From: Yonghong Song <yhs@fb.com>
To: Shung-Hsi Yu <shung-hsi.yu@suse.com>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>
Subject: Re: [PATCH bpf-next 2/4] bpf: verifier: explain opcode check in check_ld_imm()
Date: Fri, 20 May 2022 17:25:36 -0700 [thread overview]
Message-ID: <0cf50c32-ab67-ef23-7b84-ef1d4e007c33@fb.com> (raw)
In-Reply-To: <f9511485-cda4-4e5e-fe1f-60ffe57e27d1@fb.com>
On 5/20/22 4:50 PM, Yonghong Song wrote:
>
>
> On 5/20/22 4:37 AM, Shung-Hsi Yu wrote:
>> The BPF_SIZE check in the beginning of check_ld_imm() actually guard
>> against program with JMP instructions that goes to the second
>> instruction of BPF_LD_IMM64, but may be easily dismissed as an simple
>> opcode check that's duplicating the effort of bpf_opcode_in_insntable().
>>
>> Add comment to better reflect the importance of the check.
>>
>> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
>> ---
>> kernel/bpf/verifier.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 79a2695ee2e2..133929751f80 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -9921,6 +9921,10 @@ static int check_ld_imm(struct bpf_verifier_env
>> *env, struct bpf_insn *insn)
>> struct bpf_map *map;
>> int err;
>> + /* checks that this is not the second part of BPF_LD_IMM64, which is
>> + * skipped over during opcode check, but a JMP with invalid
>> offset may
>> + * cause check_ld_imm() to be called upon it.
>> + */
>
> The check_ld_imm() call context is:
>
> } else if (class == BPF_LD) {
> u8 mode = BPF_MODE(insn->code);
>
> if (mode == BPF_ABS || mode == BPF_IND) {
> err = check_ld_abs(env, insn);
> if (err)
> return err;
>
> } else if (mode == BPF_IMM) {
> err = check_ld_imm(env, insn);
> if (err)
> return err;
>
> env->insn_idx++;
> sanitize_mark_insn_seen(env);
> } else {
> verbose(env, "invalid BPF_LD mode\n");
> return -EINVAL;
> }
> }
>
> which is a normal checking of LD_imm64 insn.
>
> I think the to-be-added comment is incorrect and unnecessary.
Okay, double check again and now I understand what happens
when hitting the second insn of ldimm64 with a branch target.
Here we have BPF_LD = 0 and BPF_IMM = 0, so for a branch
target to the 2nd part of ldimm64, it will come to
check_ld_imm() and have error "invalid BPF_LD_IMM insn"
So check_ld_imm() is to check whether the insn is a
*legal* insn for the first part of ldimm64.
So the comment may be rewritten as below.
This is to verify whether an insn is a BPF_LD_IMM64
or not. But since BPF_LD = 0 and BPF_IMM = 0, if the branch
target comes to the second part of BPF_LD_IMM64,
the control may come here as well.
>
>> if (BPF_SIZE(insn->code) != BPF_DW) {
>> verbose(env, "invalid BPF_LD_IMM insn\n");
>> return -EINVAL;
next prev parent reply other threads:[~2022-05-21 0:26 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-20 11:37 [PATCH bpf-next 0/4] bpf: verifier: remove redundant opcode checks Shung-Hsi Yu
2022-05-20 11:37 ` [PATCH bpf-next 1/4] bpf: verifier: update resolve_pseudo_ldimm64() comment Shung-Hsi Yu
2022-05-20 11:37 ` [PATCH bpf-next 2/4] bpf: verifier: explain opcode check in check_ld_imm() Shung-Hsi Yu
2022-05-20 23:50 ` Yonghong Song
2022-05-21 0:25 ` Yonghong Song [this message]
2022-05-24 7:10 ` Shung-Hsi Yu
2022-05-24 15:12 ` Alexei Starovoitov
2022-05-26 8:59 ` Shung-Hsi Yu
2022-05-20 11:37 ` [PATCH bpf-next 3/4] bpf: verifier: remove redundant opcode checks Shung-Hsi Yu
2022-05-20 22:46 ` Alexei Starovoitov
2022-05-20 11:37 ` [PATCH bpf-next 4/4] selftests/bpf: add reason of rejection in ld_imm64 Shung-Hsi Yu
2022-05-21 0:27 ` Yonghong Song
2022-05-24 4:49 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0cf50c32-ab67-ef23-7b84-ef1d4e007c33@fb.com \
--to=yhs@fb.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=shung-hsi.yu@suse.com \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.