mirror of
https://github.com/Fishwaldo/Star64_linux.git
synced 2025-04-11 00:44:01 +00:00
bpf: enhance verifier to understand stack pointer arithmetic
llvm 4.0 and above generates the code like below: .... 440: (b7) r1 = 15 441: (05) goto pc+73 515: (79) r6 = *(u64 *)(r10 -152) 516: (bf) r7 = r10 517: (07) r7 += -112 518: (bf) r2 = r7 519: (0f) r2 += r1 520: (71) r1 = *(u8 *)(r8 +0) 521: (73) *(u8 *)(r2 +45) = r1 .... and the verifier complains "R2 invalid mem access 'inv'" for insn #521. This is because verifier marks register r2 as unknown value after #519 where r2 is a stack pointer and r1 holds a constant value. Teach verifier to recognize "stack_ptr + imm" and "stack_ptr + reg with const val" as valid stack_ptr with new offset. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Martin KaFai Lau <kafai@fb.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Yonghong Song
David S. Miller
parent
2faf265753
commit
332270fdc8
2 changed files with 23 additions and 6 deletions
|
|
@ -1922,6 +1922,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
|
||||||
dst_reg->type = PTR_TO_STACK;
|
dst_reg->type = PTR_TO_STACK;
|
||||||
dst_reg->imm = insn->imm;
|
dst_reg->imm = insn->imm;
|
||||||
return 0;
|
return 0;
|
||||||
|
} else if (opcode == BPF_ADD &&
|
||||||
|
BPF_CLASS(insn->code) == BPF_ALU64 &&
|
||||||
|
dst_reg->type == PTR_TO_STACK &&
|
||||||
|
((BPF_SRC(insn->code) == BPF_X &&
|
||||||
|
regs[insn->src_reg].type == CONST_IMM) ||
|
||||||
|
BPF_SRC(insn->code) == BPF_K)) {
|
||||||
|
if (BPF_SRC(insn->code) == BPF_X)
|
||||||
|
dst_reg->imm += regs[insn->src_reg].imm;
|
||||||
|
else
|
||||||
|
dst_reg->imm += insn->imm;
|
||||||
|
return 0;
|
||||||
} else if (opcode == BPF_ADD &&
|
} else if (opcode == BPF_ADD &&
|
||||||
BPF_CLASS(insn->code) == BPF_ALU64 &&
|
BPF_CLASS(insn->code) == BPF_ALU64 &&
|
||||||
(dst_reg->type == PTR_TO_PACKET ||
|
(dst_reg->type == PTR_TO_PACKET ||
|
||||||
|
|
|
||||||
|
|
@ -1932,16 +1932,22 @@ static struct bpf_test tests[] = {
|
||||||
.result = ACCEPT,
|
.result = ACCEPT,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"unpriv: obfuscate stack pointer",
|
"stack pointer arithmetic",
|
||||||
.insns = {
|
.insns = {
|
||||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
BPF_MOV64_IMM(BPF_REG_1, 4),
|
||||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
||||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
|
||||||
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
|
||||||
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
|
||||||
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
|
||||||
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
|
||||||
|
BPF_ST_MEM(0, BPF_REG_2, 4, 0),
|
||||||
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
|
||||||
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
|
||||||
|
BPF_ST_MEM(0, BPF_REG_2, 4, 0),
|
||||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||||
BPF_EXIT_INSN(),
|
BPF_EXIT_INSN(),
|
||||||
},
|
},
|
||||||
.errstr_unpriv = "R2 pointer arithmetic",
|
|
||||||
.result_unpriv = REJECT,
|
|
||||||
.result = ACCEPT,
|
.result = ACCEPT,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue