From: Edward Cree <ecree@solarflare.com>
To: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: <netdev@vger.kernel.org>, <oss-drivers@netronome.com>,
<alexei.starovoitov@gmail.com>, <daniel@iogearbox.net>
Subject: Re: [PATCH net] bpf: disallow arithmetic operations on context pointer
Date: Mon, 16 Oct 2017 17:47:45 +0100 [thread overview]
Message-ID: <e2c4322a-301f-47f9-d102-725138d1bf67@solarflare.com> (raw)
In-Reply-To: <20171016093043.36fcfedc@cakuba.netronome.com>
On 16/10/17 17:30, Jakub Kicinski wrote:
> On Mon, 16 Oct 2017 17:16:24 +0100, Edward Cree wrote:
>> On 16/10/17 16:45, Jakub Kicinski wrote:
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 8b8d6ba39e23..8499759d0c7a 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -1116,7 +1116,12 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>>> /* ctx accesses must be at a fixed offset, so that we can
>>> * determine what type of data were returned.
>>> */
>>> - if (!tnum_is_const(reg->var_off)) {
>>> + if (reg->off) {
>>> + verbose("derefence of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not\n",
>> This is slightly unclear, it's not that two adds is bad (e.g. r1 += 8;
>> r0 = *(u32 *)r1 is bad too), it's that the offset must be in the load,
>> not the register; your message might be accurate for some compilers but
>> not in full generality (especially for assemblers without compiling).
> I'm happy to hear better suggestions :) I've spent quite a bit of time
> scratching my head thinking how to phrase this best. The first
> part of the message is general enough IMHO, the second is targeted
> mostly at C developers.
Hmm, what really bugs me is that if e.g. the compiler turned
*(ctx + 4 + 4)
or
ctx[4 + 4]
or even
ctx->arraymemb[4]
into this kind of arithmetic on ctx, arguably that would be a bug in the
compiler — if it's doing proper constexpr folding on its IR (or something
along those lines) it should be able to turn them all into good LDX. The
same even goes for if (ctx + 4) got stored in a local, because there's no
reason that has to map to a register.
So it's not even that "your C source breaks the rules", it's that "your C
compiler did something silly that we don't handle".
Maybe the message should be "compiler maybe mishandled ctx+const+const"?
-Ed
next prev parent reply other threads:[~2017-10-16 16:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 15:45 [PATCH net] bpf: disallow arithmetic operations on context pointer Jakub Kicinski
2017-10-16 16:16 ` Edward Cree
2017-10-16 16:30 ` Jakub Kicinski
2017-10-16 16:47 ` Edward Cree [this message]
2017-10-16 17:06 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2c4322a-301f-47f9-d102-725138d1bf67@solarflare.com \
--to=ecree@solarflare.com \
--cc=alexei.starovoitov@gmail.com \
--cc=daniel@iogearbox.net \
--cc=jakub.kicinski@netronome.com \
--cc=netdev@vger.kernel.org \
--cc=oss-drivers@netronome.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.