Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp370710rdg; Thu, 12 Oct 2023 08:02:34 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHr1lUdIOwIEauWoF1WWp+YLSc2fYbbe9XZFpgdgy+LTrK9wpE6VCfcOnbvwjpm2Y5Lx4DF X-Received: by 2002:a05:6a20:1450:b0:16b:80f2:f30c with SMTP id a16-20020a056a20145000b0016b80f2f30cmr18174332pzi.26.1697122954289; Thu, 12 Oct 2023 08:02:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697122954; cv=none; d=google.com; s=arc-20160816; b=O8QqX5ovOudZmGGC74BV1iCHIp6sJjaGUJk4jVmjDzjay8J/aXoQ47mhBJM8sqMr3g qlbi6VpdxKqbt+ZN6EPWZDI9wJac5OkhxNUL2WI1fIMg1Am5IFc+gxw307zy9GsIK8nm bzxBSurZquMZiVF58WFDHQwn0bZQtCztTH1hFkxfb3DFoE2d6QccyJOPpyTkmt0kzK3u M018a1sX5d2vnxeHLNpOuz4rjXrQMWxby2WEIy0xrr9uwrjZi/OJzMESoIAZwOMSjAqA trkg8w4R5Fe3nmthaoZ3QCGGlSBbh9O55+onUWPhSUXhjF4lOiWAJhZM1cveLn9dzBDB 1BxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=S90hAqlSYxgq/E7D0v0WIajU1lTX+G+PuSX4VnbOm2s=; fh=hy1r8Xg5uVPvlKKCWimrL2LuEXdO6rT+TrvS9W53sW0=; b=mDm6TGEnp71skIyRp+f25lDJessyL+WLa3STVZ+MwPThsWESkLifUalUvVq93f7yzt DvOzHU/seCYR63/eV3EyAtATHjV6sQOssl0ULVhWnMQIqJdkV+ajBOkLLYMESoW3NsLx IFUhnqFWUHtsnuq8747H2D4TRp0zxPCDNru9WGVoAD6T0KmvXFJWqwR543Z+vab3h/VA Kv5Vffg1MBnoADr8RYOIdFovM2jQiEL9ZzryhBPbYTvK6H9dz7LlyFjlp98US8dKvyf2 T+OsBqZGo9SLi9kfbzIene9zndBcAoPSaoG28APt5WZTyTxHolAdaOkLceiSblo28Vtz TMGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=KDKis3GW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id bt8-20020a632908000000b00578e2545db1si2391368pgb.360.2023.10.12.08.02.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Oct 2023 08:02:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=KDKis3GW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id ED2AA822D0A1; Thu, 12 Oct 2023 08:02:27 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233980AbjJLPCW (ORCPT + 99 others); Thu, 12 Oct 2023 11:02:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45916 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1376440AbjJLPCP (ORCPT ); Thu, 12 Oct 2023 11:02:15 -0400 Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F54CA9; Thu, 12 Oct 2023 08:02:14 -0700 (PDT) Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-3215f19a13aso1011108f8f.3; Thu, 12 Oct 2023 08:02:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697122932; x=1697727732; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=S90hAqlSYxgq/E7D0v0WIajU1lTX+G+PuSX4VnbOm2s=; b=KDKis3GWmPt1v3HGVxBgn10/0YAnB/yWFbaafdzEo/3+Gb6RM2En8yCZSk3SYov8SI BlsGVdQ5SIGZflTelek2MEixwPfL8BWa5RaGMq47B6HEHAm5Z2v2gA9LvQq5+JX1PXmJ 6RejCEbYgpgAikP5vtCn9BKw4qRCZovXRMRhZsWSB/f06ur4XhwSFB3rraGiNa+AUeNr LLF3nU26jXFAPyLcHm3Y67jWWxBzdNMGuWd0S+9cgLYJUhY0PnuWqjWhvASYkT8eW/3G +ND3VmrsLjT2FzGVpcNvapxsIDJeN8irvpmwtRfZbbHQ5/xkRG9AYipdbxXzt4P6WgVf N17g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697122932; x=1697727732; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=S90hAqlSYxgq/E7D0v0WIajU1lTX+G+PuSX4VnbOm2s=; b=BnQuX0EnRC7qbfpTlvL81KHAxW/0V9VYZ0dQtyXlM50S3Nn9H9jMPPcI+ZSfQvblu5 uzBduNboLIzL3XVPkIyEbQ4KUo01nK855E6xr2G5Sl/jFkKBC2idRw/tjOka6l+9Yeyw l8TMEz8Qd5QgPVEfZaODh3GF9A2KpBQ1lsqVwnmCxSR5yq+xSz4IlYTXu0Zd8syzcEgD eR3dTqbziz5pF85DQ5gGmz0zxeG4IMgzuq+M+8a/X1JfxTuWMlb57MXYxkgv5sRsxXik PVY0ir/9t0qHHfa2Wn6IbDZ1qf0RC+kr41XnlfMe/atbT8TK44CG+zSUo7YsseQUTtnO xhCQ== X-Gm-Message-State: AOJu0YxpEj/ctj5fLHMUupkn9r7uqduRkUpwJFvd+Eiza4/sLliujdKN svG6t1XXG20r61YjfH/+CNNtGd2aG8ydvzrXQoQ= X-Received: by 2002:a05:6000:1cc:b0:32d:819c:5da6 with SMTP id t12-20020a05600001cc00b0032d819c5da6mr5400142wrx.21.1697122932227; Thu, 12 Oct 2023 08:02:12 -0700 (PDT) MIME-Version: 1.0 References: <20231011-jmp-into-reserved-fields-v3-0-97d2aa979788@gmail.com> <20231011-jmp-into-reserved-fields-v3-1-97d2aa979788@gmail.com> In-Reply-To: From: Alexei Starovoitov Date: Thu, 12 Oct 2023 08:02:00 -0700 Message-ID: Subject: Re: [PATCH bpf-next v3 1/3] bpf: Detect jumping to reserved code during check_cfg() To: Shung-Hsi Yu Cc: Hao Sun , Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 12 Oct 2023 08:02:28 -0700 (PDT) On Thu, Oct 12, 2023 at 1:14=E2=80=AFAM Shung-Hsi Yu wrote: > > On Wed, Oct 11, 2023 at 06:38:56AM -0700, Alexei Starovoitov wrote: > > On Wed, Oct 11, 2023 at 2:01=E2=80=AFAM Hao Sun w= rote: > > > > > > Currently, we don't check if the branch-taken of a jump is reserved c= ode of > > > ld_imm64. Instead, such a issue is captured in check_ld_imm(). The ve= rifier > > > gives the following log in such case: > > > > > > func#0 @0 > > > 0: R1=3Dctx(off=3D0,imm=3D0) R10=3Dfp0 > > > 0: (18) r4 =3D 0xffff888103436000 ; R4_w=3Dmap_ptr(off=3D0,ks= =3D4,vs=3D128,imm=3D0) > > > 2: (18) r1 =3D 0x1d ; R1_w=3D29 > > > 4: (55) if r4 !=3D 0x0 goto pc+4 ; R4_w=3Dmap_ptr(off=3D0,ks= =3D4,vs=3D128,imm=3D0) > > > 5: (1c) w1 -=3D w1 ; R1_w=3D0 > > > 6: (18) r5 =3D 0x32 ; R5_w=3D50 > > > 8: (56) if w5 !=3D 0xfffffff4 goto pc-2 > > > mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx -1 > > > mark_precise: frame0: regs=3Dr5 stack=3D before 6: (18) r5 =3D 0x32 > > > 7: R5_w=3D50 > > > 7: BUG_ld_00 > > > invalid BPF_LD_IMM insn > > > > > > Here the verifier rejects the program because it thinks insn at 7 is = an > > > invalid BPF_LD_IMM, but such a error log is not accurate since the is= sue > > > is jumping to reserved code not because the program contains invalid = insn. > > > Therefore, make the verifier check the jump target during check_cfg()= . For > > > the same program, the verifier reports the following log: > > > > > > func#0 @0 > > > jump to reserved code from insn 8 to 7 > > > > > > Signed-off-by: Hao Sun > > > --- > > > kernel/bpf/verifier.c | 7 +++++++ > > > 1 file changed, 7 insertions(+) > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index eed7350e15f4..725ac0b464cf 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -14980,6 +14980,7 @@ static int push_insn(int t, int w, int e, str= uct bpf_verifier_env *env, > > > { > > > int *insn_stack =3D env->cfg.insn_stack; > > > int *insn_state =3D env->cfg.insn_state; > > > + struct bpf_insn *insns =3D env->prog->insnsi; > > > > > > if (e =3D=3D FALLTHROUGH && insn_state[t] >=3D (DISCOVERED | = FALLTHROUGH)) > > > return DONE_EXPLORING; > > > @@ -14993,6 +14994,12 @@ static int push_insn(int t, int w, int e, st= ruct bpf_verifier_env *env, > > > return -EINVAL; > > > } > > > > > > + if (e =3D=3D BRANCH && insns[w].code =3D=3D 0) { > > > + verbose_linfo(env, t, "%d", t); > > > + verbose(env, "jump to reserved code from insn %d to %= d\n", t, w); > > > + return -EINVAL; > > > + } > > > > I don't think we should be changing the verifier to make > > fuzzer logs more readable. > > Taking fuzzer out of consideration, giving users clearer explanation for > such verifier rejection could save a lot of head scratching. Users won't see such errors unless they are actively doing what is not recommended. > Compiler shouldn't generate such program, but its plausible to forget to > account that BPF_LD_IMM64 consists of two instructions when writing > assembly (especially with filter.h-like macros) and have it jump to the 2= nd > part of BPF_LD_IMM64. Using macros to write bpf asm code is highly discouraged. All kinds of errors are possible. Bogus jump is just one of such mistakes. Use naked functions and inline asm in C code that both GCC and clang understand then you won't see bad jumps. See selftets/bpf/verifier_*.c as an example. > > Same with patch 2. The code is fine as-is. > > The only way BPF_SIZE(insn->code) !=3D BPF_DW conditional in check_ld_imm= () > can be met right now is when we have a jump to the 2nd part of LD_IMM64; = but > what this conditional actually guard against is not straight-forward and > quite confusing[1]. There are plenty of cases in the verifier where we print an error message. Some of them should be impossible due to prior checks. In such cases we don't yell "verifier bug" and are not going to do that in this case either.