Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp109850rdg; Wed, 11 Oct 2023 23:33:44 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHFGBBl9X/RrJDoYw/Zjf5r5o/HYOI6VBMMd8nnPXbLQ8EIHcI6E4ts/tU1Uv44dijJJu+d X-Received: by 2002:a05:6a00:391b:b0:690:3793:17e5 with SMTP id fh27-20020a056a00391b00b00690379317e5mr28548860pfb.4.1697092423828; Wed, 11 Oct 2023 23:33:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697092423; cv=none; d=google.com; s=arc-20160816; b=CjxpEmm8R70+hyIv8Bh7o5C7WJy+gKI4yUmgkEfZtApLO3FDbts9/0R+gSioFthLEF hU/XdYnXoJEXmGGq6ghgogOMYmY9YNjDrOKfLUhyNzpeYunVe06FkyFeI0N9DZvh5tm3 ODdwtBOZjvtviwg4iML4aurEO9n/eblVAfzkxugYqpn7okn1bpeJJYhvzD+GiECUtJ+o bbjZFUbKDuvgmbf2RcWvnm5ULDzFyhG92j44ErRhlWklccrzMPdMWRVkkBGixP2MqDnT zWxmKRQe8rZTr1QVX7cer6XafWomlmUzQydrTI8XTkW6iEyqWRcNirFcwb7vB50q9AzH 5bnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=tLs232MoIvKTceoFGKf83FsYAh/WEEvSsX2TipWGeU4=; fh=kAb4w4H8DuXrk+xxthK/u+NRkfzCRLyZn1K/svnsZT8=; b=wkU9MH21xGVIa2hkOMzc1HWDtBTp2YhL2lEgtDbu0Uf66hwdiGf9bB500v1SEwXq6+ zxWto0ZNjToNKJqmj5CSHFayDj7G7Zlfxq6hO4b8DLHJR1MyAoB9RpBMP/dDJ4K0qTA+ ztr6ZIz8A8vaDQibmkEfwizOyCm8Mt5Yfj+bxaMAPGPN4UwoMjcvtDY+kz5bw7oe3l6o va2bS9YUmKYsSsRO9/XnwjU+mzMcqsmf2frUlLN7YaGprlJ0/2hURjvt3obCbdIc34fx HsKjrBNihtsrQROJ9MaPiwrMkBdMTWSryr9kFskSm1QLDwN8ABjlz+8Vvts81CxqDglT nzrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FQgWY1gR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id e13-20020a056a001a8d00b006934a431c55si13987176pfv.163.2023.10.11.23.33.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Oct 2023 23:33:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FQgWY1gR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 61732807C6F8; Wed, 11 Oct 2023 23:33:00 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347069AbjJLGcv (ORCPT + 99 others); Thu, 12 Oct 2023 02:32:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343541AbjJLGct (ORCPT ); Thu, 12 Oct 2023 02:32:49 -0400 Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 57885BA; Wed, 11 Oct 2023 23:32:48 -0700 (PDT) Received: by mail-yb1-xb2c.google.com with SMTP id 3f1490d57ef6-d9abc069c8bso518364276.3; Wed, 11 Oct 2023 23:32:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697092367; x=1697697167; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=tLs232MoIvKTceoFGKf83FsYAh/WEEvSsX2TipWGeU4=; b=FQgWY1gRQCI3x8yWmyVVZY1MEkz/WxLWijdF2uaZanr7xLvbUOYTB+FTPqOGL1nIrK ThAVKJspSYKJS726r/FEn0t3CaW2G1BBf6lhKlqtgFT30r91uTo/pFR636jwkcwYOFxv nAFPInV0GRvvaNJtaSAK3hqQzVlP7Bl1+XDmaUsCsliaMfRPCc1FtHBLnOrvelNPO3yc W82vFuNCrCFrZOMg1chKFdirHuPksvI5NZEq5Rvtj+kp6bbI33UpAIMu/s9p5jl3uNGT ZUp1NvqUfnmW1PCRclKbxZLbLfIq9k6Tl/4OKh/1pFmzNkvs6uXux2a2K/CxTsh6VsUq Bjaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697092367; x=1697697167; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tLs232MoIvKTceoFGKf83FsYAh/WEEvSsX2TipWGeU4=; b=V/9FpPeuOrFYOoLDn1MsQFKsAeJlk0yjbdoWa2WsHrXBVDZpnEaj4p/xFYzBxhZ/zt HTNOMo9XcVv4oAdDz0O4HW/RZ0V2jUBJhoMMxwr5FL9T6X0ry4pH6SYSve0zPM8cq2nG RXAIrJqvanuY+wFgLM7lYN+s5YvCkLjxbaenAlRdy7V8uSKJ5EIfrYGg/gHGsnHVG9/k tOpE0TjLIk+d68Mbsc2suHIY36igzq/sC6nMmHpjDZAvIxPrsulAMi48tjpvfGe+RYk2 cZEV1k+GXDBIYXqH1bDK+do9QtkNBrrJrcthF6uSLgL8hp1FFxo9cixm2bTkuu6A8V7X IEZQ== X-Gm-Message-State: AOJu0Yw5B4/jSal32VJVko9gWg4nJXNc5NNryZfmjHyZpIarm1+iLqbb r3ghJ1+2xqK+76tuoHw+bis5lBzxi6pezFIDIQ== X-Received: by 2002:a25:4d89:0:b0:d99:f29f:371 with SMTP id a131-20020a254d89000000b00d99f29f0371mr9694650ybb.4.1697092367335; Wed, 11 Oct 2023 23:32:47 -0700 (PDT) MIME-Version: 1.0 References: <20231011-jmp-into-reserved-fields-v3-0-97d2aa979788@gmail.com> <20231011-jmp-into-reserved-fields-v3-1-97d2aa979788@gmail.com> In-Reply-To: From: Hao Sun Date: Thu, 12 Oct 2023 08:32:36 +0200 Message-ID: Subject: Re: [PATCH bpf-next v3 1/3] bpf: Detect jumping to reserved code during check_cfg() To: Alexei Starovoitov Cc: Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 11 Oct 2023 23:33:00 -0700 (PDT) On Wed, Oct 11, 2023 at 3:39=E2=80=AFPM Alexei Starovoitov wrote: > > On Wed, Oct 11, 2023 at 2:01=E2=80=AFAM Hao Sun wro= te: > > > > Currently, we don't check if the branch-taken of a jump is reserved cod= e of > > ld_imm64. Instead, such a issue is captured in check_ld_imm(). The veri= fier > > gives the following log in such case: > > > > func#0 @0 > > 0: R1=3Dctx(off=3D0,imm=3D0) R10=3Dfp0 > > 0: (18) r4 =3D 0xffff888103436000 ; R4_w=3Dmap_ptr(off=3D0,ks=3D4= ,vs=3D128,imm=3D0) > > 2: (18) r1 =3D 0x1d ; R1_w=3D29 > > 4: (55) if r4 !=3D 0x0 goto pc+4 ; R4_w=3Dmap_ptr(off=3D0,ks=3D4= ,vs=3D128,imm=3D0) > > 5: (1c) w1 -=3D w1 ; R1_w=3D0 > > 6: (18) r5 =3D 0x32 ; R5_w=3D50 > > 8: (56) if w5 !=3D 0xfffffff4 goto pc-2 > > mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx -1 > > mark_precise: frame0: regs=3Dr5 stack=3D before 6: (18) r5 =3D 0x32 > > 7: R5_w=3D50 > > 7: BUG_ld_00 > > invalid BPF_LD_IMM insn > > > > Here the verifier rejects the program because it thinks insn at 7 is an > > invalid BPF_LD_IMM, but such a error log is not accurate since the issu= e > > is jumping to reserved code not because the program contains invalid in= sn. > > Therefore, make the verifier check the jump target during check_cfg(). = For > > the same program, the verifier reports the following log: > > > > func#0 @0 > > jump to reserved code from insn 8 to 7 > > > > Signed-off-by: Hao Sun > > --- > > kernel/bpf/verifier.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index eed7350e15f4..725ac0b464cf 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -14980,6 +14980,7 @@ static int push_insn(int t, int w, int e, struc= t bpf_verifier_env *env, > > { > > int *insn_stack =3D env->cfg.insn_stack; > > int *insn_state =3D env->cfg.insn_state; > > + struct bpf_insn *insns =3D env->prog->insnsi; > > > > if (e =3D=3D FALLTHROUGH && insn_state[t] >=3D (DISCOVERED | FA= LLTHROUGH)) > > return DONE_EXPLORING; > > @@ -14993,6 +14994,12 @@ static int push_insn(int t, int w, int e, stru= ct bpf_verifier_env *env, > > return -EINVAL; > > } > > > > + if (e =3D=3D BRANCH && insns[w].code =3D=3D 0) { > > + verbose_linfo(env, t, "%d", t); > > + verbose(env, "jump to reserved code from insn %d to %d\= n", t, w); > > + return -EINVAL; > > + } > > I don't think we should be changing the verifier to make > fuzzer logs more readable. > > Same with patch 2. The code is fine as-is. Confused, the changes are not for fuzzer logs but to handle jumping to the middle of ld_imm64. Like jumping out of bounds, both are similar issues and can be handled in one place. The current code handles such incorrect jumps in check_ld_imm(), which is strange, and the error log "BAD_LD_IMM" rather than "bad jump" is also strange. The second one is just for verifier debugging because the only caller of check_ld_imm() is do_check(), before which we already have resolve_pseudo_ldimm64() which has opcode_in_insntable() to check the validity of insn code. The only reason we could see an invalid ld_imm64 in check_id_imm() is errors somewhere else.