Re: [PATCH v2 bpf-next 2/2] selftests/bpf: add inline assembly helpers to access array elements

From: Alexei Starovoitov
Date: Tue Jan 09 2024 - 20:07:23 EST


On Tue, Jan 9, 2024 at 5:02 PM Barret Rhoden <brho@xxxxxxxxxx> wrote:
>
> On 1/4/24 16:30, Barret Rhoden wrote:
> [snip]
> >>
> >> The LLVM bpf backend has made some improvement to handle the case like
> >> r1 = ...
> >> r2 = r1 + 1
> >> if (r2 < num) ...
> >> using r1
> >> by preventing generating the above code pattern.
> >>
> >> The implementation is a pattern-matching style, so surely it won't be
> >> able to cover all cases.
> >>
> >> Do you have specific examples which have verification failures due to
> >> false array out-of-bound access?
> >
> [ snip ]
>
> >
> > I'll play around and see if I can come up with a selftest that can run
> > into any of these "you did the check, but threw the check away" scenarios.
>
> I got an example for this, and will include it in my next patch version,
> which I'll CC you on.
>
> If we can get the compiler to spill the register r1 to the stack (L11 in
> the asm below), it might spill it before doing the bounds check. Then
> it checks the register (L12), but the verifier doesn't know that applies
> to the stack variable too. Later, we refill r1 from the stack (L21).

This is a known issue.
It's addressed as part of Maxim's series:
https://patchwork.kernel.org/user/todo/netdevbpf/?series=815208