From: Hao Sun
Date: Thu, 2 Nov 2023 11:30:07 +0100
Subject: Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`
To: Andrii Nakryiko
Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko, Shuah Khan, Linux Kernel Mailing List, bpf
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 1, 2023 at 9:57 PM Andrii Nakryiko wrote:
>
> On Wed, Nov 1, 2023 at 6:56 AM Hao Sun wrote:
> >
> > Hi,
> >
> > The verifier incorrectly rejects the following prog in check_cfg() when
> > loading with root with confusing log `back-edge insn from 7 to 8`:
> > /* 0: r9 = 2
> >  * 1: r3 = 0x20
> >  * 2: r4 = 0x35
> >  * 3: r8 = r4
> >  * 4: goto+3
> >  * 5: r9 -= r3
> >  * 6: r9 -= r4
> >  * 7: r9 -= r8
> >  * 8: r8 += r4
> >  * 9: if r8 < 0x64 goto-5
> >  * 10: r0 = r9
> >  * 11: exit
> >  * */
> > BPF_MOV64_IMM(BPF_REG_9, 2),
> > BPF_MOV64_IMM(BPF_REG_3, 0x20),
> > BPF_MOV64_IMM(BPF_REG_4, 0x35),
> > BPF_MOV64_REG(BPF_REG_8, BPF_REG_4),
> > BPF_JMP_IMM(BPF_JA, 0, 0, 3),
> > BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_3),
> > BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_4),
> > BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
> > BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_4),
> > BPF_JMP32_IMM(BPF_JLT, BPF_REG_8, 0x68, -5),
> > BPF_MOV64_REG(BPF_REG_0, BPF_REG_9),
> > BPF_EXIT_INSN()
> >
> > -------- Verifier Log --------
> > func#0 @0
> > back-edge from insn 7 to 8
> > processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0
> > peak_states 0 mark_read 0
> >
> > This is not intentionally rejected, right?
>
> The way you wrote it, with goto +3, yes, it's intentional. Note that
> you'll get different results in privileged and unprivileged modes.
> Privileged mode allows "bounded loops" logic, so it doesn't
> immediately reject this program, and then later sees that r8 is always
> < 0x64, so program is correct.
>

I load the program with privileged mode, and goto-5 makes the program
run from #9 to #5, so r8 is updated and the program is not an infinite loop.

> But in unprivileged mode the rules are different, and this conditional
> back edge is not allowed, which is probably what you are getting.
>
> It's actually confusing and your "back-edge from insn 7 to 8" is out
> of date and doesn't correspond to your program, you should see
> "back-edge from insn 11 to 7", please double check.
>

Yes, it's also confusing to me, but "back-edge from insn 7 to 8" is what
I got. The execution path of the program is #4 to #8 (goto+3), so the
verifier sees #8 first. Then the program goes from #9 to #5 (goto-5); the
verifier thus sees #7 to #8 and incorrectly concludes a back-edge here.

This is the verifier log I got from the latest bpf-next; this C program
can reproduce it: https://pastebin.com/raw/Yug0NVwx

> Anyways, while I was looking into this, I realized that ldimm64 isn't
> handled exactly correctly in check_cfg(), so I just sent a fix. It
> also adds a nicer detection of jumping into the middle of the ldimm64
> instruction, which I believe is something you were advocating for.
>
> >
> > Best
> > Hao
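To see how the DFS arrives at the "7 to 8" diagnostic, here is an added model of the walk (example code written for this page, not code from the mail above or from the kernel tree). It assumes a toy instruction encoding (K_ALU, K_JA, K_JCOND, K_EXIT), the names cfg_model(), push_edge() and visit(), the globals last_be_from/last_be_to, and a second, constructed program in which insn 4 falls through instead of jumping; the real check_cfg() also handles calls, ldimm64, subprograms and prune points, which are omitted here. On the reported shape the walk descends 4 -> 8 -> 9 -> 10 -> 11, then takes the conditional branch 9 -> 5 as a tree edge and reaches 8 again through the plain fall-through 7 -> 8, which is pushed with loop_ok=false, so the cycle is rejected before any bounded-loop logic runs. In the fall-through variant the same cycle is closed by the conditional branch 9 -> 5 instead, which is tolerated for a privileged loader and rejected for an unprivileged one.

```c
/* Added example (not code from this mail or the kernel tree): a stripped-down model of
 * the DFS in the verifier's check_cfg()/push_insn(), enough to show why the posted
 * program yields "back-edge from insn 7 to 8". Names, encoding and the second program
 * are this example's own; calls, ldimm64, subprograms and prune points are left out. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum kind { K_ALU, K_JA, K_JCOND, K_EXIT };
struct insn { enum kind kind; int off; };   /* off is relative to the next insn, as in BPF */

/* insn_state bits with the verifier's layout, plus the DFS return codes */
enum { FALLTHROUGH = 1, BRANCH = 2, DISCOVERED = 0x10, EXPLORED = 0x20 };
enum { DONE_EXPLORING = 0, KEEP_EXPLORING = 1, MAX_INSNS = 64 };

static struct {
    const struct insn *prog;
    int len;
    bool bpf_capable;                       /* privileged loader: loop_ok back-edges tolerated */
    int state[MAX_INSNS], stack[MAX_INSNS], cur_stack;
} cfg;
int last_be_from = -1, last_be_to = -1;     /* filled in when a back-edge is rejected */

/* Mirrors push_insn(): t is the current insn, w its successor, e the edge type. */
static int push_edge(int t, int w, int e, bool loop_ok)
{
    if ((e == FALLTHROUGH && cfg.state[t] >= (DISCOVERED | FALLTHROUGH)) ||
        (e == BRANCH && cfg.state[t] >= (DISCOVERED | BRANCH)))
        return DONE_EXPLORING;              /* this edge out of t was already taken */
    if (w < 0 || w >= cfg.len)
        return -EINVAL;                     /* "jump out of range" */
    if (cfg.state[w] == 0) {                /* tree-edge: descend into w */
        cfg.state[t] = DISCOVERED | e;
        cfg.state[w] = DISCOVERED;
        cfg.stack[cfg.cur_stack++] = w;
        return KEEP_EXPLORING;
    }
    if ((cfg.state[w] & 0xF0) == DISCOVERED) {  /* w is still on the DFS stack: a cycle */
        if (loop_ok && cfg.bpf_capable)
            return DONE_EXPLORING;          /* left to the bounded-loop logic later on */
        last_be_from = t;
        last_be_to = w;
        return -EINVAL;                     /* "back-edge from insn t to w" */
    }
    cfg.state[t] = DISCOVERED | e;          /* forward- or cross-edge to an explored insn */
    return DONE_EXPLORING;
}

/* Mirrors visit_insn(): only the fall-through out of a non-jump insn passes loop_ok=false. */
static int visit(int t)
{
    const struct insn *in = &cfg.prog[t];
    switch (in->kind) {
    case K_EXIT:  return DONE_EXPLORING;
    case K_ALU:   return push_edge(t, t + 1, FALLTHROUGH, false);
    case K_JA:    return push_edge(t, t + in->off + 1, FALLTHROUGH, true);
    case K_JCOND: {
        int ret = push_edge(t, t + 1, FALLTHROUGH, true);
        return ret ? ret : push_edge(t, t + in->off + 1, BRANCH, true);
    }
    }
    return -EFAULT;
}

/* Returns 0 if the CFG is accepted, -EINVAL otherwise (last_be_* set for a back-edge). */
int cfg_model(const struct insn *prog, int len, bool bpf_capable)
{
    memset(&cfg, 0, sizeof(cfg));
    cfg.prog = prog; cfg.len = len; cfg.bpf_capable = bpf_capable;
    last_be_from = last_be_to = -1;
    cfg.state[0] = DISCOVERED; cfg.stack[0] = 0; cfg.cur_stack = 1;
    while (cfg.cur_stack > 0) {
        int t = cfg.stack[cfg.cur_stack - 1], ret = visit(t);
        if (ret == DONE_EXPLORING) {
            cfg.state[t] = EXPLORED;
            cfg.cur_stack--;
        } else if (ret != KEEP_EXPLORING) {
            return ret;
        }
    }
    for (int i = 0; i < len; i++)
        if (cfg.state[i] != EXPLORED)
            return -EINVAL;                 /* "unreachable insn" */
    return 0;
}

#define A { K_ALU, 0 }
/* Shape of the reported program: insn 4 is `goto +3` (to 8), insn 9 `if ... goto -5` (to 5). */
const struct insn reported_prog[12] = { A, A, A, A, { K_JA, 3 }, A, A, A, A, { K_JCOND, -5 }, A, { K_EXIT, 0 } };
/* Constructed variant: insn 4 falls through into the loop body instead of jumping over it. */
const struct insn fallthrough_prog[12] = { A, A, A, A, A, A, A, A, A, { K_JCOND, -5 }, A, { K_EXIT, 0 } };

int main(void)
{
    int ret = cfg_model(reported_prog, 12, true);
    printf("reported program, privileged:       ret=%d back-edge %d -> %d\n", ret, last_be_from, last_be_to);
    ret = cfg_model(fallthrough_prog, 12, true);
    printf("fall-through variant, privileged:   ret=%d\n", ret);
    ret = cfg_model(fallthrough_prog, 12, false);
    printf("fall-through variant, unprivileged: ret=%d back-edge %d -> %d\n", ret, last_be_from, last_be_to);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The first run reproduces the reported diagnostic (7 -> 8) regardless of privilege, because the edge that closes the cycle is the fall-through out of insn 7, not the conditional jump; the variant shows that moving the DFS entry point into the loop body makes the conditional branch the closing edge, which is exactly the case the privileged-only exemption in push_insn() was written for.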