bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: John Fastabend <john.fastabend@gmail.com>
To: yhs@fb.com, alexei.starovoitov@gmail.com, daniel@iogearbox.net
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, john.fastabend@gmail.com
Subject: [RFC bpf PATCH 0/4] rfc for 32-bit subreg verifier tracking
Date: Sat, 07 Mar 2020 00:10:23 +0000	[thread overview]
Message-ID: <158353965971.3451.14666851223845760316.stgit@ubuntu3-kvm2> (raw)

This series adds 32-bit subreg bounds support to the verifier. This is the
fallout from trying to apply patch 3/4 to fix return value refinement.
With the fix it turned out some code code that _should_ pass the
verifier no longer worked. The root cause of this (see patch 4/4 for
detailed trace) was improper tracking of the 32-bit subreg values. So
that even if a program zero'd the upper 32-bits we wouldn't actually
psas the program.

I tried various other half-measures before I decided it was best to
do proper 32-bit bounds tracking. Each time I tried to "hack" the
result I wanted in the interest of minimal code changes I ended up
with something that was both ugly and usually only matched a small
subset of patterns. Also, in general I'm against pattern matching
special cases because it ends up buggy/broken usually as soon as
we get code in the wild that doesn't do the exact thing we pattern

So end result is u32_{min|max}_value, s32_{min|max}_value,
and var32_off bounds tracking. See patch 2/4 for the details and a few
questions we should address in the RFC while I write up some more
test cases.

After this series we can do some nice cleanup in *next branch. For
example, add proper types for int return values so we can be more
precise. And flush out some additional logic in the ALU ops to
track rsh, lsh, arsh better.

Please, take a look at patch 2 for a couple design questions.

RFC because, needs a bit more review on my part, a couple cleanup
lines still in 2/4, still need to run test_progs all the way
through I missed a bunch due to missing kernel config options, and
want to write a couple verifier tests to catch the subtle cases.

I thought it would be best to get some early/quick review feedback
while I work on the tests. It does pass test_verifier though in
current state.



John Fastabend (4):
      bpf: verifer, refactor adjust_scalar_min_max_vals
      bpf: verifier, do explicit u32 bounds tracking
      bpf: verifier, do_refine_retval_range may clamp umin to 0 incorrectly
      bpf: selftests, bpf_get_stack return value add <0

 tools/testing/selftests/bpf/test_verifier.c        |    2 +-
 .../testing/selftests/bpf/verifier/bpf_get_stack.c |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)


             reply	other threads:[~2020-03-07  0:10 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-07  0:10 John Fastabend [this message]
2020-03-07  0:10 ` [RFC PATCH 1/4] bpf: verifer, refactor adjust_scalar_min_max_vals John Fastabend
2020-03-07  0:11 ` [RFC PATCH 2/4] bpf: verifier, do explicit u32 bounds tracking John Fastabend
2020-03-07  0:22   ` John Fastabend
2020-03-09  5:39     ` Yonghong Song
2020-03-09 23:58   ` Alexei Starovoitov
2020-03-10 17:04     ` John Fastabend
2020-03-10 17:12     ` Edward Cree
2020-03-10 19:24       ` John Fastabend
2020-03-10 19:41         ` Edward Cree
2020-03-10 17:52   ` Yonghong Song
2020-03-10 19:54     ` John Fastabend
2020-03-07  0:11 ` [RFC PATCH 3/4] bpf: verifier, do_refine_retval_range may clamp umin to 0 incorrectly John Fastabend
2020-03-07  0:11 ` [RFC PATCH 4/4] bpf: selftests, bpf_get_stack return value add <0 John Fastabend

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=158353965971.3451.14666851223845760316.stgit@ubuntu3-kvm2 \
    --to=john.fastabend@gmail.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=netdev@vger.kernel.org \
    --cc=yhs@fb.com \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).