Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`

From: Andrii Nakryiko
Date: Wed Nov 01 2023 - 16:57:50 EST

Next message: Hamza Mahfooz: "[PATCH] drm/edid: add a quirk for two 240Hz Samsung monitors"
Previous message: Al Viro: "Re: [PATCH] rxrpc_find_service_conn_rcu: use read_seqbegin() rather than read_seqbegin_or_lock()"
In reply to: Hao Sun: "bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Next in thread: Hao Sun: "Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 1, 2023 at 6:56 AM Hao Sun <sunhao.th@xxxxxxxxx> wrote:
>
> Hi,
>
> The verifier incorrectly rejects the following prog in check_cfg() when
> loading with root with confusing log `back-edge insn from 7 to 8`:
> /* 0: r9 = 2
> * 1: r3 = 0x20
> * 2: r4 = 0x35
> * 3: r8 = r4
> * 4: goto+3
> * 5: r9 -= r3
> * 6: r9 -= r4
> * 7: r9 -= r8
> * 8: r8 += r4
> * 9: if r8 < 0x64 goto-5
> * 10: r0 = r9
> * 11: exit
> * */
> BPF_MOV64_IMM(BPF_REG_9, 2),
> BPF_MOV64_IMM(BPF_REG_3, 0x20),
> BPF_MOV64_IMM(BPF_REG_4, 0x35),
> BPF_MOV64_REG(BPF_REG_8, BPF_REG_4),
> BPF_JMP_IMM(BPF_JA, 0, 0, 3),
> BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_3),
> BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_4),
> BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
> BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_4),
> BPF_JMP32_IMM(BPF_JLT, BPF_REG_8, 0x68, -5),
> BPF_MOV64_REG(BPF_REG_0, BPF_REG_9),
> BPF_EXIT_INSN()
>
> -------- Verifier Log --------
> func#0 @0
> back-edge from insn 7 to 8
> processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0
> peak_states 0 mark_read 0
>
> This is not intentionally rejected, right?

The way you wrote it, with goto +3, yes, it's intentional. Note that
you'll get different results in privileged and unprivileged modes.
Privileged mode allows "bounded loops" logic, so it doesn't
immediately reject this program, and then later sees that r8 is always
< 0x64, so program is correct.

But in unprivileged mode the rules are different, and this conditional
back edge is not allowed, which is probably what you are getting.

It's actually confusing and your "back-edge from insn 7 to 8" is out
of date and doesn't correspond to your program, you should see
"back-edge from insn 11 to 7", please double check.

Anyways, while I was looking into this, I realized that ldimm64 isn't
handled exactly correctly in check_cfg(), so I just sent a fix. It
also adds a nicer detection of jumping into the middle of the ldimm64
instruction, which I believe is something you were advocating for.

>
> Best
> Hao

Next message: Hamza Mahfooz: "[PATCH] drm/edid: add a quirk for two 240Hz Samsung monitors"
Previous message: Al Viro: "Re: [PATCH] rxrpc_find_service_conn_rcu: use read_seqbegin() rather than read_seqbegin_or_lock()"
In reply to: Hao Sun: "bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Next in thread: Hao Sun: "Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]