From: "Björn Töpel" <bjorn.topel@gmail.com>
To: Luke Nelson <lukenels@cs.washington.edu>
Cc: bpf <bpf@vger.kernel.org>, Xi Wang <xi.wang@gmail.com>,
Luke Nelson <luke.r.nels@gmail.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@chromium.org>, Netdev <netdev@vger.kernel.org>,
linux-riscv@lists.infradead.org,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf] riscv, bpf: Fix offset range checking for auipc+jalr on RV64
Date: Wed, 8 Apr 2020 07:39:06 +0200 [thread overview]
Message-ID: <CAJ+HfNh=VDeXJQ3iYHDEXAd1xB_YPShnJyqsW4OmRE=VLAMuuw@mail.gmail.com> (raw)
In-Reply-To: <20200406221604.18547-1-luke.r.nels@gmail.com>
On Tue, 7 Apr 2020 at 00:16, Luke Nelson <lukenels@cs.washington.edu> wrote:
>
> The existing code in emit_call on RV64 checks that the PC-relative offset
> to the function fits in 32 bits before calling emit_jump_and_link to emit
> an auipc+jalr pair. However, this check is incorrect because offsets in
> the range [2^31 - 2^11, 2^31 - 1] cannot be encoded using auipc+jalr on
> RV64 (see discussion [1]). The RISC-V spec has recently been updated
> to reflect this fact [2, 3].
>
> This patch fixes the problem by moving the check on the offset into
> emit_jump_and_link and modifying it to the correct range of encodable
> offsets, which is [-2^31 - 2^11, 2^31 - 2^11). This also enforces the
> check on the offset to other uses of emit_jump_and_link (e.g., BPF_JA)
> as well.
>
> Currently, this bug is unlikely to be triggered, because the memory
> region from which JITed images are allocated is close enough to kernel
> text for the offsets to not become too large; and because the bounds on
> BPF program size are small enough. This patch prevents this problem from
> becoming an issue if either of these change.
>
> [1]: https://groups.google.com/a/groups.riscv.org/forum/#!topic/isa-dev/bwWFhBnnZFQ
> [2]: https://github.com/riscv/riscv-isa-manual/commit/b1e42e09ac55116dbf9de5e4fb326a5a90e4a993
> [3]: https://github.com/riscv/riscv-isa-manual/commit/4c1b2066ebd2965a422e41eb262d0a208a7fea07
>
Wow! Interesting! Thanks for fixing this!
Too late to Ack, but still:
Acked-by: Björn Töpel <bjorn.topel@gmail.com>
> Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
> ---
> arch/riscv/net/bpf_jit_comp64.c | 49 +++++++++++++++++++++------------
> 1 file changed, 32 insertions(+), 17 deletions(-)
>
> diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
> index cc1985d8750a..d208a9fd6c52 100644
> --- a/arch/riscv/net/bpf_jit_comp64.c
> +++ b/arch/riscv/net/bpf_jit_comp64.c
> @@ -110,6 +110,16 @@ static bool is_32b_int(s64 val)
> return -(1L << 31) <= val && val < (1L << 31);
> }
>
> +static bool in_auipc_jalr_range(s64 val)
> +{
> + /*
> + * auipc+jalr can reach any signed PC-relative offset in the range
> + * [-2^31 - 2^11, 2^31 - 2^11).
> + */
> + return (-(1L << 31) - (1L << 11)) <= val &&
> + val < ((1L << 31) - (1L << 11));
> +}
> +
> static void emit_imm(u8 rd, s64 val, struct rv_jit_context *ctx)
> {
> /* Note that the immediate from the add is sign-extended,
> @@ -380,20 +390,24 @@ static void emit_sext_32_rd(u8 *rd, struct rv_jit_context *ctx)
> *rd = RV_REG_T2;
> }
>
> -static void emit_jump_and_link(u8 rd, s64 rvoff, bool force_jalr,
> - struct rv_jit_context *ctx)
> +static int emit_jump_and_link(u8 rd, s64 rvoff, bool force_jalr,
> + struct rv_jit_context *ctx)
> {
> s64 upper, lower;
>
> if (rvoff && is_21b_int(rvoff) && !force_jalr) {
> emit(rv_jal(rd, rvoff >> 1), ctx);
> - return;
> + return 0;
> + } else if (in_auipc_jalr_range(rvoff)) {
> + upper = (rvoff + (1 << 11)) >> 12;
> + lower = rvoff & 0xfff;
> + emit(rv_auipc(RV_REG_T1, upper), ctx);
> + emit(rv_jalr(rd, RV_REG_T1, lower), ctx);
> + return 0;
> }
>
> - upper = (rvoff + (1 << 11)) >> 12;
> - lower = rvoff & 0xfff;
> - emit(rv_auipc(RV_REG_T1, upper), ctx);
> - emit(rv_jalr(rd, RV_REG_T1, lower), ctx);
> + pr_err("bpf-jit: target offset 0x%llx is out of range\n", rvoff);
> + return -ERANGE;
> }
>
> static bool is_signed_bpf_cond(u8 cond)
> @@ -407,18 +421,16 @@ static int emit_call(bool fixed, u64 addr, struct rv_jit_context *ctx)
> s64 off = 0;
> u64 ip;
> u8 rd;
> + int ret;
>
> if (addr && ctx->insns) {
> ip = (u64)(long)(ctx->insns + ctx->ninsns);
> off = addr - ip;
> - if (!is_32b_int(off)) {
> - pr_err("bpf-jit: target call addr %pK is out of range\n",
> - (void *)addr);
> - return -ERANGE;
> - }
> }
>
> - emit_jump_and_link(RV_REG_RA, off, !fixed, ctx);
> + ret = emit_jump_and_link(RV_REG_RA, off, !fixed, ctx);
> + if (ret)
> + return ret;
> rd = bpf_to_rv_reg(BPF_REG_0, ctx);
> emit(rv_addi(rd, RV_REG_A0, 0), ctx);
> return 0;
> @@ -429,7 +441,7 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
> {
> bool is64 = BPF_CLASS(insn->code) == BPF_ALU64 ||
> BPF_CLASS(insn->code) == BPF_JMP;
> - int s, e, rvoff, i = insn - ctx->prog->insnsi;
> + int s, e, rvoff, ret, i = insn - ctx->prog->insnsi;
> struct bpf_prog_aux *aux = ctx->prog->aux;
> u8 rd = -1, rs = -1, code = insn->code;
> s16 off = insn->off;
> @@ -699,7 +711,9 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
> /* JUMP off */
> case BPF_JMP | BPF_JA:
> rvoff = rv_offset(i, off, ctx);
> - emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
> + ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
> + if (ret)
> + return ret;
> break;
>
> /* IF (dst COND src) JUMP off */
> @@ -801,7 +815,6 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
> case BPF_JMP | BPF_CALL:
> {
> bool fixed;
> - int ret;
> u64 addr;
>
> mark_call(ctx);
> @@ -826,7 +839,9 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
> break;
>
> rvoff = epilogue_offset(ctx);
> - emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
> + ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
> + if (ret)
> + return ret;
> break;
>
> /* dst = imm64 */
> --
> 2.17.1
>
prev parent reply other threads:[~2020-04-08 5:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-06 22:16 [PATCH bpf] riscv, bpf: Fix offset range checking for auipc+jalr on RV64 Luke Nelson
2020-04-07 23:44 ` Daniel Borkmann
2020-04-08 5:39 ` Björn Töpel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ+HfNh=VDeXJQ3iYHDEXAd1xB_YPShnJyqsW4OmRE=VLAMuuw@mail.gmail.com' \
--to=bjorn.topel@gmail.com \
--cc=andriin@fb.com \
--cc=aou@eecs.berkeley.edu \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=luke.r.nels@gmail.com \
--cc=lukenels@cs.washington.edu \
--cc=netdev@vger.kernel.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=songliubraving@fb.com \
--cc=xi.wang@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).