References: <20231210130001.2050847-1-menglong8.dong@gmail.com>
In-Reply-To: <20231210130001.2050847-1-menglong8.dong@gmail.com>
From: Andrii Nakryiko
Date: Mon, 11 Dec 2023 11:15:48 -0800
Subject: Re: [PATCH bpf-next] bpf: make the verifier trace the "not qeual" for regs
To: Menglong Dong
Cc: andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org

On Sun, Dec 10, 2023 at 5:00 AM Menglong Dong wrote:
>
> We can derive some new information for BPF_JNE in regs_refine_cond_op().
> Take following code for example:
>
>   /* The type of "a" is u16 */
>   if (a > 0 && a < 100) {
>     /* the range of the register for a is [0, 99], not [1, 99],
>      * and will cause the following error:
>      *
>      *   invalid zero-sized read
>      *
>      * as a can be 0.
>      */
>     bpf_skb_store_bytes(skb, xx, xx, a, 0);
>   }
>
> In the code above, "a > 0" will be compiled to "jmp xxx if a == 0". In the
> TRUE branch, the dst_reg will be marked as known to 0. However, in the
> fallthrough(FALSE) branch, the dst_reg will not be handled, which makes
> the [min, max] for a is [0, 99], not [1, 99].
>
> For BPF_JNE, we can reduce the range of the dst reg if the src reg is a
> const and is exactly the edge of the dst reg.
> > Signed-off-by: Menglong Dong > --- > kernel/bpf/verifier.c | 45 ++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 44 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 727a59e4a647..7b074ac93190 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -1764,6 +1764,40 @@ static void __mark_reg_const_zero(struct bpf_reg_s= tate *reg) > reg->type =3D SCALAR_VALUE; > } > > +#define CHECK_REG_MIN(value) \ > +do { \ > + if ((value) =3D=3D (typeof(value))imm) \ > + value++; \ > +} while (0) > + > +#define CHECK_REG_MAX(value) \ > +do { \ > + if ((value) =3D=3D (typeof(value))imm) \ > + value--; \ > +} while (0) > + > +static void mark_reg32_not_equal(struct bpf_reg_state *reg, u64 imm) > +{ > + CHECK_REG_MIN(reg->s32_min_value); > + CHECK_REG_MAX(reg->s32_max_value); > + CHECK_REG_MIN(reg->u32_min_value); > + CHECK_REG_MAX(reg->u32_max_value); > +} > + > +static void mark_reg_not_equal(struct bpf_reg_state *reg, u64 imm) > +{ > + CHECK_REG_MIN(reg->smin_value); > + CHECK_REG_MAX(reg->smax_value); > + > + CHECK_REG_MIN(reg->umin_value); > + CHECK_REG_MAX(reg->umax_value); > + > + CHECK_REG_MIN(reg->s32_min_value); > + CHECK_REG_MAX(reg->s32_max_value); > + CHECK_REG_MIN(reg->u32_min_value); > + CHECK_REG_MAX(reg->u32_max_value); > +} please don't use macros for this, this code is tricky enough without having to jump around double-checking what exactly macros are doing. Just code it explicitly. Also I don't see the need for mark_reg32_not_equal() and mark_reg_not_equal() helper functions, there is just one place where this logic is going to be called from, so let's add code right there. > + > static void mark_reg_known_zero(struct bpf_verifier_env *env, > struct bpf_reg_state *regs, u32 regno) > { 
> @@ -14332,7 +14366,16 @@ static void regs_refine_cond_op(struct bpf_reg_s= tate *reg1, struct bpf_reg_state > } > break; > case BPF_JNE: > - /* we don't derive any new information for inequality yet= */ > + /* try to recompute the bound of reg1 if reg2 is a const = and > + * is exactly the edge of reg1. > + */ > + if (is_reg_const(reg2, is_jmp32)) { > + val =3D reg_const_value(reg2, is_jmp32); > + if (is_jmp32) > + mark_reg32_not_equal(reg1, val); > + else > + mark_reg_not_equal(reg1, val); > + } > break; > case BPF_JSET: > if (!is_reg_const(reg2, is_jmp32)) > -- > 2.39.2 >
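
Review bot: in the first hunk (@@ -1764,6 +1764,40 @@), mark_reg_not_equal() also adjusts s32_min_value, s32_max_value, u32_min_value and u32_max_value for a 64-bit compare, and the "(typeof(value))imm" cast in the macros truncates the 64-bit constant before comparing. A 64-bit "reg != imm" says nothing about the low 32 bits on their own: with imm = 0x100000000 and u32_min_value = 0 the macro raises u32_min_value to 1, although a register holding 0x200000000 still passes the compare and has a low word of 0. Suggest touching only the 64-bit bounds in the non-jmp32 case, and adding a comment that explains why value++ and value-- cannot wrap or cross each other, since nothing in the hunk guards against that.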
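
Review bot: in the BPF_JNE case of the second hunk (@@ -14332,7 +14366,16 @@), only reg2 is tested with is_reg_const(), so nothing is derived when the constant sits in reg1 and the range in reg2. Suggest handling the mirrored case too, for example by swapping the two registers before the check when reg2 is not constant. The diffstat lists kernel/bpf/verifier.c as the only file changed, so a verifier selftest for the commit message's [0, 99] to [1, 99] case and for the jmp32 path would be worth sending with it.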
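
An added example, not code from the patch or from the kernel: a simplified C model of the "not equal to a constant at the edge of the range" refinement that the commit message describes, for the unsigned ranges only. The struct bounds type and all function names are assumptions made for illustration; the contrast function shows why a 64-bit compare must not tighten the 32-bit range with a truncated constant.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model (assumption): only the unsigned 64-bit range and the range
 * of the low 32 bits are tracked; this is not the kernel's bpf_reg_state. */
struct bounds {
    uint64_t umin, umax;
    uint32_t u32_min, u32_max;
};

/* Bounds where "reg != imm" holds. Only the range matching the compare width
 * is tightened, and only if it is not a single value, so no wrap or crossing. */
static struct bounds refine_ne(struct bounds b, uint64_t imm, bool is_jmp32)
{
    if (is_jmp32 && b.u32_min != b.u32_max) {
        if (b.u32_min == (uint32_t)imm) b.u32_min++;
        if (b.u32_max == (uint32_t)imm) b.u32_max--;
    } else if (!is_jmp32 && b.umin != b.umax) {
        if (b.umin == imm) b.umin++;
        if (b.umax == imm) b.umax--;
    }
    return b;
}

/* Contrast case: a 64-bit compare that also adjusts the 32-bit range after
 * truncating imm, which is what the cast in the quoted macros amounts to. */
static struct bounds refine_ne_truncating(struct bounds b, uint64_t imm)
{
    b = refine_ne(b, imm, false);
    if (b.u32_min == (uint32_t)imm) b.u32_min++;
    if (b.u32_max == (uint32_t)imm) b.u32_max--;
    return b;
}

/* True when the concrete value x is still allowed by the tracked bounds. */
static bool contains(struct bounds b, uint64_t x)
{
    return x >= b.umin && x <= b.umax &&
           (uint32_t)x >= b.u32_min && (uint32_t)x <= b.u32_max;
}

int main(void)
{
    /* Constructed input: x != imm, yet both have a low word of 0. */
    struct bounds w = { 0, 0x200000000ULL, 0, UINT32_MAX };
    uint64_t imm = 0x100000000ULL, x = 0x200000000ULL;
    return (contains(refine_ne(w, imm, false), x) &&
            !contains(refine_ne_truncating(w, imm), x)) ? 0 : 1;
}
```

The program exits with 0 when the width-matched refinement keeps x in range and the truncating variant wrongly excludes it.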