Re: [PATCH v4 bpf-next 08/14] bpf: introduce the bpf_get_local_storage() helper function

From: Daniel Borkmann <daniel@iogearbox.net>
To: Roman Gushchin <guro@fb.com>, netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, kernel-team@fb.com,
	Alexei Starovoitov <ast@kernel.org>
Subject: Re: [PATCH v4 bpf-next 08/14] bpf: introduce the bpf_get_local_storage() helper function
Date: Wed, 1 Aug 2018 00:50:16 +0200	[thread overview]
Message-ID: <ad6c58e3-08a8-aa9c-2d69-528007fe126e@iogearbox.net> (raw)
In-Reply-To: <20180727215243.3850-9-guro@fb.com>

On 07/27/2018 11:52 PM, Roman Gushchin wrote:
[...]
> @@ -2533,6 +2541,16 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
>  	}
>  
>  	regs = cur_regs(env);
> +
> +	/* check that flags argument in get_local_storage(map, flags) is 0,
> +	 * this is required because get_local_storage() can't return an error.
> +	 */
> +	if (func_id == BPF_FUNC_get_local_storage &&
> +	    !tnum_equals_const(regs[BPF_REG_2].var_off, 0)) {
> +		verbose(env, "get_local_storage() doesn't support non-zero flags\n");
> +		return -EINVAL;
> +	}

Hmm, this check is actually not correct. You will still be able to pass non-zero
values in there. arg2_type from the helper is ARG_ANYTHING, so the register type
could for example be one of the pointer types and it will still pass the verifier.
The correct way to check would be to use register_is_null().

> +
>  	/* reset caller saved regs */
>  	for (i = 0; i < CALLER_SAVED_REGS; i++) {
>  		mark_reg_not_init(env, regs, caller_saved[i]);