author | 2019-11-22 10:29:38 -0800 | |
---|---|---|
committer | 2019-11-24 16:58:46 -0800 | |
commit | 161f3cbcda06aa70faed6b703066fedbd7653e23 (patch) | |
tree | dc410e35bdb263512e095f64aed2456b19e132d8 /kernel | |
parent | selftests/bpf: Ensure core_reloc_kernel is reading test_progs's data only (diff) | |
parent | selftests/bpf: Add verifier tests for better jmp32 register bounds (diff) | |
Merge branch 'jmp32-reg-bounds'

Yonghong Song says:

====================
With latest llvm, bpf selftest test_progs, which has +alu32 enabled, failed for
strobemeta.o and a few other subtests. The reason is that the
verifier did not provide better var_off.mask after jmp32 instructions.
This patch set addressed this issue and after the fix, test_progs passed
with alu32.

Patch #1 provided detailed explanation of the problem and the fix.
Patch #2 added three tests in test_verifier.

Changelog:
 v1 -> v2:
 - do not directly manipulate tnum.{value,mask} in __reg_bound_offset32(),
   using tnum_lshift/tnum_rshift functions instead
 - do __reg_bound_offset32() after regular 64bit __reg_bound_offset()
   since the latter may give a better upper 32bit var_off, which can
   be inherited by __reg_bound_offset32().
====================

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to '')
-rw-r--r-- | kernel/bpf/verifier.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 9f59f7a19dd0..fc85714428c7 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1007,6 +1007,17 @@ static void __reg_bound_offset(struct bpf_reg_state *reg) reg->umax_value)); } +static void __reg_bound_offset32(struct bpf_reg_state *reg) +{ + u64 mask = 0xffffFFFF; + struct tnum range = tnum_range(reg->umin_value & mask, + reg->umax_value & mask); + struct tnum lo32 = tnum_cast(reg->var_off, 4); + struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32); + + reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range)); +} + /* Reset the min/max bounds of a register */ static void __mark_reg_unbounded(struct bpf_reg_state *reg) { @@ -5589,6 +5600,10 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, /* We might have learned some bits from the bounds. */ __reg_bound_offset(false_reg); __reg_bound_offset(true_reg); + if (is_jmp32) { + __reg_bound_offset32(false_reg); + __reg_bound_offset32(true_reg); + } /* Intersecting with the old var_off might have improved our bounds * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), * then new var_off is (0; 0x7f...fc) which improves our umax. @@ -5698,6 +5713,10 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, /* We might have learned some bits from the bounds. */ __reg_bound_offset(false_reg); __reg_bound_offset(true_reg); + if (is_jmp32) { + __reg_bound_offset32(false_reg); + __reg_bound_offset32(true_reg); + } /* Intersecting with the old var_off might have improved our bounds * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), * then new var_off is (0; 0x7f...fc) which improves our umax. |
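Review bot: In the first hunk, `tnum_range(reg->umin_value & mask, reg->umax_value & mask)` in __reg_bound_offset32() treats the truncated 64-bit bounds as bounds on the low 32 bits, which only holds when umin_value and umax_value have identical upper 32 bits. When the upper halves differ, the low word is not confined to that masked interval (the masked minimum can even exceed the masked maximum), so intersecting lo32 with it can mark bits in var_off as known when they are not. Suggest skipping the refinement unless `(reg->umin_value >> 32) == (reg->umax_value >> 32)`, or building the range from bounds that are valid for the 32-bit subregister, and stating that precondition in a comment above the function.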
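Review bot: The `if (is_jmp32) {` block added to reg_set_min_max() depends on running after the two __reg_bound_offset() calls, but nothing at the call site says so. The changelog gives the reason (the 64-bit pass may produce a better upper 32-bit var_off, which __reg_bound_offset32() then inherits); a short comment above the block recording that ordering would keep a later reshuffle from silently losing precision.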
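Review bot: The block added to reg_set_min_max_inv() is a verbatim copy of the one in reg_set_min_max(), including the two __reg_bound_offset() calls that precede it. Consider a small helper taking true_reg, false_reg and is_jmp32 so both callers share one sequence and the 64-bit-then-32-bit order lives in a single place.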