On Fri, Nov 13, 2020 at 12:56:52AM +0100, Daniel Borkmann wrote:
> On 11/12/20 8:16 PM, John Fastabend wrote:
> > Alexei Starovoitov wrote:
> > > From: Alexei Starovoitov <a...@kernel.org>
> > >
> > > This patch adds the verifier support to recognize inlined branch
> > > conditions.
> > > The LLVM knows that the branch evaluates to the same value, but the
> > > verifier
> > > couldn't track it. Hence causing valid programs to be rejected.
> > > The potential LLVM workaround: https://reviews.llvm.org/D87428
> > > can have undesired side effects, since LLVM doesn't know that
> > > skb->data/data_end are being compared. LLVM has to introduce extra boolean
> > > variable and use inline_asm trick to force easier for the verifier
> > > assembly.
> > >
> > > Instead teach the verifier to recognize that
> > > r1 = skb->data;
> > > r1 += 10;
> > > r2 = skb->data_end;
> > > if (r1 > r2) {
> > > here r1 points beyond packet_end and
> > > subsequent
> > > if (r1 > r2) // always evaluates to "true".
> > > }
> > >
> > > Tested-by: Jiri Olsa <jo...@redhat.com>
> > > Signed-off-by: Alexei Starovoitov <a...@kernel.org>
> > > ---
> > > include/linux/bpf_verifier.h | 2 +-
> > > kernel/bpf/verifier.c | 129 +++++++++++++++++++++++++++++------
> > > 2 files changed, 108 insertions(+), 23 deletions(-)
> > >
> >
> > Thanks, we can remove another set of inline asm logic.
> >
> > Acked-by: John Fastabend <john.fastab...@gmail.com>
> > > if (pred >= 0) {
> > > @@ -7517,7 +7601,8 @@ static int check_cond_jmp_op(struct
> > > bpf_verifier_env *env,
> > > */
> > > if (!__is_pointer_value(false, dst_reg))
> > > err = mark_chain_precision(env, insn->dst_reg);
> > > - if (BPF_SRC(insn->code) == BPF_X && !err)
> > > + if (BPF_SRC(insn->code) == BPF_X && !err &&
> > > + !__is_pointer_value(false, src_reg))
> >
> > This could have been more specific with !type_is_pkt_pointer() correct? I
> > think its fine as is though.
> >
> > > err = mark_chain_precision(env, insn->src_reg);
> > > if (err)
> > > return err;
>
> Given the reg->range could now be negative, I wonder whether for the regsafe()
> pruning logic we should now better add a >=0 sanity check in there before we
> attempt to test on rold->range > rcur->range?
I thought about it and specifically picked negative range value to keep
regsafe() check as-is.
The check is this:
if (rold->range > rcur->range)
return false;
rold is the one that was safe in the past.
If rold was positive and the current is negative we fail here
which is ok. State pruning is conservative.
If rold was negative it means the previous state was safe even though that
pointer
was pointing beyond packet end. So it's ok for rcur->range to be anything.
Whether rcur is positive or negative doesn't matter. Everything is still ok.
If rold->range == -1 and rcur->range == -2 we fail here.
It's minor annoyance. State pruning is tiny bit more conservative than
necessary.
So I think no extra checks in regsafe() are neeeded.
Does it make sense?
