.kernel.org/bpf/20231009-jmp-into-reserved-fields-v1-1-d8006e2ac1f6@gmail.com/

---
Hao Sun (3):
      bpf: Detect jumping to reserved code during check_cfg()
      bpf: Report internal error on incorrect ld_imm64 in check_ld_imm()
      bpf: Adapt and add tests for detecting jump to reserved code

 kernel/bpf/verifier.c                           | 11 +++++++++--
 tools/testing/selftests/bpf/verifier/ld_imm64.c | 16 ++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)
---
base-commit: 3157b7ce14bbf468b0ca8613322a05c37b5ae25d
change-id: 20231009-jmp-into-reserved-fields-fc1a98a8e7dc

Best regards,
-- 
Hao Sun
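To make the check the cover letter describes concrete, here is an added example written for this page; it is not code from the patch series or from the kernel. It is a stand-alone C model of the two steps involved: mark_reserved() marks the second slot of every ld_imm64 as reserved (that slot only carries the upper 32 bits of the 64-bit immediate), and check_cfg_jumps() then rejects a jump landing on such a slot the same way it rejects a jump out of range, which is the behaviour the first patch adds to check_cfg(). The local struct bpf_insn copy, the function names, the verdict enum and the three sample programs are assumptions made for this example; the opcode values and the two-slot encoding of ld_imm64 follow uapi/linux/bpf.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-alone copy of the uapi struct bpf_insn layout; not the kernel header. */
struct bpf_insn {
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

/* Subset of the eBPF opcode encoding used below; values match uapi/linux/bpf.h. */
#define BPF_CLASS(c)  ((c) & 0x07)
#define BPF_OP(c)     ((c) & 0xf0)
#define BPF_JMP       0x05
#define BPF_JMP32     0x06
#define BPF_JA        0x00
#define BPF_JEQ       0x10
#define BPF_CALL      0x80
#define BPF_EXIT      0x90
#define LD_IMM64_CODE 0x18	/* BPF_LD | BPF_IMM | BPF_DW: occupies two slots */

enum cfg_verdict { CFG_OK, CFG_JUMP_OUT_OF_RANGE, CFG_JUMP_INTO_RESERVED, CFG_TRUNCATED_LD_IMM64 };

/* Pass 1: the slot after each ld_imm64 holds only the upper 32 bits of the
 * immediate; it is data, not an instruction boundary, so mark it reserved. */
static int mark_reserved(const struct bpf_insn *insns, int cnt, bool *reserved)
{
	memset(reserved, 0, (size_t)cnt * sizeof(*reserved));
	for (int i = 0; i < cnt; i++) {
		if (!reserved[i] && insns[i].code == LD_IMM64_CODE) {
			if (i + 1 >= cnt)
				return CFG_TRUNCATED_LD_IMM64;
			reserved[i + 1] = true;
		}
	}
	return CFG_OK;
}

/* Pass 2: compute every jump edge and reject edges that leave the program or
 * land on a reserved slot. *bad_insn (if non-NULL) gets the offending index. */
int check_cfg_jumps(const struct bpf_insn *insns, int cnt, int *bad_insn)
{
	bool reserved[cnt > 0 ? cnt : 1];
	int rc = mark_reserved(insns, cnt, reserved);

	if (bad_insn)
		*bad_insn = -1;
	if (rc != CFG_OK)
		return rc;
	for (int i = 0; i < cnt; i++) {
		uint8_t cls = BPF_CLASS(insns[i].code), op = BPF_OP(insns[i].code);
		/* BPF_JMP32|BPF_JA (gotol) keeps its offset in imm; all other jumps in off. */
		int target = i + 1 + ((op == BPF_JA && cls == BPF_JMP32) ? insns[i].imm : insns[i].off);

		if (reserved[i] || (cls != BPF_JMP && cls != BPF_JMP32))
			continue;		/* data slot or straight-line code */
		if (op == BPF_EXIT || op == BPF_CALL)
			continue;		/* no intra-program edge via off */
		rc = (target < 0 || target >= cnt) ? CFG_JUMP_OUT_OF_RANGE :
		     reserved[target] ? CFG_JUMP_INTO_RESERVED : CFG_OK;
		if (rc != CFG_OK) {
			if (bad_insn)
				*bad_insn = i;
			return rc;
		}
	}
	return CFG_OK;
}

/* Index of the offending instruction, or -1 when the CFG check passes. */
int offending_insn(const struct bpf_insn *insns, int cnt)
{
	int bad;
	check_cfg_jumps(insns, cnt, &bad);
	return bad;
}

/* Constructed sample programs (hypothetical, not from the kernel selftests). */
const struct bpf_insn prog_valid[] = {			/* r0 = 42; exit */
	{ .code = LD_IMM64_CODE, .dst_reg = 0, .imm = 42 },
	{ .code = 0, .imm = 0 },			/* reserved upper half */
	{ .code = BPF_JMP | BPF_EXIT },
};
const struct bpf_insn prog_fwd_into_reserved[] = {	/* if r1 == 0 goto +1 */
	{ .code = BPF_JMP | BPF_JEQ, .dst_reg = 1, .off = 1, .imm = 0 },
	{ .code = LD_IMM64_CODE, .dst_reg = 0, .imm = 1 },
	{ .code = 0 },					/* reserved: index 2 = target */
	{ .code = BPF_JMP | BPF_EXIT },
};
const struct bpf_insn prog_back_into_reserved[] = {	/* goto -2 from insn 2 */
	{ .code = LD_IMM64_CODE, .dst_reg = 0, .imm = 1 },
	{ .code = 0 },					/* reserved: index 1 = target */
	{ .code = BPF_JMP | BPF_JA, .off = -2 },	/* target = 2 + 1 - 2 = 1 */
	{ .code = BPF_JMP | BPF_EXIT },
};
#define N(p) ((int)(sizeof(p) / sizeof((p)[0])))
```

prog_back_into_reserved mirrors the shape of the backward-jump case the third patch adds: without the reserved-slot check, the jump at index 2 would be accepted by a plain bounds test and the data slot at index 1 would later reach check_ld_imm(), producing the misleading "invalid BPF_LD_IMM" log. The model only validates jump edges; the real check_cfg() additionally walks the graph to find unreachable code and back-edges, so this is the new check in isolation, not a replacement for that pass.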