]>
Commit | Line | Data |
---|---|---|
51580e79 | 1 | /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com |
969bf05e | 2 | * Copyright (c) 2016 Facebook |
fd978bf7 | 3 | * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io |
51580e79 AS |
4 | * |
5 | * This program is free software; you can redistribute it and/or | |
6 | * modify it under the terms of version 2 of the GNU General Public | |
7 | * License as published by the Free Software Foundation. | |
8 | * | |
9 | * This program is distributed in the hope that it will be useful, but | |
10 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
12 | * General Public License for more details. | |
13 | */ | |
838e9690 | 14 | #include <uapi/linux/btf.h> |
51580e79 AS |
15 | #include <linux/kernel.h> |
16 | #include <linux/types.h> | |
17 | #include <linux/slab.h> | |
18 | #include <linux/bpf.h> | |
838e9690 | 19 | #include <linux/btf.h> |
58e2af8b | 20 | #include <linux/bpf_verifier.h> |
51580e79 AS |
21 | #include <linux/filter.h> |
22 | #include <net/netlink.h> | |
23 | #include <linux/file.h> | |
24 | #include <linux/vmalloc.h> | |
ebb676da | 25 | #include <linux/stringify.h> |
cc8b0b92 AS |
26 | #include <linux/bsearch.h> |
27 | #include <linux/sort.h> | |
c195651e | 28 | #include <linux/perf_event.h> |
51580e79 | 29 | |
f4ac7e0b JK |
30 | #include "disasm.h" |
31 | ||
00176a34 JK |
32 | static const struct bpf_verifier_ops * const bpf_verifier_ops[] = { |
33 | #define BPF_PROG_TYPE(_id, _name) \ | |
34 | [_id] = & _name ## _verifier_ops, | |
35 | #define BPF_MAP_TYPE(_id, _ops) | |
36 | #include <linux/bpf_types.h> | |
37 | #undef BPF_PROG_TYPE | |
38 | #undef BPF_MAP_TYPE | |
39 | }; | |
40 | ||
51580e79 AS |
41 | /* bpf_check() is a static code analyzer that walks eBPF program |
42 | * instruction by instruction and updates register/stack state. | |
43 | * All paths of conditional branches are analyzed until 'bpf_exit' insn. | |
44 | * | |
45 | * The first pass is depth-first-search to check that the program is a DAG. | |
46 | * It rejects the following programs: | |
47 | * - larger than BPF_MAXINSNS insns | |
48 | * - if loop is present (detected via back-edge) | |
49 | * - unreachable insns exist (shouldn't be a forest. program = one function) | |
50 | * - out of bounds or malformed jumps | |
51 | * The second pass is all possible path descent from the 1st insn. | |
52 | * Since it's analyzing all pathes through the program, the length of the | |
eba38a96 | 53 | * analysis is limited to 64k insn, which may be hit even if total number of |
51580e79 AS |
54 | * insn is less then 4K, but there are too many branches that change stack/regs. |
55 | * Number of 'branches to be analyzed' is limited to 1k | |
56 | * | |
57 | * On entry to each instruction, each register has a type, and the instruction | |
58 | * changes the types of the registers depending on instruction semantics. | |
59 | * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is | |
60 | * copied to R1. | |
61 | * | |
62 | * All registers are 64-bit. | |
63 | * R0 - return register | |
64 | * R1-R5 argument passing registers | |
65 | * R6-R9 callee saved registers | |
66 | * R10 - frame pointer read-only | |
67 | * | |
68 | * At the start of BPF program the register R1 contains a pointer to bpf_context | |
69 | * and has type PTR_TO_CTX. | |
70 | * | |
71 | * Verifier tracks arithmetic operations on pointers in case: | |
72 | * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
73 | * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20), | |
74 | * 1st insn copies R10 (which has FRAME_PTR) type into R1 | |
75 | * and 2nd arithmetic instruction is pattern matched to recognize | |
76 | * that it wants to construct a pointer to some element within stack. | |
77 | * So after 2nd insn, the register R1 has type PTR_TO_STACK | |
78 | * (and -20 constant is saved for further stack bounds checking). | |
79 | * Meaning that this reg is a pointer to stack plus known immediate constant. | |
80 | * | |
f1174f77 | 81 | * Most of the time the registers have SCALAR_VALUE type, which |
51580e79 | 82 | * means the register has some value, but it's not a valid pointer. |
f1174f77 | 83 | * (like pointer plus pointer becomes SCALAR_VALUE type) |
51580e79 AS |
84 | * |
85 | * When verifier sees load or store instructions the type of base register | |
c64b7983 JS |
86 | * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are |
87 | * four pointer types recognized by check_mem_access() function. | |
51580e79 AS |
88 | * |
89 | * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value' | |
90 | * and the range of [ptr, ptr + map's value_size) is accessible. | |
91 | * | |
92 | * registers used to pass values to function calls are checked against | |
93 | * function argument constraints. | |
94 | * | |
95 | * ARG_PTR_TO_MAP_KEY is one of such argument constraints. | |
96 | * It means that the register type passed to this function must be | |
97 | * PTR_TO_STACK and it will be used inside the function as | |
98 | * 'pointer to map element key' | |
99 | * | |
100 | * For example the argument constraints for bpf_map_lookup_elem(): | |
101 | * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, | |
102 | * .arg1_type = ARG_CONST_MAP_PTR, | |
103 | * .arg2_type = ARG_PTR_TO_MAP_KEY, | |
104 | * | |
105 | * ret_type says that this function returns 'pointer to map elem value or null' | |
106 | * function expects 1st argument to be a const pointer to 'struct bpf_map' and | |
107 | * 2nd argument should be a pointer to stack, which will be used inside | |
108 | * the helper function as a pointer to map element key. | |
109 | * | |
110 | * On the kernel side the helper function looks like: | |
111 | * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) | |
112 | * { | |
113 | * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1; | |
114 | * void *key = (void *) (unsigned long) r2; | |
115 | * void *value; | |
116 | * | |
117 | * here kernel can access 'key' and 'map' pointers safely, knowing that | |
118 | * [key, key + map->key_size) bytes are valid and were initialized on | |
119 | * the stack of eBPF program. | |
120 | * } | |
121 | * | |
122 | * Corresponding eBPF program may look like: | |
123 | * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR | |
124 | * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK | |
125 | * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP | |
126 | * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
127 | * here verifier looks at prototype of map_lookup_elem() and sees: | |
128 | * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok, | |
129 | * Now verifier knows that this map has key of R1->map_ptr->key_size bytes | |
130 | * | |
131 | * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far, | |
132 | * Now verifier checks that [R2, R2 + map's key_size) are within stack limits | |
133 | * and were initialized prior to this call. | |
134 | * If it's ok, then verifier allows this BPF_CALL insn and looks at | |
135 | * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets | |
136 | * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function | |
137 | * returns ether pointer to map value or NULL. | |
138 | * | |
139 | * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off' | |
140 | * insn, the register holding that pointer in the true branch changes state to | |
141 | * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false | |
142 | * branch. See check_cond_jmp_op(). | |
143 | * | |
144 | * After the call R0 is set to return type of the function and registers R1-R5 | |
145 | * are set to NOT_INIT to indicate that they are no longer readable. | |
fd978bf7 JS |
146 | * |
147 | * The following reference types represent a potential reference to a kernel | |
148 | * resource which, after first being allocated, must be checked and freed by | |
149 | * the BPF program: | |
150 | * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET | |
151 | * | |
152 | * When the verifier sees a helper call return a reference type, it allocates a | |
153 | * pointer id for the reference and stores it in the current function state. | |
154 | * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into | |
155 | * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type | |
156 | * passes through a NULL-check conditional. For the branch wherein the state is | |
157 | * changed to CONST_IMM, the verifier releases the reference. | |
6acc9b43 JS |
158 | * |
159 | * For each helper function that allocates a reference, such as | |
160 | * bpf_sk_lookup_tcp(), there is a corresponding release function, such as | |
161 | * bpf_sk_release(). When a reference type passes into the release function, | |
162 | * the verifier also releases the reference. If any unchecked or unreleased | |
163 | * reference remains at the end of the program, the verifier rejects it. | |
51580e79 AS |
164 | */ |
165 | ||
17a52670 | 166 | /* verifier_state + insn_idx are pushed to stack when branch is encountered */ |
58e2af8b | 167 | struct bpf_verifier_stack_elem { |
17a52670 AS |
168 | /* verifer state is 'st' |
169 | * before processing instruction 'insn_idx' | |
170 | * and after processing instruction 'prev_insn_idx' | |
171 | */ | |
58e2af8b | 172 | struct bpf_verifier_state st; |
17a52670 AS |
173 | int insn_idx; |
174 | int prev_insn_idx; | |
58e2af8b | 175 | struct bpf_verifier_stack_elem *next; |
cbd35700 AS |
176 | }; |
177 | ||
8e17c1b1 | 178 | #define BPF_COMPLEXITY_LIMIT_INSNS 131072 |
07016151 DB |
179 | #define BPF_COMPLEXITY_LIMIT_STACK 1024 |
180 | ||
c93552c4 DB |
181 | #define BPF_MAP_PTR_UNPRIV 1UL |
182 | #define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \ | |
183 | POISON_POINTER_DELTA)) | |
184 | #define BPF_MAP_PTR(X) ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV)) | |
185 | ||
186 | static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux) | |
187 | { | |
188 | return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON; | |
189 | } | |
190 | ||
191 | static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux) | |
192 | { | |
193 | return aux->map_state & BPF_MAP_PTR_UNPRIV; | |
194 | } | |
195 | ||
196 | static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux, | |
197 | const struct bpf_map *map, bool unpriv) | |
198 | { | |
199 | BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV); | |
200 | unpriv |= bpf_map_ptr_unpriv(aux); | |
201 | aux->map_state = (unsigned long)map | | |
202 | (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL); | |
203 | } | |
fad73a1a | 204 | |
33ff9823 DB |
205 | struct bpf_call_arg_meta { |
206 | struct bpf_map *map_ptr; | |
435faee1 | 207 | bool raw_mode; |
36bbef52 | 208 | bool pkt_access; |
435faee1 DB |
209 | int regno; |
210 | int access_size; | |
849fa506 YS |
211 | s64 msize_smax_value; |
212 | u64 msize_umax_value; | |
fd978bf7 | 213 | int ptr_id; |
33ff9823 DB |
214 | }; |
215 | ||
cbd35700 AS |
216 | static DEFINE_MUTEX(bpf_verifier_lock); |
217 | ||
77d2e05a MKL |
218 | void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, |
219 | va_list args) | |
cbd35700 | 220 | { |
a2a7d570 | 221 | unsigned int n; |
cbd35700 | 222 | |
a2a7d570 | 223 | n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); |
a2a7d570 JK |
224 | |
225 | WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, | |
226 | "verifier log line truncated - local buffer too short\n"); | |
227 | ||
228 | n = min(log->len_total - log->len_used - 1, n); | |
229 | log->kbuf[n] = '\0'; | |
230 | ||
231 | if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1)) | |
232 | log->len_used += n; | |
233 | else | |
234 | log->ubuf = NULL; | |
cbd35700 | 235 | } |
abe08840 JO |
236 | |
237 | /* log_level controls verbosity level of eBPF verifier. | |
238 | * bpf_verifier_log_write() is used to dump the verification trace to the log, | |
239 | * so the user can figure out what's wrong with the program | |
430e68d1 | 240 | */ |
abe08840 JO |
241 | __printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env, |
242 | const char *fmt, ...) | |
243 | { | |
244 | va_list args; | |
245 | ||
77d2e05a MKL |
246 | if (!bpf_verifier_log_needed(&env->log)) |
247 | return; | |
248 | ||
abe08840 | 249 | va_start(args, fmt); |
77d2e05a | 250 | bpf_verifier_vlog(&env->log, fmt, args); |
abe08840 JO |
251 | va_end(args); |
252 | } | |
253 | EXPORT_SYMBOL_GPL(bpf_verifier_log_write); | |
254 | ||
255 | __printf(2, 3) static void verbose(void *private_data, const char *fmt, ...) | |
256 | { | |
77d2e05a | 257 | struct bpf_verifier_env *env = private_data; |
abe08840 JO |
258 | va_list args; |
259 | ||
77d2e05a MKL |
260 | if (!bpf_verifier_log_needed(&env->log)) |
261 | return; | |
262 | ||
abe08840 | 263 | va_start(args, fmt); |
77d2e05a | 264 | bpf_verifier_vlog(&env->log, fmt, args); |
abe08840 JO |
265 | va_end(args); |
266 | } | |
cbd35700 | 267 | |
de8f3a83 DB |
268 | static bool type_is_pkt_pointer(enum bpf_reg_type type) |
269 | { | |
270 | return type == PTR_TO_PACKET || | |
271 | type == PTR_TO_PACKET_META; | |
272 | } | |
273 | ||
840b9615 JS |
274 | static bool reg_type_may_be_null(enum bpf_reg_type type) |
275 | { | |
fd978bf7 JS |
276 | return type == PTR_TO_MAP_VALUE_OR_NULL || |
277 | type == PTR_TO_SOCKET_OR_NULL; | |
278 | } | |
279 | ||
280 | static bool type_is_refcounted(enum bpf_reg_type type) | |
281 | { | |
282 | return type == PTR_TO_SOCKET; | |
283 | } | |
284 | ||
285 | static bool type_is_refcounted_or_null(enum bpf_reg_type type) | |
286 | { | |
287 | return type == PTR_TO_SOCKET || type == PTR_TO_SOCKET_OR_NULL; | |
288 | } | |
289 | ||
290 | static bool reg_is_refcounted(const struct bpf_reg_state *reg) | |
291 | { | |
292 | return type_is_refcounted(reg->type); | |
293 | } | |
294 | ||
295 | static bool reg_is_refcounted_or_null(const struct bpf_reg_state *reg) | |
296 | { | |
297 | return type_is_refcounted_or_null(reg->type); | |
298 | } | |
299 | ||
300 | static bool arg_type_is_refcounted(enum bpf_arg_type type) | |
301 | { | |
302 | return type == ARG_PTR_TO_SOCKET; | |
303 | } | |
304 | ||
305 | /* Determine whether the function releases some resources allocated by another | |
306 | * function call. The first reference type argument will be assumed to be | |
307 | * released by release_reference(). | |
308 | */ | |
309 | static bool is_release_function(enum bpf_func_id func_id) | |
310 | { | |
6acc9b43 | 311 | return func_id == BPF_FUNC_sk_release; |
840b9615 JS |
312 | } |
313 | ||
17a52670 AS |
314 | /* string representation of 'enum bpf_reg_type' */ |
315 | static const char * const reg_type_str[] = { | |
316 | [NOT_INIT] = "?", | |
f1174f77 | 317 | [SCALAR_VALUE] = "inv", |
17a52670 AS |
318 | [PTR_TO_CTX] = "ctx", |
319 | [CONST_PTR_TO_MAP] = "map_ptr", | |
320 | [PTR_TO_MAP_VALUE] = "map_value", | |
321 | [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", | |
17a52670 | 322 | [PTR_TO_STACK] = "fp", |
969bf05e | 323 | [PTR_TO_PACKET] = "pkt", |
de8f3a83 | 324 | [PTR_TO_PACKET_META] = "pkt_meta", |
969bf05e | 325 | [PTR_TO_PACKET_END] = "pkt_end", |
d58e468b | 326 | [PTR_TO_FLOW_KEYS] = "flow_keys", |
c64b7983 JS |
327 | [PTR_TO_SOCKET] = "sock", |
328 | [PTR_TO_SOCKET_OR_NULL] = "sock_or_null", | |
17a52670 AS |
329 | }; |
330 | ||
8efea21d EC |
331 | static char slot_type_char[] = { |
332 | [STACK_INVALID] = '?', | |
333 | [STACK_SPILL] = 'r', | |
334 | [STACK_MISC] = 'm', | |
335 | [STACK_ZERO] = '0', | |
336 | }; | |
337 | ||
4e92024a AS |
338 | static void print_liveness(struct bpf_verifier_env *env, |
339 | enum bpf_reg_liveness live) | |
340 | { | |
341 | if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN)) | |
342 | verbose(env, "_"); | |
343 | if (live & REG_LIVE_READ) | |
344 | verbose(env, "r"); | |
345 | if (live & REG_LIVE_WRITTEN) | |
346 | verbose(env, "w"); | |
347 | } | |
348 | ||
f4d7e40a AS |
349 | static struct bpf_func_state *func(struct bpf_verifier_env *env, |
350 | const struct bpf_reg_state *reg) | |
351 | { | |
352 | struct bpf_verifier_state *cur = env->cur_state; | |
353 | ||
354 | return cur->frame[reg->frameno]; | |
355 | } | |
356 | ||
61bd5218 | 357 | static void print_verifier_state(struct bpf_verifier_env *env, |
f4d7e40a | 358 | const struct bpf_func_state *state) |
17a52670 | 359 | { |
f4d7e40a | 360 | const struct bpf_reg_state *reg; |
17a52670 AS |
361 | enum bpf_reg_type t; |
362 | int i; | |
363 | ||
f4d7e40a AS |
364 | if (state->frameno) |
365 | verbose(env, " frame%d:", state->frameno); | |
17a52670 | 366 | for (i = 0; i < MAX_BPF_REG; i++) { |
1a0dc1ac AS |
367 | reg = &state->regs[i]; |
368 | t = reg->type; | |
17a52670 AS |
369 | if (t == NOT_INIT) |
370 | continue; | |
4e92024a AS |
371 | verbose(env, " R%d", i); |
372 | print_liveness(env, reg->live); | |
373 | verbose(env, "=%s", reg_type_str[t]); | |
f1174f77 EC |
374 | if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && |
375 | tnum_is_const(reg->var_off)) { | |
376 | /* reg->off should be 0 for SCALAR_VALUE */ | |
61bd5218 | 377 | verbose(env, "%lld", reg->var_off.value + reg->off); |
f4d7e40a AS |
378 | if (t == PTR_TO_STACK) |
379 | verbose(env, ",call_%d", func(env, reg)->callsite); | |
f1174f77 | 380 | } else { |
61bd5218 | 381 | verbose(env, "(id=%d", reg->id); |
f1174f77 | 382 | if (t != SCALAR_VALUE) |
61bd5218 | 383 | verbose(env, ",off=%d", reg->off); |
de8f3a83 | 384 | if (type_is_pkt_pointer(t)) |
61bd5218 | 385 | verbose(env, ",r=%d", reg->range); |
f1174f77 EC |
386 | else if (t == CONST_PTR_TO_MAP || |
387 | t == PTR_TO_MAP_VALUE || | |
388 | t == PTR_TO_MAP_VALUE_OR_NULL) | |
61bd5218 | 389 | verbose(env, ",ks=%d,vs=%d", |
f1174f77 EC |
390 | reg->map_ptr->key_size, |
391 | reg->map_ptr->value_size); | |
7d1238f2 EC |
392 | if (tnum_is_const(reg->var_off)) { |
393 | /* Typically an immediate SCALAR_VALUE, but | |
394 | * could be a pointer whose offset is too big | |
395 | * for reg->off | |
396 | */ | |
61bd5218 | 397 | verbose(env, ",imm=%llx", reg->var_off.value); |
7d1238f2 EC |
398 | } else { |
399 | if (reg->smin_value != reg->umin_value && | |
400 | reg->smin_value != S64_MIN) | |
61bd5218 | 401 | verbose(env, ",smin_value=%lld", |
7d1238f2 EC |
402 | (long long)reg->smin_value); |
403 | if (reg->smax_value != reg->umax_value && | |
404 | reg->smax_value != S64_MAX) | |
61bd5218 | 405 | verbose(env, ",smax_value=%lld", |
7d1238f2 EC |
406 | (long long)reg->smax_value); |
407 | if (reg->umin_value != 0) | |
61bd5218 | 408 | verbose(env, ",umin_value=%llu", |
7d1238f2 EC |
409 | (unsigned long long)reg->umin_value); |
410 | if (reg->umax_value != U64_MAX) | |
61bd5218 | 411 | verbose(env, ",umax_value=%llu", |
7d1238f2 EC |
412 | (unsigned long long)reg->umax_value); |
413 | if (!tnum_is_unknown(reg->var_off)) { | |
414 | char tn_buf[48]; | |
f1174f77 | 415 | |
7d1238f2 | 416 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
61bd5218 | 417 | verbose(env, ",var_off=%s", tn_buf); |
7d1238f2 | 418 | } |
f1174f77 | 419 | } |
61bd5218 | 420 | verbose(env, ")"); |
f1174f77 | 421 | } |
17a52670 | 422 | } |
638f5b90 | 423 | for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) { |
8efea21d EC |
424 | char types_buf[BPF_REG_SIZE + 1]; |
425 | bool valid = false; | |
426 | int j; | |
427 | ||
428 | for (j = 0; j < BPF_REG_SIZE; j++) { | |
429 | if (state->stack[i].slot_type[j] != STACK_INVALID) | |
430 | valid = true; | |
431 | types_buf[j] = slot_type_char[ | |
432 | state->stack[i].slot_type[j]]; | |
433 | } | |
434 | types_buf[BPF_REG_SIZE] = 0; | |
435 | if (!valid) | |
436 | continue; | |
437 | verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE); | |
438 | print_liveness(env, state->stack[i].spilled_ptr.live); | |
439 | if (state->stack[i].slot_type[0] == STACK_SPILL) | |
4e92024a | 440 | verbose(env, "=%s", |
638f5b90 | 441 | reg_type_str[state->stack[i].spilled_ptr.type]); |
8efea21d EC |
442 | else |
443 | verbose(env, "=%s", types_buf); | |
17a52670 | 444 | } |
fd978bf7 JS |
445 | if (state->acquired_refs && state->refs[0].id) { |
446 | verbose(env, " refs=%d", state->refs[0].id); | |
447 | for (i = 1; i < state->acquired_refs; i++) | |
448 | if (state->refs[i].id) | |
449 | verbose(env, ",%d", state->refs[i].id); | |
450 | } | |
61bd5218 | 451 | verbose(env, "\n"); |
17a52670 AS |
452 | } |
453 | ||
84dbf350 JS |
454 | #define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE) \ |
455 | static int copy_##NAME##_state(struct bpf_func_state *dst, \ | |
456 | const struct bpf_func_state *src) \ | |
457 | { \ | |
458 | if (!src->FIELD) \ | |
459 | return 0; \ | |
460 | if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) { \ | |
461 | /* internal bug, make state invalid to reject the program */ \ | |
462 | memset(dst, 0, sizeof(*dst)); \ | |
463 | return -EFAULT; \ | |
464 | } \ | |
465 | memcpy(dst->FIELD, src->FIELD, \ | |
466 | sizeof(*src->FIELD) * (src->COUNT / SIZE)); \ | |
467 | return 0; \ | |
638f5b90 | 468 | } |
fd978bf7 JS |
469 | /* copy_reference_state() */ |
470 | COPY_STATE_FN(reference, acquired_refs, refs, 1) | |
84dbf350 JS |
471 | /* copy_stack_state() */ |
472 | COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) | |
473 | #undef COPY_STATE_FN | |
474 | ||
475 | #define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE) \ | |
476 | static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \ | |
477 | bool copy_old) \ | |
478 | { \ | |
479 | u32 old_size = state->COUNT; \ | |
480 | struct bpf_##NAME##_state *new_##FIELD; \ | |
481 | int slot = size / SIZE; \ | |
482 | \ | |
483 | if (size <= old_size || !size) { \ | |
484 | if (copy_old) \ | |
485 | return 0; \ | |
486 | state->COUNT = slot * SIZE; \ | |
487 | if (!size && old_size) { \ | |
488 | kfree(state->FIELD); \ | |
489 | state->FIELD = NULL; \ | |
490 | } \ | |
491 | return 0; \ | |
492 | } \ | |
493 | new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \ | |
494 | GFP_KERNEL); \ | |
495 | if (!new_##FIELD) \ | |
496 | return -ENOMEM; \ | |
497 | if (copy_old) { \ | |
498 | if (state->FIELD) \ | |
499 | memcpy(new_##FIELD, state->FIELD, \ | |
500 | sizeof(*new_##FIELD) * (old_size / SIZE)); \ | |
501 | memset(new_##FIELD + old_size / SIZE, 0, \ | |
502 | sizeof(*new_##FIELD) * (size - old_size) / SIZE); \ | |
503 | } \ | |
504 | state->COUNT = slot * SIZE; \ | |
505 | kfree(state->FIELD); \ | |
506 | state->FIELD = new_##FIELD; \ | |
507 | return 0; \ | |
508 | } | |
fd978bf7 JS |
509 | /* realloc_reference_state() */ |
510 | REALLOC_STATE_FN(reference, acquired_refs, refs, 1) | |
84dbf350 JS |
511 | /* realloc_stack_state() */ |
512 | REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) | |
513 | #undef REALLOC_STATE_FN | |
638f5b90 AS |
514 | |
515 | /* do_check() starts with zero-sized stack in struct bpf_verifier_state to | |
516 | * make it consume minimal amount of memory. check_stack_write() access from | |
f4d7e40a | 517 | * the program calls into realloc_func_state() to grow the stack size. |
84dbf350 JS |
518 | * Note there is a non-zero 'parent' pointer inside bpf_verifier_state |
519 | * which realloc_stack_state() copies over. It points to previous | |
520 | * bpf_verifier_state which is never reallocated. | |
638f5b90 | 521 | */ |
fd978bf7 JS |
522 | static int realloc_func_state(struct bpf_func_state *state, int stack_size, |
523 | int refs_size, bool copy_old) | |
638f5b90 | 524 | { |
fd978bf7 JS |
525 | int err = realloc_reference_state(state, refs_size, copy_old); |
526 | if (err) | |
527 | return err; | |
528 | return realloc_stack_state(state, stack_size, copy_old); | |
529 | } | |
530 | ||
531 | /* Acquire a pointer id from the env and update the state->refs to include | |
532 | * this new pointer reference. | |
533 | * On success, returns a valid pointer id to associate with the register | |
534 | * On failure, returns a negative errno. | |
638f5b90 | 535 | */ |
fd978bf7 | 536 | static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx) |
638f5b90 | 537 | { |
fd978bf7 JS |
538 | struct bpf_func_state *state = cur_func(env); |
539 | int new_ofs = state->acquired_refs; | |
540 | int id, err; | |
541 | ||
542 | err = realloc_reference_state(state, state->acquired_refs + 1, true); | |
543 | if (err) | |
544 | return err; | |
545 | id = ++env->id_gen; | |
546 | state->refs[new_ofs].id = id; | |
547 | state->refs[new_ofs].insn_idx = insn_idx; | |
638f5b90 | 548 | |
fd978bf7 JS |
549 | return id; |
550 | } | |
551 | ||
552 | /* release function corresponding to acquire_reference_state(). Idempotent. */ | |
553 | static int __release_reference_state(struct bpf_func_state *state, int ptr_id) | |
554 | { | |
555 | int i, last_idx; | |
556 | ||
557 | if (!ptr_id) | |
558 | return -EFAULT; | |
559 | ||
560 | last_idx = state->acquired_refs - 1; | |
561 | for (i = 0; i < state->acquired_refs; i++) { | |
562 | if (state->refs[i].id == ptr_id) { | |
563 | if (last_idx && i != last_idx) | |
564 | memcpy(&state->refs[i], &state->refs[last_idx], | |
565 | sizeof(*state->refs)); | |
566 | memset(&state->refs[last_idx], 0, sizeof(*state->refs)); | |
567 | state->acquired_refs--; | |
638f5b90 | 568 | return 0; |
638f5b90 | 569 | } |
638f5b90 | 570 | } |
fd978bf7 JS |
571 | return -EFAULT; |
572 | } | |
573 | ||
574 | /* variation on the above for cases where we expect that there must be an | |
575 | * outstanding reference for the specified ptr_id. | |
576 | */ | |
577 | static int release_reference_state(struct bpf_verifier_env *env, int ptr_id) | |
578 | { | |
579 | struct bpf_func_state *state = cur_func(env); | |
580 | int err; | |
581 | ||
582 | err = __release_reference_state(state, ptr_id); | |
583 | if (WARN_ON_ONCE(err != 0)) | |
584 | verbose(env, "verifier internal error: can't release reference\n"); | |
585 | return err; | |
586 | } | |
587 | ||
588 | static int transfer_reference_state(struct bpf_func_state *dst, | |
589 | struct bpf_func_state *src) | |
590 | { | |
591 | int err = realloc_reference_state(dst, src->acquired_refs, false); | |
592 | if (err) | |
593 | return err; | |
594 | err = copy_reference_state(dst, src); | |
595 | if (err) | |
596 | return err; | |
638f5b90 AS |
597 | return 0; |
598 | } | |
599 | ||
f4d7e40a AS |
600 | static void free_func_state(struct bpf_func_state *state) |
601 | { | |
5896351e AS |
602 | if (!state) |
603 | return; | |
fd978bf7 | 604 | kfree(state->refs); |
f4d7e40a AS |
605 | kfree(state->stack); |
606 | kfree(state); | |
607 | } | |
608 | ||
1969db47 AS |
609 | static void free_verifier_state(struct bpf_verifier_state *state, |
610 | bool free_self) | |
638f5b90 | 611 | { |
f4d7e40a AS |
612 | int i; |
613 | ||
614 | for (i = 0; i <= state->curframe; i++) { | |
615 | free_func_state(state->frame[i]); | |
616 | state->frame[i] = NULL; | |
617 | } | |
1969db47 AS |
618 | if (free_self) |
619 | kfree(state); | |
638f5b90 AS |
620 | } |
621 | ||
622 | /* copy verifier state from src to dst growing dst stack space | |
623 | * when necessary to accommodate larger src stack | |
624 | */ | |
f4d7e40a AS |
625 | static int copy_func_state(struct bpf_func_state *dst, |
626 | const struct bpf_func_state *src) | |
638f5b90 AS |
627 | { |
628 | int err; | |
629 | ||
fd978bf7 JS |
630 | err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs, |
631 | false); | |
632 | if (err) | |
633 | return err; | |
634 | memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs)); | |
635 | err = copy_reference_state(dst, src); | |
638f5b90 AS |
636 | if (err) |
637 | return err; | |
638f5b90 AS |
638 | return copy_stack_state(dst, src); |
639 | } | |
640 | ||
f4d7e40a AS |
641 | static int copy_verifier_state(struct bpf_verifier_state *dst_state, |
642 | const struct bpf_verifier_state *src) | |
643 | { | |
644 | struct bpf_func_state *dst; | |
645 | int i, err; | |
646 | ||
647 | /* if dst has more stack frames then src frame, free them */ | |
648 | for (i = src->curframe + 1; i <= dst_state->curframe; i++) { | |
649 | free_func_state(dst_state->frame[i]); | |
650 | dst_state->frame[i] = NULL; | |
651 | } | |
652 | dst_state->curframe = src->curframe; | |
f4d7e40a AS |
653 | for (i = 0; i <= src->curframe; i++) { |
654 | dst = dst_state->frame[i]; | |
655 | if (!dst) { | |
656 | dst = kzalloc(sizeof(*dst), GFP_KERNEL); | |
657 | if (!dst) | |
658 | return -ENOMEM; | |
659 | dst_state->frame[i] = dst; | |
660 | } | |
661 | err = copy_func_state(dst, src->frame[i]); | |
662 | if (err) | |
663 | return err; | |
664 | } | |
665 | return 0; | |
666 | } | |
667 | ||
638f5b90 AS |
668 | static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx, |
669 | int *insn_idx) | |
670 | { | |
671 | struct bpf_verifier_state *cur = env->cur_state; | |
672 | struct bpf_verifier_stack_elem *elem, *head = env->head; | |
673 | int err; | |
17a52670 AS |
674 | |
675 | if (env->head == NULL) | |
638f5b90 | 676 | return -ENOENT; |
17a52670 | 677 | |
638f5b90 AS |
678 | if (cur) { |
679 | err = copy_verifier_state(cur, &head->st); | |
680 | if (err) | |
681 | return err; | |
682 | } | |
683 | if (insn_idx) | |
684 | *insn_idx = head->insn_idx; | |
17a52670 | 685 | if (prev_insn_idx) |
638f5b90 AS |
686 | *prev_insn_idx = head->prev_insn_idx; |
687 | elem = head->next; | |
1969db47 | 688 | free_verifier_state(&head->st, false); |
638f5b90 | 689 | kfree(head); |
17a52670 AS |
690 | env->head = elem; |
691 | env->stack_size--; | |
638f5b90 | 692 | return 0; |
17a52670 AS |
693 | } |
694 | ||
58e2af8b JK |
695 | static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, |
696 | int insn_idx, int prev_insn_idx) | |
17a52670 | 697 | { |
638f5b90 | 698 | struct bpf_verifier_state *cur = env->cur_state; |
58e2af8b | 699 | struct bpf_verifier_stack_elem *elem; |
638f5b90 | 700 | int err; |
17a52670 | 701 | |
638f5b90 | 702 | elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); |
17a52670 AS |
703 | if (!elem) |
704 | goto err; | |
705 | ||
17a52670 AS |
706 | elem->insn_idx = insn_idx; |
707 | elem->prev_insn_idx = prev_insn_idx; | |
708 | elem->next = env->head; | |
709 | env->head = elem; | |
710 | env->stack_size++; | |
1969db47 AS |
711 | err = copy_verifier_state(&elem->st, cur); |
712 | if (err) | |
713 | goto err; | |
07016151 | 714 | if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
61bd5218 | 715 | verbose(env, "BPF program is too complex\n"); |
17a52670 AS |
716 | goto err; |
717 | } | |
718 | return &elem->st; | |
719 | err: | |
5896351e AS |
720 | free_verifier_state(env->cur_state, true); |
721 | env->cur_state = NULL; | |
17a52670 | 722 | /* pop all elements and return */ |
638f5b90 | 723 | while (!pop_stack(env, NULL, NULL)); |
17a52670 AS |
724 | return NULL; |
725 | } | |
726 | ||
727 | #define CALLER_SAVED_REGS 6 | |
728 | static const int caller_saved[CALLER_SAVED_REGS] = { | |
729 | BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5 | |
730 | }; | |
731 | ||
f1174f77 EC |
732 | static void __mark_reg_not_init(struct bpf_reg_state *reg); |
733 | ||
b03c9f9f EC |
734 | /* Mark the unknown part of a register (variable offset or scalar value) as |
735 | * known to have the value @imm. | |
736 | */ | |
737 | static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) | |
738 | { | |
a9c676bc AS |
739 | /* Clear id, off, and union(map_ptr, range) */ |
740 | memset(((u8 *)reg) + sizeof(reg->type), 0, | |
741 | offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)); | |
b03c9f9f EC |
742 | reg->var_off = tnum_const(imm); |
743 | reg->smin_value = (s64)imm; | |
744 | reg->smax_value = (s64)imm; | |
745 | reg->umin_value = imm; | |
746 | reg->umax_value = imm; | |
747 | } | |
748 | ||
f1174f77 EC |
749 | /* Mark the 'variable offset' part of a register as zero. This should be |
750 | * used only on registers holding a pointer type. | |
751 | */ | |
752 | static void __mark_reg_known_zero(struct bpf_reg_state *reg) | |
a9789ef9 | 753 | { |
b03c9f9f | 754 | __mark_reg_known(reg, 0); |
f1174f77 | 755 | } |
a9789ef9 | 756 | |
cc2b14d5 AS |
757 | static void __mark_reg_const_zero(struct bpf_reg_state *reg) |
758 | { | |
759 | __mark_reg_known(reg, 0); | |
cc2b14d5 AS |
760 | reg->type = SCALAR_VALUE; |
761 | } | |
762 | ||
61bd5218 JK |
763 | static void mark_reg_known_zero(struct bpf_verifier_env *env, |
764 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
765 | { |
766 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 767 | verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); |
f1174f77 EC |
768 | /* Something bad happened, let's kill all regs */ |
769 | for (regno = 0; regno < MAX_BPF_REG; regno++) | |
770 | __mark_reg_not_init(regs + regno); | |
771 | return; | |
772 | } | |
773 | __mark_reg_known_zero(regs + regno); | |
774 | } | |
775 | ||
de8f3a83 DB |
776 | static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg) |
777 | { | |
778 | return type_is_pkt_pointer(reg->type); | |
779 | } | |
780 | ||
781 | static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg) | |
782 | { | |
783 | return reg_is_pkt_pointer(reg) || | |
784 | reg->type == PTR_TO_PACKET_END; | |
785 | } | |
786 | ||
787 | /* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */ | |
788 | static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg, | |
789 | enum bpf_reg_type which) | |
790 | { | |
791 | /* The register can already have a range from prior markings. | |
792 | * This is fine as long as it hasn't been advanced from its | |
793 | * origin. | |
794 | */ | |
795 | return reg->type == which && | |
796 | reg->id == 0 && | |
797 | reg->off == 0 && | |
798 | tnum_equals_const(reg->var_off, 0); | |
799 | } | |
800 | ||
b03c9f9f EC |
801 | /* Attempts to improve min/max values based on var_off information */ |
802 | static void __update_reg_bounds(struct bpf_reg_state *reg) | |
803 | { | |
804 | /* min signed is max(sign bit) | min(other bits) */ | |
805 | reg->smin_value = max_t(s64, reg->smin_value, | |
806 | reg->var_off.value | (reg->var_off.mask & S64_MIN)); | |
807 | /* max signed is min(sign bit) | max(other bits) */ | |
808 | reg->smax_value = min_t(s64, reg->smax_value, | |
809 | reg->var_off.value | (reg->var_off.mask & S64_MAX)); | |
810 | reg->umin_value = max(reg->umin_value, reg->var_off.value); | |
811 | reg->umax_value = min(reg->umax_value, | |
812 | reg->var_off.value | reg->var_off.mask); | |
813 | } | |
814 | ||
815 | /* Uses signed min/max values to inform unsigned, and vice-versa */ | |
816 | static void __reg_deduce_bounds(struct bpf_reg_state *reg) | |
817 | { | |
818 | /* Learn sign from signed bounds. | |
819 | * If we cannot cross the sign boundary, then signed and unsigned bounds | |
820 | * are the same, so combine. This works even in the negative case, e.g. | |
821 | * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff. | |
822 | */ | |
823 | if (reg->smin_value >= 0 || reg->smax_value < 0) { | |
824 | reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, | |
825 | reg->umin_value); | |
826 | reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, | |
827 | reg->umax_value); | |
828 | return; | |
829 | } | |
830 | /* Learn sign from unsigned bounds. Signed bounds cross the sign | |
831 | * boundary, so we must be careful. | |
832 | */ | |
833 | if ((s64)reg->umax_value >= 0) { | |
834 | /* Positive. We can't learn anything from the smin, but smax | |
835 | * is positive, hence safe. | |
836 | */ | |
837 | reg->smin_value = reg->umin_value; | |
838 | reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, | |
839 | reg->umax_value); | |
840 | } else if ((s64)reg->umin_value < 0) { | |
841 | /* Negative. We can't learn anything from the smax, but smin | |
842 | * is negative, hence safe. | |
843 | */ | |
844 | reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, | |
845 | reg->umin_value); | |
846 | reg->smax_value = reg->umax_value; | |
847 | } | |
848 | } | |
849 | ||
850 | /* Attempts to improve var_off based on unsigned min/max information */ | |
851 | static void __reg_bound_offset(struct bpf_reg_state *reg) | |
852 | { | |
853 | reg->var_off = tnum_intersect(reg->var_off, | |
854 | tnum_range(reg->umin_value, | |
855 | reg->umax_value)); | |
856 | } | |
857 | ||
858 | /* Reset the min/max bounds of a register */ | |
859 | static void __mark_reg_unbounded(struct bpf_reg_state *reg) | |
860 | { | |
861 | reg->smin_value = S64_MIN; | |
862 | reg->smax_value = S64_MAX; | |
863 | reg->umin_value = 0; | |
864 | reg->umax_value = U64_MAX; | |
865 | } | |
866 | ||
f1174f77 EC |
867 | /* Mark a register as having a completely unknown (scalar) value. */ |
868 | static void __mark_reg_unknown(struct bpf_reg_state *reg) | |
869 | { | |
a9c676bc AS |
870 | /* |
871 | * Clear type, id, off, and union(map_ptr, range) and | |
872 | * padding between 'type' and union | |
873 | */ | |
874 | memset(reg, 0, offsetof(struct bpf_reg_state, var_off)); | |
f1174f77 | 875 | reg->type = SCALAR_VALUE; |
f1174f77 | 876 | reg->var_off = tnum_unknown; |
f4d7e40a | 877 | reg->frameno = 0; |
b03c9f9f | 878 | __mark_reg_unbounded(reg); |
f1174f77 EC |
879 | } |
880 | ||
61bd5218 JK |
881 | static void mark_reg_unknown(struct bpf_verifier_env *env, |
882 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
883 | { |
884 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 885 | verbose(env, "mark_reg_unknown(regs, %u)\n", regno); |
19ceb417 AS |
886 | /* Something bad happened, let's kill all regs except FP */ |
887 | for (regno = 0; regno < BPF_REG_FP; regno++) | |
f1174f77 EC |
888 | __mark_reg_not_init(regs + regno); |
889 | return; | |
890 | } | |
891 | __mark_reg_unknown(regs + regno); | |
892 | } | |
893 | ||
894 | static void __mark_reg_not_init(struct bpf_reg_state *reg) | |
895 | { | |
896 | __mark_reg_unknown(reg); | |
897 | reg->type = NOT_INIT; | |
898 | } | |
899 | ||
61bd5218 JK |
900 | static void mark_reg_not_init(struct bpf_verifier_env *env, |
901 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
902 | { |
903 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 904 | verbose(env, "mark_reg_not_init(regs, %u)\n", regno); |
19ceb417 AS |
905 | /* Something bad happened, let's kill all regs except FP */ |
906 | for (regno = 0; regno < BPF_REG_FP; regno++) | |
f1174f77 EC |
907 | __mark_reg_not_init(regs + regno); |
908 | return; | |
909 | } | |
910 | __mark_reg_not_init(regs + regno); | |
a9789ef9 DB |
911 | } |
912 | ||
61bd5218 | 913 | static void init_reg_state(struct bpf_verifier_env *env, |
f4d7e40a | 914 | struct bpf_func_state *state) |
17a52670 | 915 | { |
f4d7e40a | 916 | struct bpf_reg_state *regs = state->regs; |
17a52670 AS |
917 | int i; |
918 | ||
dc503a8a | 919 | for (i = 0; i < MAX_BPF_REG; i++) { |
61bd5218 | 920 | mark_reg_not_init(env, regs, i); |
dc503a8a | 921 | regs[i].live = REG_LIVE_NONE; |
679c782d | 922 | regs[i].parent = NULL; |
dc503a8a | 923 | } |
17a52670 AS |
924 | |
925 | /* frame pointer */ | |
f1174f77 | 926 | regs[BPF_REG_FP].type = PTR_TO_STACK; |
61bd5218 | 927 | mark_reg_known_zero(env, regs, BPF_REG_FP); |
f4d7e40a | 928 | regs[BPF_REG_FP].frameno = state->frameno; |
17a52670 AS |
929 | |
930 | /* 1st arg to a function */ | |
931 | regs[BPF_REG_1].type = PTR_TO_CTX; | |
61bd5218 | 932 | mark_reg_known_zero(env, regs, BPF_REG_1); |
6760bf2d DB |
933 | } |
934 | ||
f4d7e40a AS |
935 | #define BPF_MAIN_FUNC (-1) |
936 | static void init_func_state(struct bpf_verifier_env *env, | |
937 | struct bpf_func_state *state, | |
938 | int callsite, int frameno, int subprogno) | |
939 | { | |
940 | state->callsite = callsite; | |
941 | state->frameno = frameno; | |
942 | state->subprogno = subprogno; | |
943 | init_reg_state(env, state); | |
944 | } | |
945 | ||
17a52670 AS |
946 | enum reg_arg_type { |
947 | SRC_OP, /* register is used as source operand */ | |
948 | DST_OP, /* register is used as destination operand */ | |
949 | DST_OP_NO_MARK /* same as above, check only, don't mark */ | |
950 | }; | |
951 | ||
cc8b0b92 AS |
952 | static int cmp_subprogs(const void *a, const void *b) |
953 | { | |
9c8105bd JW |
954 | return ((struct bpf_subprog_info *)a)->start - |
955 | ((struct bpf_subprog_info *)b)->start; | |
cc8b0b92 AS |
956 | } |
957 | ||
958 | static int find_subprog(struct bpf_verifier_env *env, int off) | |
959 | { | |
9c8105bd | 960 | struct bpf_subprog_info *p; |
cc8b0b92 | 961 | |
9c8105bd JW |
962 | p = bsearch(&off, env->subprog_info, env->subprog_cnt, |
963 | sizeof(env->subprog_info[0]), cmp_subprogs); | |
cc8b0b92 AS |
964 | if (!p) |
965 | return -ENOENT; | |
9c8105bd | 966 | return p - env->subprog_info; |
cc8b0b92 AS |
967 | |
968 | } | |
969 | ||
970 | static int add_subprog(struct bpf_verifier_env *env, int off) | |
971 | { | |
972 | int insn_cnt = env->prog->len; | |
973 | int ret; | |
974 | ||
975 | if (off >= insn_cnt || off < 0) { | |
976 | verbose(env, "call to invalid destination\n"); | |
977 | return -EINVAL; | |
978 | } | |
979 | ret = find_subprog(env, off); | |
980 | if (ret >= 0) | |
981 | return 0; | |
4cb3d99c | 982 | if (env->subprog_cnt >= BPF_MAX_SUBPROGS) { |
cc8b0b92 AS |
983 | verbose(env, "too many subprograms\n"); |
984 | return -E2BIG; | |
985 | } | |
9c8105bd JW |
986 | env->subprog_info[env->subprog_cnt++].start = off; |
987 | sort(env->subprog_info, env->subprog_cnt, | |
988 | sizeof(env->subprog_info[0]), cmp_subprogs, NULL); | |
cc8b0b92 AS |
989 | return 0; |
990 | } | |
991 | ||
992 | static int check_subprogs(struct bpf_verifier_env *env) | |
993 | { | |
994 | int i, ret, subprog_start, subprog_end, off, cur_subprog = 0; | |
9c8105bd | 995 | struct bpf_subprog_info *subprog = env->subprog_info; |
cc8b0b92 AS |
996 | struct bpf_insn *insn = env->prog->insnsi; |
997 | int insn_cnt = env->prog->len; | |
998 | ||
f910cefa JW |
999 | /* Add entry function. */ |
1000 | ret = add_subprog(env, 0); | |
1001 | if (ret < 0) | |
1002 | return ret; | |
1003 | ||
cc8b0b92 AS |
1004 | /* determine subprog starts. The end is one before the next starts */ |
1005 | for (i = 0; i < insn_cnt; i++) { | |
1006 | if (insn[i].code != (BPF_JMP | BPF_CALL)) | |
1007 | continue; | |
1008 | if (insn[i].src_reg != BPF_PSEUDO_CALL) | |
1009 | continue; | |
1010 | if (!env->allow_ptr_leaks) { | |
1011 | verbose(env, "function calls to other bpf functions are allowed for root only\n"); | |
1012 | return -EPERM; | |
1013 | } | |
cc8b0b92 AS |
1014 | ret = add_subprog(env, i + insn[i].imm + 1); |
1015 | if (ret < 0) | |
1016 | return ret; | |
1017 | } | |
1018 | ||
4cb3d99c JW |
1019 | /* Add a fake 'exit' subprog which could simplify subprog iteration |
1020 | * logic. 'subprog_cnt' should not be increased. | |
1021 | */ | |
1022 | subprog[env->subprog_cnt].start = insn_cnt; | |
1023 | ||
cc8b0b92 AS |
1024 | if (env->log.level > 1) |
1025 | for (i = 0; i < env->subprog_cnt; i++) | |
9c8105bd | 1026 | verbose(env, "func#%d @%d\n", i, subprog[i].start); |
cc8b0b92 AS |
1027 | |
1028 | /* now check that all jumps are within the same subprog */ | |
4cb3d99c JW |
1029 | subprog_start = subprog[cur_subprog].start; |
1030 | subprog_end = subprog[cur_subprog + 1].start; | |
cc8b0b92 AS |
1031 | for (i = 0; i < insn_cnt; i++) { |
1032 | u8 code = insn[i].code; | |
1033 | ||
1034 | if (BPF_CLASS(code) != BPF_JMP) | |
1035 | goto next; | |
1036 | if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL) | |
1037 | goto next; | |
1038 | off = i + insn[i].off + 1; | |
1039 | if (off < subprog_start || off >= subprog_end) { | |
1040 | verbose(env, "jump out of range from insn %d to %d\n", i, off); | |
1041 | return -EINVAL; | |
1042 | } | |
1043 | next: | |
1044 | if (i == subprog_end - 1) { | |
1045 | /* to avoid fall-through from one subprog into another | |
1046 | * the last insn of the subprog should be either exit | |
1047 | * or unconditional jump back | |
1048 | */ | |
1049 | if (code != (BPF_JMP | BPF_EXIT) && | |
1050 | code != (BPF_JMP | BPF_JA)) { | |
1051 | verbose(env, "last insn is not an exit or jmp\n"); | |
1052 | return -EINVAL; | |
1053 | } | |
1054 | subprog_start = subprog_end; | |
4cb3d99c JW |
1055 | cur_subprog++; |
1056 | if (cur_subprog < env->subprog_cnt) | |
9c8105bd | 1057 | subprog_end = subprog[cur_subprog + 1].start; |
cc8b0b92 AS |
1058 | } |
1059 | } | |
1060 | return 0; | |
1061 | } | |
1062 | ||
679c782d EC |
1063 | /* Parentage chain of this register (or stack slot) should take care of all |
1064 | * issues like callee-saved registers, stack slot allocation time, etc. | |
1065 | */ | |
f4d7e40a | 1066 | static int mark_reg_read(struct bpf_verifier_env *env, |
679c782d EC |
1067 | const struct bpf_reg_state *state, |
1068 | struct bpf_reg_state *parent) | |
f4d7e40a AS |
1069 | { |
1070 | bool writes = parent == state->parent; /* Observe write marks */ | |
dc503a8a EC |
1071 | |
1072 | while (parent) { | |
1073 | /* if read wasn't screened by an earlier write ... */ | |
679c782d | 1074 | if (writes && state->live & REG_LIVE_WRITTEN) |
dc503a8a EC |
1075 | break; |
1076 | /* ... then we depend on parent's value */ | |
679c782d | 1077 | parent->live |= REG_LIVE_READ; |
dc503a8a EC |
1078 | state = parent; |
1079 | parent = state->parent; | |
f4d7e40a | 1080 | writes = true; |
dc503a8a | 1081 | } |
f4d7e40a | 1082 | return 0; |
dc503a8a EC |
1083 | } |
1084 | ||
1085 | static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, | |
17a52670 AS |
1086 | enum reg_arg_type t) |
1087 | { | |
f4d7e40a AS |
1088 | struct bpf_verifier_state *vstate = env->cur_state; |
1089 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
1090 | struct bpf_reg_state *regs = state->regs; | |
dc503a8a | 1091 | |
17a52670 | 1092 | if (regno >= MAX_BPF_REG) { |
61bd5218 | 1093 | verbose(env, "R%d is invalid\n", regno); |
17a52670 AS |
1094 | return -EINVAL; |
1095 | } | |
1096 | ||
1097 | if (t == SRC_OP) { | |
1098 | /* check whether register used as source operand can be read */ | |
1099 | if (regs[regno].type == NOT_INIT) { | |
61bd5218 | 1100 | verbose(env, "R%d !read_ok\n", regno); |
17a52670 AS |
1101 | return -EACCES; |
1102 | } | |
679c782d EC |
1103 | /* We don't need to worry about FP liveness because it's read-only */ |
1104 | if (regno != BPF_REG_FP) | |
1105 | return mark_reg_read(env, ®s[regno], | |
1106 | regs[regno].parent); | |
17a52670 AS |
1107 | } else { |
1108 | /* check whether register used as dest operand can be written to */ | |
1109 | if (regno == BPF_REG_FP) { | |
61bd5218 | 1110 | verbose(env, "frame pointer is read only\n"); |
17a52670 AS |
1111 | return -EACCES; |
1112 | } | |
dc503a8a | 1113 | regs[regno].live |= REG_LIVE_WRITTEN; |
17a52670 | 1114 | if (t == DST_OP) |
61bd5218 | 1115 | mark_reg_unknown(env, regs, regno); |
17a52670 AS |
1116 | } |
1117 | return 0; | |
1118 | } | |
1119 | ||
1be7f75d AS |
1120 | static bool is_spillable_regtype(enum bpf_reg_type type) |
1121 | { | |
1122 | switch (type) { | |
1123 | case PTR_TO_MAP_VALUE: | |
1124 | case PTR_TO_MAP_VALUE_OR_NULL: | |
1125 | case PTR_TO_STACK: | |
1126 | case PTR_TO_CTX: | |
969bf05e | 1127 | case PTR_TO_PACKET: |
de8f3a83 | 1128 | case PTR_TO_PACKET_META: |
969bf05e | 1129 | case PTR_TO_PACKET_END: |
d58e468b | 1130 | case PTR_TO_FLOW_KEYS: |
1be7f75d | 1131 | case CONST_PTR_TO_MAP: |
c64b7983 JS |
1132 | case PTR_TO_SOCKET: |
1133 | case PTR_TO_SOCKET_OR_NULL: | |
1be7f75d AS |
1134 | return true; |
1135 | default: | |
1136 | return false; | |
1137 | } | |
1138 | } | |
1139 | ||
cc2b14d5 AS |
1140 | /* Does this register contain a constant zero? */ |
1141 | static bool register_is_null(struct bpf_reg_state *reg) | |
1142 | { | |
1143 | return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0); | |
1144 | } | |
1145 | ||
17a52670 AS |
1146 | /* check_stack_read/write functions track spill/fill of registers, |
1147 | * stack boundary and alignment are checked in check_mem_access() | |
1148 | */ | |
61bd5218 | 1149 | static int check_stack_write(struct bpf_verifier_env *env, |
f4d7e40a | 1150 | struct bpf_func_state *state, /* func where register points to */ |
af86ca4e | 1151 | int off, int size, int value_regno, int insn_idx) |
17a52670 | 1152 | { |
f4d7e40a | 1153 | struct bpf_func_state *cur; /* state of the current function */ |
638f5b90 | 1154 | int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; |
f4d7e40a | 1155 | enum bpf_reg_type type; |
638f5b90 | 1156 | |
f4d7e40a | 1157 | err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), |
fd978bf7 | 1158 | state->acquired_refs, true); |
638f5b90 AS |
1159 | if (err) |
1160 | return err; | |
9c399760 AS |
1161 | /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, |
1162 | * so it's aligned access and [off, off + size) are within stack limits | |
1163 | */ | |
638f5b90 AS |
1164 | if (!env->allow_ptr_leaks && |
1165 | state->stack[spi].slot_type[0] == STACK_SPILL && | |
1166 | size != BPF_REG_SIZE) { | |
1167 | verbose(env, "attempt to corrupt spilled pointer on stack\n"); | |
1168 | return -EACCES; | |
1169 | } | |
17a52670 | 1170 | |
f4d7e40a | 1171 | cur = env->cur_state->frame[env->cur_state->curframe]; |
17a52670 | 1172 | if (value_regno >= 0 && |
f4d7e40a | 1173 | is_spillable_regtype((type = cur->regs[value_regno].type))) { |
17a52670 AS |
1174 | |
1175 | /* register containing pointer is being spilled into stack */ | |
9c399760 | 1176 | if (size != BPF_REG_SIZE) { |
61bd5218 | 1177 | verbose(env, "invalid size of register spill\n"); |
17a52670 AS |
1178 | return -EACCES; |
1179 | } | |
1180 | ||
f4d7e40a AS |
1181 | if (state != cur && type == PTR_TO_STACK) { |
1182 | verbose(env, "cannot spill pointers to stack into stack frame of the caller\n"); | |
1183 | return -EINVAL; | |
1184 | } | |
1185 | ||
17a52670 | 1186 | /* save register state */ |
f4d7e40a | 1187 | state->stack[spi].spilled_ptr = cur->regs[value_regno]; |
638f5b90 | 1188 | state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; |
17a52670 | 1189 | |
af86ca4e AS |
1190 | for (i = 0; i < BPF_REG_SIZE; i++) { |
1191 | if (state->stack[spi].slot_type[i] == STACK_MISC && | |
1192 | !env->allow_ptr_leaks) { | |
1193 | int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; | |
1194 | int soff = (-spi - 1) * BPF_REG_SIZE; | |
1195 | ||
1196 | /* detected reuse of integer stack slot with a pointer | |
1197 | * which means either llvm is reusing stack slot or | |
1198 | * an attacker is trying to exploit CVE-2018-3639 | |
1199 | * (speculative store bypass) | |
1200 | * Have to sanitize that slot with preemptive | |
1201 | * store of zero. | |
1202 | */ | |
1203 | if (*poff && *poff != soff) { | |
1204 | /* disallow programs where single insn stores | |
1205 | * into two different stack slots, since verifier | |
1206 | * cannot sanitize them | |
1207 | */ | |
1208 | verbose(env, | |
1209 | "insn %d cannot access two stack slots fp%d and fp%d", | |
1210 | insn_idx, *poff, soff); | |
1211 | return -EINVAL; | |
1212 | } | |
1213 | *poff = soff; | |
1214 | } | |
638f5b90 | 1215 | state->stack[spi].slot_type[i] = STACK_SPILL; |
af86ca4e | 1216 | } |
9c399760 | 1217 | } else { |
cc2b14d5 AS |
1218 | u8 type = STACK_MISC; |
1219 | ||
679c782d EC |
1220 | /* regular write of data into stack destroys any spilled ptr */ |
1221 | state->stack[spi].spilled_ptr.type = NOT_INIT; | |
9c399760 | 1222 | |
cc2b14d5 AS |
1223 | /* only mark the slot as written if all 8 bytes were written |
1224 | * otherwise read propagation may incorrectly stop too soon | |
1225 | * when stack slots are partially written. | |
1226 | * This heuristic means that read propagation will be | |
1227 | * conservative, since it will add reg_live_read marks | |
1228 | * to stack slots all the way to first state when programs | |
1229 | * writes+reads less than 8 bytes | |
1230 | */ | |
1231 | if (size == BPF_REG_SIZE) | |
1232 | state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; | |
1233 | ||
1234 | /* when we zero initialize stack slots mark them as such */ | |
1235 | if (value_regno >= 0 && | |
1236 | register_is_null(&cur->regs[value_regno])) | |
1237 | type = STACK_ZERO; | |
1238 | ||
9c399760 | 1239 | for (i = 0; i < size; i++) |
638f5b90 | 1240 | state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = |
cc2b14d5 | 1241 | type; |
17a52670 AS |
1242 | } |
1243 | return 0; | |
1244 | } | |
1245 | ||
61bd5218 | 1246 | static int check_stack_read(struct bpf_verifier_env *env, |
f4d7e40a AS |
1247 | struct bpf_func_state *reg_state /* func where register points to */, |
1248 | int off, int size, int value_regno) | |
17a52670 | 1249 | { |
f4d7e40a AS |
1250 | struct bpf_verifier_state *vstate = env->cur_state; |
1251 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
638f5b90 AS |
1252 | int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; |
1253 | u8 *stype; | |
17a52670 | 1254 | |
f4d7e40a | 1255 | if (reg_state->allocated_stack <= slot) { |
638f5b90 AS |
1256 | verbose(env, "invalid read from stack off %d+0 size %d\n", |
1257 | off, size); | |
1258 | return -EACCES; | |
1259 | } | |
f4d7e40a | 1260 | stype = reg_state->stack[spi].slot_type; |
17a52670 | 1261 | |
638f5b90 | 1262 | if (stype[0] == STACK_SPILL) { |
9c399760 | 1263 | if (size != BPF_REG_SIZE) { |
61bd5218 | 1264 | verbose(env, "invalid size of register spill\n"); |
17a52670 AS |
1265 | return -EACCES; |
1266 | } | |
9c399760 | 1267 | for (i = 1; i < BPF_REG_SIZE; i++) { |
638f5b90 | 1268 | if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) { |
61bd5218 | 1269 | verbose(env, "corrupted spill memory\n"); |
17a52670 AS |
1270 | return -EACCES; |
1271 | } | |
1272 | } | |
1273 | ||
dc503a8a | 1274 | if (value_regno >= 0) { |
17a52670 | 1275 | /* restore register state from stack */ |
f4d7e40a | 1276 | state->regs[value_regno] = reg_state->stack[spi].spilled_ptr; |
2f18f62e AS |
1277 | /* mark reg as written since spilled pointer state likely |
1278 | * has its liveness marks cleared by is_state_visited() | |
1279 | * which resets stack/reg liveness for state transitions | |
1280 | */ | |
1281 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; | |
dc503a8a | 1282 | } |
679c782d EC |
1283 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
1284 | reg_state->stack[spi].spilled_ptr.parent); | |
17a52670 AS |
1285 | return 0; |
1286 | } else { | |
cc2b14d5 AS |
1287 | int zeros = 0; |
1288 | ||
17a52670 | 1289 | for (i = 0; i < size; i++) { |
cc2b14d5 AS |
1290 | if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC) |
1291 | continue; | |
1292 | if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) { | |
1293 | zeros++; | |
1294 | continue; | |
17a52670 | 1295 | } |
cc2b14d5 AS |
1296 | verbose(env, "invalid read from stack off %d+%d size %d\n", |
1297 | off, i, size); | |
1298 | return -EACCES; | |
1299 | } | |
679c782d EC |
1300 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
1301 | reg_state->stack[spi].spilled_ptr.parent); | |
cc2b14d5 AS |
1302 | if (value_regno >= 0) { |
1303 | if (zeros == size) { | |
1304 | /* any size read into register is zero extended, | |
1305 | * so the whole register == const_zero | |
1306 | */ | |
1307 | __mark_reg_const_zero(&state->regs[value_regno]); | |
1308 | } else { | |
1309 | /* have read misc data from the stack */ | |
1310 | mark_reg_unknown(env, state->regs, value_regno); | |
1311 | } | |
1312 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; | |
17a52670 | 1313 | } |
17a52670 AS |
1314 | return 0; |
1315 | } | |
1316 | } | |
1317 | ||
1318 | /* check read/write into map element returned by bpf_map_lookup_elem() */ | |
f1174f77 | 1319 | static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, |
9fd29c08 | 1320 | int size, bool zero_size_allowed) |
17a52670 | 1321 | { |
638f5b90 AS |
1322 | struct bpf_reg_state *regs = cur_regs(env); |
1323 | struct bpf_map *map = regs[regno].map_ptr; | |
17a52670 | 1324 | |
9fd29c08 YS |
1325 | if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
1326 | off + size > map->value_size) { | |
61bd5218 | 1327 | verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n", |
17a52670 AS |
1328 | map->value_size, off, size); |
1329 | return -EACCES; | |
1330 | } | |
1331 | return 0; | |
1332 | } | |
1333 | ||
f1174f77 EC |
1334 | /* check read/write into a map element with possible variable offset */ |
1335 | static int check_map_access(struct bpf_verifier_env *env, u32 regno, | |
9fd29c08 | 1336 | int off, int size, bool zero_size_allowed) |
dbcfe5f7 | 1337 | { |
f4d7e40a AS |
1338 | struct bpf_verifier_state *vstate = env->cur_state; |
1339 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
dbcfe5f7 GB |
1340 | struct bpf_reg_state *reg = &state->regs[regno]; |
1341 | int err; | |
1342 | ||
f1174f77 EC |
1343 | /* We may have adjusted the register to this map value, so we |
1344 | * need to try adding each of min_value and max_value to off | |
1345 | * to make sure our theoretical access will be safe. | |
dbcfe5f7 | 1346 | */ |
61bd5218 JK |
1347 | if (env->log.level) |
1348 | print_verifier_state(env, state); | |
dbcfe5f7 GB |
1349 | /* The minimum value is only important with signed |
1350 | * comparisons where we can't assume the floor of a | |
1351 | * value is 0. If we are using signed variables for our | |
1352 | * index'es we need to make sure that whatever we use | |
1353 | * will have a set floor within our range. | |
1354 | */ | |
b03c9f9f | 1355 | if (reg->smin_value < 0) { |
61bd5218 | 1356 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
dbcfe5f7 GB |
1357 | regno); |
1358 | return -EACCES; | |
1359 | } | |
9fd29c08 YS |
1360 | err = __check_map_access(env, regno, reg->smin_value + off, size, |
1361 | zero_size_allowed); | |
dbcfe5f7 | 1362 | if (err) { |
61bd5218 JK |
1363 | verbose(env, "R%d min value is outside of the array range\n", |
1364 | regno); | |
dbcfe5f7 GB |
1365 | return err; |
1366 | } | |
1367 | ||
b03c9f9f EC |
1368 | /* If we haven't set a max value then we need to bail since we can't be |
1369 | * sure we won't do bad things. | |
1370 | * If reg->umax_value + off could overflow, treat that as unbounded too. | |
dbcfe5f7 | 1371 | */ |
b03c9f9f | 1372 | if (reg->umax_value >= BPF_MAX_VAR_OFF) { |
61bd5218 | 1373 | verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n", |
dbcfe5f7 GB |
1374 | regno); |
1375 | return -EACCES; | |
1376 | } | |
9fd29c08 YS |
1377 | err = __check_map_access(env, regno, reg->umax_value + off, size, |
1378 | zero_size_allowed); | |
f1174f77 | 1379 | if (err) |
61bd5218 JK |
1380 | verbose(env, "R%d max value is outside of the array range\n", |
1381 | regno); | |
f1174f77 | 1382 | return err; |
dbcfe5f7 GB |
1383 | } |
1384 | ||
969bf05e AS |
1385 | #define MAX_PACKET_OFF 0xffff |
1386 | ||
58e2af8b | 1387 | static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, |
3a0af8fd TG |
1388 | const struct bpf_call_arg_meta *meta, |
1389 | enum bpf_access_type t) | |
4acf6c0b | 1390 | { |
36bbef52 | 1391 | switch (env->prog->type) { |
5d66fa7d | 1392 | /* Program types only with direct read access go here! */ |
3a0af8fd TG |
1393 | case BPF_PROG_TYPE_LWT_IN: |
1394 | case BPF_PROG_TYPE_LWT_OUT: | |
004d4b27 | 1395 | case BPF_PROG_TYPE_LWT_SEG6LOCAL: |
2dbb9b9e | 1396 | case BPF_PROG_TYPE_SK_REUSEPORT: |
5d66fa7d | 1397 | case BPF_PROG_TYPE_FLOW_DISSECTOR: |
d5563d36 | 1398 | case BPF_PROG_TYPE_CGROUP_SKB: |
3a0af8fd TG |
1399 | if (t == BPF_WRITE) |
1400 | return false; | |
7e57fbb2 | 1401 | /* fallthrough */ |
5d66fa7d DB |
1402 | |
1403 | /* Program types with direct read + write access go here! */ | |
36bbef52 DB |
1404 | case BPF_PROG_TYPE_SCHED_CLS: |
1405 | case BPF_PROG_TYPE_SCHED_ACT: | |
4acf6c0b | 1406 | case BPF_PROG_TYPE_XDP: |
3a0af8fd | 1407 | case BPF_PROG_TYPE_LWT_XMIT: |
8a31db56 | 1408 | case BPF_PROG_TYPE_SK_SKB: |
4f738adb | 1409 | case BPF_PROG_TYPE_SK_MSG: |
36bbef52 DB |
1410 | if (meta) |
1411 | return meta->pkt_access; | |
1412 | ||
1413 | env->seen_direct_write = true; | |
4acf6c0b BB |
1414 | return true; |
1415 | default: | |
1416 | return false; | |
1417 | } | |
1418 | } | |
1419 | ||
f1174f77 | 1420 | static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, |
9fd29c08 | 1421 | int off, int size, bool zero_size_allowed) |
969bf05e | 1422 | { |
638f5b90 | 1423 | struct bpf_reg_state *regs = cur_regs(env); |
58e2af8b | 1424 | struct bpf_reg_state *reg = ®s[regno]; |
969bf05e | 1425 | |
9fd29c08 YS |
1426 | if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
1427 | (u64)off + size > reg->range) { | |
61bd5218 | 1428 | verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", |
d91b28ed | 1429 | off, size, regno, reg->id, reg->off, reg->range); |
969bf05e AS |
1430 | return -EACCES; |
1431 | } | |
1432 | return 0; | |
1433 | } | |
1434 | ||
f1174f77 | 1435 | static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, |
9fd29c08 | 1436 | int size, bool zero_size_allowed) |
f1174f77 | 1437 | { |
638f5b90 | 1438 | struct bpf_reg_state *regs = cur_regs(env); |
f1174f77 EC |
1439 | struct bpf_reg_state *reg = ®s[regno]; |
1440 | int err; | |
1441 | ||
1442 | /* We may have added a variable offset to the packet pointer; but any | |
1443 | * reg->range we have comes after that. We are only checking the fixed | |
1444 | * offset. | |
1445 | */ | |
1446 | ||
1447 | /* We don't allow negative numbers, because we aren't tracking enough | |
1448 | * detail to prove they're safe. | |
1449 | */ | |
b03c9f9f | 1450 | if (reg->smin_value < 0) { |
61bd5218 | 1451 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
f1174f77 EC |
1452 | regno); |
1453 | return -EACCES; | |
1454 | } | |
9fd29c08 | 1455 | err = __check_packet_access(env, regno, off, size, zero_size_allowed); |
f1174f77 | 1456 | if (err) { |
61bd5218 | 1457 | verbose(env, "R%d offset is outside of the packet\n", regno); |
f1174f77 EC |
1458 | return err; |
1459 | } | |
e647815a JW |
1460 | |
1461 | /* __check_packet_access has made sure "off + size - 1" is within u16. | |
1462 | * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff, | |
1463 | * otherwise find_good_pkt_pointers would have refused to set range info | |
1464 | * that __check_packet_access would have rejected this pkt access. | |
1465 | * Therefore, "off + reg->umax_value + size - 1" won't overflow u32. | |
1466 | */ | |
1467 | env->prog->aux->max_pkt_offset = | |
1468 | max_t(u32, env->prog->aux->max_pkt_offset, | |
1469 | off + reg->umax_value + size - 1); | |
1470 | ||
f1174f77 EC |
1471 | return err; |
1472 | } | |
1473 | ||
1474 | /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ | |
31fd8581 | 1475 | static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, |
19de99f7 | 1476 | enum bpf_access_type t, enum bpf_reg_type *reg_type) |
17a52670 | 1477 | { |
f96da094 DB |
1478 | struct bpf_insn_access_aux info = { |
1479 | .reg_type = *reg_type, | |
1480 | }; | |
31fd8581 | 1481 | |
4f9218aa | 1482 | if (env->ops->is_valid_access && |
5e43f899 | 1483 | env->ops->is_valid_access(off, size, t, env->prog, &info)) { |
f96da094 DB |
1484 | /* A non zero info.ctx_field_size indicates that this field is a |
1485 | * candidate for later verifier transformation to load the whole | |
1486 | * field and then apply a mask when accessed with a narrower | |
1487 | * access than actual ctx access size. A zero info.ctx_field_size | |
1488 | * will only allow for whole field access and rejects any other | |
1489 | * type of narrower access. | |
31fd8581 | 1490 | */ |
23994631 | 1491 | *reg_type = info.reg_type; |
31fd8581 | 1492 | |
4f9218aa | 1493 | env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size; |
32bbe007 AS |
1494 | /* remember the offset of last byte accessed in ctx */ |
1495 | if (env->prog->aux->max_ctx_offset < off + size) | |
1496 | env->prog->aux->max_ctx_offset = off + size; | |
17a52670 | 1497 | return 0; |
32bbe007 | 1498 | } |
17a52670 | 1499 | |
61bd5218 | 1500 | verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size); |
17a52670 AS |
1501 | return -EACCES; |
1502 | } | |
1503 | ||
d58e468b PP |
1504 | static int check_flow_keys_access(struct bpf_verifier_env *env, int off, |
1505 | int size) | |
1506 | { | |
1507 | if (size < 0 || off < 0 || | |
1508 | (u64)off + size > sizeof(struct bpf_flow_keys)) { | |
1509 | verbose(env, "invalid access to flow keys off=%d size=%d\n", | |
1510 | off, size); | |
1511 | return -EACCES; | |
1512 | } | |
1513 | return 0; | |
1514 | } | |
1515 | ||
c64b7983 JS |
1516 | static int check_sock_access(struct bpf_verifier_env *env, u32 regno, int off, |
1517 | int size, enum bpf_access_type t) | |
1518 | { | |
1519 | struct bpf_reg_state *regs = cur_regs(env); | |
1520 | struct bpf_reg_state *reg = ®s[regno]; | |
1521 | struct bpf_insn_access_aux info; | |
1522 | ||
1523 | if (reg->smin_value < 0) { | |
1524 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", | |
1525 | regno); | |
1526 | return -EACCES; | |
1527 | } | |
1528 | ||
1529 | if (!bpf_sock_is_valid_access(off, size, t, &info)) { | |
1530 | verbose(env, "invalid bpf_sock access off=%d size=%d\n", | |
1531 | off, size); | |
1532 | return -EACCES; | |
1533 | } | |
1534 | ||
1535 | return 0; | |
1536 | } | |
1537 | ||
4cabc5b1 DB |
1538 | static bool __is_pointer_value(bool allow_ptr_leaks, |
1539 | const struct bpf_reg_state *reg) | |
1be7f75d | 1540 | { |
4cabc5b1 | 1541 | if (allow_ptr_leaks) |
1be7f75d AS |
1542 | return false; |
1543 | ||
f1174f77 | 1544 | return reg->type != SCALAR_VALUE; |
1be7f75d AS |
1545 | } |
1546 | ||
2a159c6f DB |
1547 | static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno) |
1548 | { | |
1549 | return cur_regs(env) + regno; | |
1550 | } | |
1551 | ||
4cabc5b1 DB |
1552 | static bool is_pointer_value(struct bpf_verifier_env *env, int regno) |
1553 | { | |
2a159c6f | 1554 | return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno)); |
4cabc5b1 DB |
1555 | } |
1556 | ||
f37a8cb8 DB |
1557 | static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) |
1558 | { | |
2a159c6f | 1559 | const struct bpf_reg_state *reg = reg_state(env, regno); |
f37a8cb8 | 1560 | |
fd978bf7 JS |
1561 | return reg->type == PTR_TO_CTX || |
1562 | reg->type == PTR_TO_SOCKET; | |
f37a8cb8 DB |
1563 | } |
1564 | ||
ca369602 DB |
1565 | static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) |
1566 | { | |
2a159c6f | 1567 | const struct bpf_reg_state *reg = reg_state(env, regno); |
ca369602 DB |
1568 | |
1569 | return type_is_pkt_pointer(reg->type); | |
1570 | } | |
1571 | ||
4b5defde DB |
1572 | static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno) |
1573 | { | |
1574 | const struct bpf_reg_state *reg = reg_state(env, regno); | |
1575 | ||
1576 | /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */ | |
1577 | return reg->type == PTR_TO_FLOW_KEYS; | |
1578 | } | |
1579 | ||
61bd5218 JK |
1580 | static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, |
1581 | const struct bpf_reg_state *reg, | |
d1174416 | 1582 | int off, int size, bool strict) |
969bf05e | 1583 | { |
f1174f77 | 1584 | struct tnum reg_off; |
e07b98d9 | 1585 | int ip_align; |
d1174416 DM |
1586 | |
1587 | /* Byte size accesses are always allowed. */ | |
1588 | if (!strict || size == 1) | |
1589 | return 0; | |
1590 | ||
e4eda884 DM |
1591 | /* For platforms that do not have a Kconfig enabling |
1592 | * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of | |
1593 | * NET_IP_ALIGN is universally set to '2'. And on platforms | |
1594 | * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get | |
1595 | * to this code only in strict mode where we want to emulate | |
1596 | * the NET_IP_ALIGN==2 checking. Therefore use an | |
1597 | * unconditional IP align value of '2'. | |
e07b98d9 | 1598 | */ |
e4eda884 | 1599 | ip_align = 2; |
f1174f77 EC |
1600 | |
1601 | reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off)); | |
1602 | if (!tnum_is_aligned(reg_off, size)) { | |
1603 | char tn_buf[48]; | |
1604 | ||
1605 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 JK |
1606 | verbose(env, |
1607 | "misaligned packet access off %d+%s+%d+%d size %d\n", | |
f1174f77 | 1608 | ip_align, tn_buf, reg->off, off, size); |
969bf05e AS |
1609 | return -EACCES; |
1610 | } | |
79adffcd | 1611 | |
969bf05e AS |
1612 | return 0; |
1613 | } | |
1614 | ||
61bd5218 JK |
1615 | static int check_generic_ptr_alignment(struct bpf_verifier_env *env, |
1616 | const struct bpf_reg_state *reg, | |
f1174f77 EC |
1617 | const char *pointer_desc, |
1618 | int off, int size, bool strict) | |
79adffcd | 1619 | { |
f1174f77 EC |
1620 | struct tnum reg_off; |
1621 | ||
1622 | /* Byte size accesses are always allowed. */ | |
1623 | if (!strict || size == 1) | |
1624 | return 0; | |
1625 | ||
1626 | reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off)); | |
1627 | if (!tnum_is_aligned(reg_off, size)) { | |
1628 | char tn_buf[48]; | |
1629 | ||
1630 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 | 1631 | verbose(env, "misaligned %saccess off %s+%d+%d size %d\n", |
f1174f77 | 1632 | pointer_desc, tn_buf, reg->off, off, size); |
79adffcd DB |
1633 | return -EACCES; |
1634 | } | |
1635 | ||
969bf05e AS |
1636 | return 0; |
1637 | } | |
1638 | ||
e07b98d9 | 1639 | static int check_ptr_alignment(struct bpf_verifier_env *env, |
ca369602 DB |
1640 | const struct bpf_reg_state *reg, int off, |
1641 | int size, bool strict_alignment_once) | |
79adffcd | 1642 | { |
ca369602 | 1643 | bool strict = env->strict_alignment || strict_alignment_once; |
f1174f77 | 1644 | const char *pointer_desc = ""; |
d1174416 | 1645 | |
79adffcd DB |
1646 | switch (reg->type) { |
1647 | case PTR_TO_PACKET: | |
de8f3a83 DB |
1648 | case PTR_TO_PACKET_META: |
1649 | /* Special case, because of NET_IP_ALIGN. Given metadata sits | |
1650 | * right in front, treat it the very same way. | |
1651 | */ | |
61bd5218 | 1652 | return check_pkt_ptr_alignment(env, reg, off, size, strict); |
d58e468b PP |
1653 | case PTR_TO_FLOW_KEYS: |
1654 | pointer_desc = "flow keys "; | |
1655 | break; | |
f1174f77 EC |
1656 | case PTR_TO_MAP_VALUE: |
1657 | pointer_desc = "value "; | |
1658 | break; | |
1659 | case PTR_TO_CTX: | |
1660 | pointer_desc = "context "; | |
1661 | break; | |
1662 | case PTR_TO_STACK: | |
1663 | pointer_desc = "stack "; | |
a5ec6ae1 JH |
1664 | /* The stack spill tracking logic in check_stack_write() |
1665 | * and check_stack_read() relies on stack accesses being | |
1666 | * aligned. | |
1667 | */ | |
1668 | strict = true; | |
f1174f77 | 1669 | break; |
c64b7983 JS |
1670 | case PTR_TO_SOCKET: |
1671 | pointer_desc = "sock "; | |
1672 | break; | |
79adffcd | 1673 | default: |
f1174f77 | 1674 | break; |
79adffcd | 1675 | } |
61bd5218 JK |
1676 | return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, |
1677 | strict); | |
79adffcd DB |
1678 | } |
1679 | ||
f4d7e40a AS |
1680 | static int update_stack_depth(struct bpf_verifier_env *env, |
1681 | const struct bpf_func_state *func, | |
1682 | int off) | |
1683 | { | |
9c8105bd | 1684 | u16 stack = env->subprog_info[func->subprogno].stack_depth; |
f4d7e40a AS |
1685 | |
1686 | if (stack >= -off) | |
1687 | return 0; | |
1688 | ||
1689 | /* update known max for given subprogram */ | |
9c8105bd | 1690 | env->subprog_info[func->subprogno].stack_depth = -off; |
70a87ffe AS |
1691 | return 0; |
1692 | } | |
f4d7e40a | 1693 | |
70a87ffe AS |
1694 | /* starting from main bpf function walk all instructions of the function |
1695 | * and recursively walk all callees that given function can call. | |
1696 | * Ignore jump and exit insns. | |
1697 | * Since recursion is prevented by check_cfg() this algorithm | |
1698 | * only needs a local stack of MAX_CALL_FRAMES to remember callsites | |
1699 | */ | |
1700 | static int check_max_stack_depth(struct bpf_verifier_env *env) | |
1701 | { | |
9c8105bd JW |
1702 | int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; |
1703 | struct bpf_subprog_info *subprog = env->subprog_info; | |
70a87ffe | 1704 | struct bpf_insn *insn = env->prog->insnsi; |
70a87ffe AS |
1705 | int ret_insn[MAX_CALL_FRAMES]; |
1706 | int ret_prog[MAX_CALL_FRAMES]; | |
f4d7e40a | 1707 | |
70a87ffe AS |
1708 | process_func: |
1709 | /* round up to 32-bytes, since this is granularity | |
1710 | * of interpreter stack size | |
1711 | */ | |
9c8105bd | 1712 | depth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
70a87ffe | 1713 | if (depth > MAX_BPF_STACK) { |
f4d7e40a | 1714 | verbose(env, "combined stack size of %d calls is %d. Too large\n", |
70a87ffe | 1715 | frame + 1, depth); |
f4d7e40a AS |
1716 | return -EACCES; |
1717 | } | |
70a87ffe | 1718 | continue_func: |
4cb3d99c | 1719 | subprog_end = subprog[idx + 1].start; |
70a87ffe AS |
1720 | for (; i < subprog_end; i++) { |
1721 | if (insn[i].code != (BPF_JMP | BPF_CALL)) | |
1722 | continue; | |
1723 | if (insn[i].src_reg != BPF_PSEUDO_CALL) | |
1724 | continue; | |
1725 | /* remember insn and function to return to */ | |
1726 | ret_insn[frame] = i + 1; | |
9c8105bd | 1727 | ret_prog[frame] = idx; |
70a87ffe AS |
1728 | |
1729 | /* find the callee */ | |
1730 | i = i + insn[i].imm + 1; | |
9c8105bd JW |
1731 | idx = find_subprog(env, i); |
1732 | if (idx < 0) { | |
70a87ffe AS |
1733 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", |
1734 | i); | |
1735 | return -EFAULT; | |
1736 | } | |
70a87ffe AS |
1737 | frame++; |
1738 | if (frame >= MAX_CALL_FRAMES) { | |
1739 | WARN_ONCE(1, "verifier bug. Call stack is too deep\n"); | |
1740 | return -EFAULT; | |
1741 | } | |
1742 | goto process_func; | |
1743 | } | |
1744 | /* end of for() loop means the last insn of the 'subprog' | |
1745 | * was reached. Doesn't matter whether it was JA or EXIT | |
1746 | */ | |
1747 | if (frame == 0) | |
1748 | return 0; | |
9c8105bd | 1749 | depth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
70a87ffe AS |
1750 | frame--; |
1751 | i = ret_insn[frame]; | |
9c8105bd | 1752 | idx = ret_prog[frame]; |
70a87ffe | 1753 | goto continue_func; |
f4d7e40a AS |
1754 | } |
1755 | ||
19d28fbd | 1756 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
1ea47e01 AS |
1757 | static int get_callee_stack_depth(struct bpf_verifier_env *env, |
1758 | const struct bpf_insn *insn, int idx) | |
1759 | { | |
1760 | int start = idx + insn->imm + 1, subprog; | |
1761 | ||
1762 | subprog = find_subprog(env, start); | |
1763 | if (subprog < 0) { | |
1764 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", | |
1765 | start); | |
1766 | return -EFAULT; | |
1767 | } | |
9c8105bd | 1768 | return env->subprog_info[subprog].stack_depth; |
1ea47e01 | 1769 | } |
19d28fbd | 1770 | #endif |
1ea47e01 | 1771 | |
58990d1f DB |
1772 | static int check_ctx_reg(struct bpf_verifier_env *env, |
1773 | const struct bpf_reg_state *reg, int regno) | |
1774 | { | |
1775 | /* Access to ctx or passing it to a helper is only allowed in | |
1776 | * its original, unmodified form. | |
1777 | */ | |
1778 | ||
1779 | if (reg->off) { | |
1780 | verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n", | |
1781 | regno, reg->off); | |
1782 | return -EACCES; | |
1783 | } | |
1784 | ||
1785 | if (!tnum_is_const(reg->var_off) || reg->var_off.value) { | |
1786 | char tn_buf[48]; | |
1787 | ||
1788 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
1789 | verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf); | |
1790 | return -EACCES; | |
1791 | } | |
1792 | ||
1793 | return 0; | |
1794 | } | |
1795 | ||
0c17d1d2 JH |
1796 | /* truncate register to smaller size (in bytes) |
1797 | * must be called with size < BPF_REG_SIZE | |
1798 | */ | |
1799 | static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) | |
1800 | { | |
1801 | u64 mask; | |
1802 | ||
1803 | /* clear high bits in bit representation */ | |
1804 | reg->var_off = tnum_cast(reg->var_off, size); | |
1805 | ||
1806 | /* fix arithmetic bounds */ | |
1807 | mask = ((u64)1 << (size * 8)) - 1; | |
1808 | if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { | |
1809 | reg->umin_value &= mask; | |
1810 | reg->umax_value &= mask; | |
1811 | } else { | |
1812 | reg->umin_value = 0; | |
1813 | reg->umax_value = mask; | |
1814 | } | |
1815 | reg->smin_value = reg->umin_value; | |
1816 | reg->smax_value = reg->umax_value; | |
1817 | } | |
1818 | ||
17a52670 AS |
1819 | /* check whether memory at (regno + off) is accessible for t = (read | write) |
1820 | * if t==write, value_regno is a register which value is stored into memory | |
1821 | * if t==read, value_regno is a register which will receive the value from memory | |
1822 | * if t==write && value_regno==-1, some unknown value is stored into memory | |
1823 | * if t==read && value_regno==-1, don't care what we read from memory | |
1824 | */ | |
ca369602 DB |
1825 | static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, |
1826 | int off, int bpf_size, enum bpf_access_type t, | |
1827 | int value_regno, bool strict_alignment_once) | |
17a52670 | 1828 | { |
638f5b90 AS |
1829 | struct bpf_reg_state *regs = cur_regs(env); |
1830 | struct bpf_reg_state *reg = regs + regno; | |
f4d7e40a | 1831 | struct bpf_func_state *state; |
17a52670 AS |
1832 | int size, err = 0; |
1833 | ||
1834 | size = bpf_size_to_bytes(bpf_size); | |
1835 | if (size < 0) | |
1836 | return size; | |
1837 | ||
f1174f77 | 1838 | /* alignment checks will add in reg->off themselves */ |
ca369602 | 1839 | err = check_ptr_alignment(env, reg, off, size, strict_alignment_once); |
969bf05e AS |
1840 | if (err) |
1841 | return err; | |
17a52670 | 1842 | |
f1174f77 EC |
1843 | /* for access checks, reg->off is just part of off */ |
1844 | off += reg->off; | |
1845 | ||
1846 | if (reg->type == PTR_TO_MAP_VALUE) { | |
1be7f75d AS |
1847 | if (t == BPF_WRITE && value_regno >= 0 && |
1848 | is_pointer_value(env, value_regno)) { | |
61bd5218 | 1849 | verbose(env, "R%d leaks addr into map\n", value_regno); |
1be7f75d AS |
1850 | return -EACCES; |
1851 | } | |
48461135 | 1852 | |
9fd29c08 | 1853 | err = check_map_access(env, regno, off, size, false); |
17a52670 | 1854 | if (!err && t == BPF_READ && value_regno >= 0) |
638f5b90 | 1855 | mark_reg_unknown(env, regs, value_regno); |
17a52670 | 1856 | |
1a0dc1ac | 1857 | } else if (reg->type == PTR_TO_CTX) { |
f1174f77 | 1858 | enum bpf_reg_type reg_type = SCALAR_VALUE; |
19de99f7 | 1859 | |
1be7f75d AS |
1860 | if (t == BPF_WRITE && value_regno >= 0 && |
1861 | is_pointer_value(env, value_regno)) { | |
61bd5218 | 1862 | verbose(env, "R%d leaks addr into ctx\n", value_regno); |
1be7f75d AS |
1863 | return -EACCES; |
1864 | } | |
f1174f77 | 1865 | |
58990d1f DB |
1866 | err = check_ctx_reg(env, reg, regno); |
1867 | if (err < 0) | |
1868 | return err; | |
1869 | ||
31fd8581 | 1870 | err = check_ctx_access(env, insn_idx, off, size, t, ®_type); |
969bf05e | 1871 | if (!err && t == BPF_READ && value_regno >= 0) { |
f1174f77 | 1872 | /* ctx access returns either a scalar, or a |
de8f3a83 DB |
1873 | * PTR_TO_PACKET[_META,_END]. In the latter |
1874 | * case, we know the offset is zero. | |
f1174f77 EC |
1875 | */ |
1876 | if (reg_type == SCALAR_VALUE) | |
638f5b90 | 1877 | mark_reg_unknown(env, regs, value_regno); |
f1174f77 | 1878 | else |
638f5b90 | 1879 | mark_reg_known_zero(env, regs, |
61bd5218 | 1880 | value_regno); |
638f5b90 | 1881 | regs[value_regno].type = reg_type; |
969bf05e | 1882 | } |
17a52670 | 1883 | |
f1174f77 EC |
1884 | } else if (reg->type == PTR_TO_STACK) { |
1885 | /* stack accesses must be at a fixed offset, so that we can | |
1886 | * determine what type of data were returned. | |
1887 | * See check_stack_read(). | |
1888 | */ | |
1889 | if (!tnum_is_const(reg->var_off)) { | |
1890 | char tn_buf[48]; | |
1891 | ||
1892 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 | 1893 | verbose(env, "variable stack access var_off=%s off=%d size=%d", |
f1174f77 EC |
1894 | tn_buf, off, size); |
1895 | return -EACCES; | |
1896 | } | |
1897 | off += reg->var_off.value; | |
17a52670 | 1898 | if (off >= 0 || off < -MAX_BPF_STACK) { |
61bd5218 JK |
1899 | verbose(env, "invalid stack off=%d size=%d\n", off, |
1900 | size); | |
17a52670 AS |
1901 | return -EACCES; |
1902 | } | |
8726679a | 1903 | |
f4d7e40a AS |
1904 | state = func(env, reg); |
1905 | err = update_stack_depth(env, state, off); | |
1906 | if (err) | |
1907 | return err; | |
8726679a | 1908 | |
638f5b90 | 1909 | if (t == BPF_WRITE) |
61bd5218 | 1910 | err = check_stack_write(env, state, off, size, |
af86ca4e | 1911 | value_regno, insn_idx); |
638f5b90 | 1912 | else |
61bd5218 JK |
1913 | err = check_stack_read(env, state, off, size, |
1914 | value_regno); | |
de8f3a83 | 1915 | } else if (reg_is_pkt_pointer(reg)) { |
3a0af8fd | 1916 | if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { |
61bd5218 | 1917 | verbose(env, "cannot write into packet\n"); |
969bf05e AS |
1918 | return -EACCES; |
1919 | } | |
4acf6c0b BB |
1920 | if (t == BPF_WRITE && value_regno >= 0 && |
1921 | is_pointer_value(env, value_regno)) { | |
61bd5218 JK |
1922 | verbose(env, "R%d leaks addr into packet\n", |
1923 | value_regno); | |
4acf6c0b BB |
1924 | return -EACCES; |
1925 | } | |
9fd29c08 | 1926 | err = check_packet_access(env, regno, off, size, false); |
969bf05e | 1927 | if (!err && t == BPF_READ && value_regno >= 0) |
638f5b90 | 1928 | mark_reg_unknown(env, regs, value_regno); |
d58e468b PP |
1929 | } else if (reg->type == PTR_TO_FLOW_KEYS) { |
1930 | if (t == BPF_WRITE && value_regno >= 0 && | |
1931 | is_pointer_value(env, value_regno)) { | |
1932 | verbose(env, "R%d leaks addr into flow keys\n", | |
1933 | value_regno); | |
1934 | return -EACCES; | |
1935 | } | |
1936 | ||
1937 | err = check_flow_keys_access(env, off, size); | |
1938 | if (!err && t == BPF_READ && value_regno >= 0) | |
1939 | mark_reg_unknown(env, regs, value_regno); | |
c64b7983 JS |
1940 | } else if (reg->type == PTR_TO_SOCKET) { |
1941 | if (t == BPF_WRITE) { | |
1942 | verbose(env, "cannot write into socket\n"); | |
1943 | return -EACCES; | |
1944 | } | |
1945 | err = check_sock_access(env, regno, off, size, t); | |
1946 | if (!err && value_regno >= 0) | |
1947 | mark_reg_unknown(env, regs, value_regno); | |
17a52670 | 1948 | } else { |
61bd5218 JK |
1949 | verbose(env, "R%d invalid mem access '%s'\n", regno, |
1950 | reg_type_str[reg->type]); | |
17a52670 AS |
1951 | return -EACCES; |
1952 | } | |
969bf05e | 1953 | |
f1174f77 | 1954 | if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && |
638f5b90 | 1955 | regs[value_regno].type == SCALAR_VALUE) { |
f1174f77 | 1956 | /* b/h/w load zero-extends, mark upper bits as known 0 */ |
0c17d1d2 | 1957 | coerce_reg_to_size(®s[value_regno], size); |
969bf05e | 1958 | } |
17a52670 AS |
1959 | return err; |
1960 | } | |
1961 | ||
31fd8581 | 1962 | static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn) |
17a52670 | 1963 | { |
17a52670 AS |
1964 | int err; |
1965 | ||
1966 | if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || | |
1967 | insn->imm != 0) { | |
61bd5218 | 1968 | verbose(env, "BPF_XADD uses reserved fields\n"); |
17a52670 AS |
1969 | return -EINVAL; |
1970 | } | |
1971 | ||
1972 | /* check src1 operand */ | |
dc503a8a | 1973 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
1974 | if (err) |
1975 | return err; | |
1976 | ||
1977 | /* check src2 operand */ | |
dc503a8a | 1978 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
1979 | if (err) |
1980 | return err; | |
1981 | ||
6bdf6abc | 1982 | if (is_pointer_value(env, insn->src_reg)) { |
61bd5218 | 1983 | verbose(env, "R%d leaks addr into mem\n", insn->src_reg); |
6bdf6abc DB |
1984 | return -EACCES; |
1985 | } | |
1986 | ||
ca369602 | 1987 | if (is_ctx_reg(env, insn->dst_reg) || |
4b5defde DB |
1988 | is_pkt_reg(env, insn->dst_reg) || |
1989 | is_flow_key_reg(env, insn->dst_reg)) { | |
ca369602 | 1990 | verbose(env, "BPF_XADD stores into R%d %s is not allowed\n", |
2a159c6f DB |
1991 | insn->dst_reg, |
1992 | reg_type_str[reg_state(env, insn->dst_reg)->type]); | |
f37a8cb8 DB |
1993 | return -EACCES; |
1994 | } | |
1995 | ||
17a52670 | 1996 | /* check whether atomic_add can read the memory */ |
31fd8581 | 1997 | err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
ca369602 | 1998 | BPF_SIZE(insn->code), BPF_READ, -1, true); |
17a52670 AS |
1999 | if (err) |
2000 | return err; | |
2001 | ||
2002 | /* check whether atomic_add can write into the same memory */ | |
31fd8581 | 2003 | return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
ca369602 | 2004 | BPF_SIZE(insn->code), BPF_WRITE, -1, true); |
17a52670 AS |
2005 | } |
2006 | ||
2007 | /* when register 'regno' is passed into function that will read 'access_size' | |
2008 | * bytes from that pointer, make sure that it's within stack boundary | |
f1174f77 EC |
2009 | * and all elements of stack are initialized. |
2010 | * Unlike most pointer bounds-checking functions, this one doesn't take an | |
2011 | * 'off' argument, so it has to add in reg->off itself. | |
17a52670 | 2012 | */ |
58e2af8b | 2013 | static int check_stack_boundary(struct bpf_verifier_env *env, int regno, |
435faee1 DB |
2014 | int access_size, bool zero_size_allowed, |
2015 | struct bpf_call_arg_meta *meta) | |
17a52670 | 2016 | { |
2a159c6f | 2017 | struct bpf_reg_state *reg = reg_state(env, regno); |
f4d7e40a | 2018 | struct bpf_func_state *state = func(env, reg); |
638f5b90 | 2019 | int off, i, slot, spi; |
17a52670 | 2020 | |
914cb781 | 2021 | if (reg->type != PTR_TO_STACK) { |
f1174f77 | 2022 | /* Allow zero-byte read from NULL, regardless of pointer type */ |
8e2fe1d9 | 2023 | if (zero_size_allowed && access_size == 0 && |
914cb781 | 2024 | register_is_null(reg)) |
8e2fe1d9 DB |
2025 | return 0; |
2026 | ||
61bd5218 | 2027 | verbose(env, "R%d type=%s expected=%s\n", regno, |
914cb781 | 2028 | reg_type_str[reg->type], |
8e2fe1d9 | 2029 | reg_type_str[PTR_TO_STACK]); |
17a52670 | 2030 | return -EACCES; |
8e2fe1d9 | 2031 | } |
17a52670 | 2032 | |
f1174f77 | 2033 | /* Only allow fixed-offset stack reads */ |
914cb781 | 2034 | if (!tnum_is_const(reg->var_off)) { |
f1174f77 EC |
2035 | char tn_buf[48]; |
2036 | ||
914cb781 | 2037 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
61bd5218 | 2038 | verbose(env, "invalid variable stack read R%d var_off=%s\n", |
f1174f77 | 2039 | regno, tn_buf); |
ea25f914 | 2040 | return -EACCES; |
f1174f77 | 2041 | } |
914cb781 | 2042 | off = reg->off + reg->var_off.value; |
17a52670 | 2043 | if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |
9fd29c08 | 2044 | access_size < 0 || (access_size == 0 && !zero_size_allowed)) { |
61bd5218 | 2045 | verbose(env, "invalid stack type R%d off=%d access_size=%d\n", |
17a52670 AS |
2046 | regno, off, access_size); |
2047 | return -EACCES; | |
2048 | } | |
2049 | ||
435faee1 DB |
2050 | if (meta && meta->raw_mode) { |
2051 | meta->access_size = access_size; | |
2052 | meta->regno = regno; | |
2053 | return 0; | |
2054 | } | |
2055 | ||
17a52670 | 2056 | for (i = 0; i < access_size; i++) { |
cc2b14d5 AS |
2057 | u8 *stype; |
2058 | ||
638f5b90 AS |
2059 | slot = -(off + i) - 1; |
2060 | spi = slot / BPF_REG_SIZE; | |
cc2b14d5 AS |
2061 | if (state->allocated_stack <= slot) |
2062 | goto err; | |
2063 | stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; | |
2064 | if (*stype == STACK_MISC) | |
2065 | goto mark; | |
2066 | if (*stype == STACK_ZERO) { | |
2067 | /* helper can write anything into the stack */ | |
2068 | *stype = STACK_MISC; | |
2069 | goto mark; | |
17a52670 | 2070 | } |
cc2b14d5 AS |
2071 | err: |
2072 | verbose(env, "invalid indirect read from stack off %d+%d size %d\n", | |
2073 | off, i, access_size); | |
2074 | return -EACCES; | |
2075 | mark: | |
2076 | /* reading any byte out of 8-byte 'spill_slot' will cause | |
2077 | * the whole slot to be marked as 'read' | |
2078 | */ | |
679c782d EC |
2079 | mark_reg_read(env, &state->stack[spi].spilled_ptr, |
2080 | state->stack[spi].spilled_ptr.parent); | |
17a52670 | 2081 | } |
f4d7e40a | 2082 | return update_stack_depth(env, state, off); |
17a52670 AS |
2083 | } |
2084 | ||
06c1c049 GB |
2085 | static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, |
2086 | int access_size, bool zero_size_allowed, | |
2087 | struct bpf_call_arg_meta *meta) | |
2088 | { | |
638f5b90 | 2089 | struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
06c1c049 | 2090 | |
f1174f77 | 2091 | switch (reg->type) { |
06c1c049 | 2092 | case PTR_TO_PACKET: |
de8f3a83 | 2093 | case PTR_TO_PACKET_META: |
9fd29c08 YS |
2094 | return check_packet_access(env, regno, reg->off, access_size, |
2095 | zero_size_allowed); | |
06c1c049 | 2096 | case PTR_TO_MAP_VALUE: |
9fd29c08 YS |
2097 | return check_map_access(env, regno, reg->off, access_size, |
2098 | zero_size_allowed); | |
f1174f77 | 2099 | default: /* scalar_value|ptr_to_stack or invalid ptr */ |
06c1c049 GB |
2100 | return check_stack_boundary(env, regno, access_size, |
2101 | zero_size_allowed, meta); | |
2102 | } | |
2103 | } | |
2104 | ||
90133415 DB |
2105 | static bool arg_type_is_mem_ptr(enum bpf_arg_type type) |
2106 | { | |
2107 | return type == ARG_PTR_TO_MEM || | |
2108 | type == ARG_PTR_TO_MEM_OR_NULL || | |
2109 | type == ARG_PTR_TO_UNINIT_MEM; | |
2110 | } | |
2111 | ||
2112 | static bool arg_type_is_mem_size(enum bpf_arg_type type) | |
2113 | { | |
2114 | return type == ARG_CONST_SIZE || | |
2115 | type == ARG_CONST_SIZE_OR_ZERO; | |
2116 | } | |
2117 | ||
58e2af8b | 2118 | static int check_func_arg(struct bpf_verifier_env *env, u32 regno, |
33ff9823 DB |
2119 | enum bpf_arg_type arg_type, |
2120 | struct bpf_call_arg_meta *meta) | |
17a52670 | 2121 | { |
638f5b90 | 2122 | struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
6841de8b | 2123 | enum bpf_reg_type expected_type, type = reg->type; |
17a52670 AS |
2124 | int err = 0; |
2125 | ||
80f1d68c | 2126 | if (arg_type == ARG_DONTCARE) |
17a52670 AS |
2127 | return 0; |
2128 | ||
dc503a8a EC |
2129 | err = check_reg_arg(env, regno, SRC_OP); |
2130 | if (err) | |
2131 | return err; | |
17a52670 | 2132 | |
1be7f75d AS |
2133 | if (arg_type == ARG_ANYTHING) { |
2134 | if (is_pointer_value(env, regno)) { | |
61bd5218 JK |
2135 | verbose(env, "R%d leaks addr into helper function\n", |
2136 | regno); | |
1be7f75d AS |
2137 | return -EACCES; |
2138 | } | |
80f1d68c | 2139 | return 0; |
1be7f75d | 2140 | } |
80f1d68c | 2141 | |
de8f3a83 | 2142 | if (type_is_pkt_pointer(type) && |
3a0af8fd | 2143 | !may_access_direct_pkt_data(env, meta, BPF_READ)) { |
61bd5218 | 2144 | verbose(env, "helper access to the packet is not allowed\n"); |
6841de8b AS |
2145 | return -EACCES; |
2146 | } | |
2147 | ||
8e2fe1d9 | 2148 | if (arg_type == ARG_PTR_TO_MAP_KEY || |
2ea864c5 MV |
2149 | arg_type == ARG_PTR_TO_MAP_VALUE || |
2150 | arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { | |
17a52670 | 2151 | expected_type = PTR_TO_STACK; |
d71962f3 | 2152 | if (!type_is_pkt_pointer(type) && type != PTR_TO_MAP_VALUE && |
de8f3a83 | 2153 | type != expected_type) |
6841de8b | 2154 | goto err_type; |
39f19ebb AS |
2155 | } else if (arg_type == ARG_CONST_SIZE || |
2156 | arg_type == ARG_CONST_SIZE_OR_ZERO) { | |
f1174f77 EC |
2157 | expected_type = SCALAR_VALUE; |
2158 | if (type != expected_type) | |
6841de8b | 2159 | goto err_type; |
17a52670 AS |
2160 | } else if (arg_type == ARG_CONST_MAP_PTR) { |
2161 | expected_type = CONST_PTR_TO_MAP; | |
6841de8b AS |
2162 | if (type != expected_type) |
2163 | goto err_type; | |
608cd71a AS |
2164 | } else if (arg_type == ARG_PTR_TO_CTX) { |
2165 | expected_type = PTR_TO_CTX; | |
6841de8b AS |
2166 | if (type != expected_type) |
2167 | goto err_type; | |
58990d1f DB |
2168 | err = check_ctx_reg(env, reg, regno); |
2169 | if (err < 0) | |
2170 | return err; | |
c64b7983 JS |
2171 | } else if (arg_type == ARG_PTR_TO_SOCKET) { |
2172 | expected_type = PTR_TO_SOCKET; | |
2173 | if (type != expected_type) | |
2174 | goto err_type; | |
fd978bf7 JS |
2175 | if (meta->ptr_id || !reg->id) { |
2176 | verbose(env, "verifier internal error: mismatched references meta=%d, reg=%d\n", | |
2177 | meta->ptr_id, reg->id); | |
2178 | return -EFAULT; | |
2179 | } | |
2180 | meta->ptr_id = reg->id; | |
90133415 | 2181 | } else if (arg_type_is_mem_ptr(arg_type)) { |
8e2fe1d9 DB |
2182 | expected_type = PTR_TO_STACK; |
2183 | /* One exception here. In case function allows for NULL to be | |
f1174f77 | 2184 | * passed in as argument, it's a SCALAR_VALUE type. Final test |
8e2fe1d9 DB |
2185 | * happens during stack boundary checking. |
2186 | */ | |
914cb781 | 2187 | if (register_is_null(reg) && |
db1ac496 | 2188 | arg_type == ARG_PTR_TO_MEM_OR_NULL) |
6841de8b | 2189 | /* final test in check_stack_boundary() */; |
de8f3a83 DB |
2190 | else if (!type_is_pkt_pointer(type) && |
2191 | type != PTR_TO_MAP_VALUE && | |
f1174f77 | 2192 | type != expected_type) |
6841de8b | 2193 | goto err_type; |
39f19ebb | 2194 | meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; |
17a52670 | 2195 | } else { |
61bd5218 | 2196 | verbose(env, "unsupported arg_type %d\n", arg_type); |
17a52670 AS |
2197 | return -EFAULT; |
2198 | } | |
2199 | ||
17a52670 AS |
2200 | if (arg_type == ARG_CONST_MAP_PTR) { |
2201 | /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ | |
33ff9823 | 2202 | meta->map_ptr = reg->map_ptr; |
17a52670 AS |
2203 | } else if (arg_type == ARG_PTR_TO_MAP_KEY) { |
2204 | /* bpf_map_xxx(..., map_ptr, ..., key) call: | |
2205 | * check that [key, key + map->key_size) are within | |
2206 | * stack limits and initialized | |
2207 | */ | |
33ff9823 | 2208 | if (!meta->map_ptr) { |
17a52670 AS |
2209 | /* in function declaration map_ptr must come before |
2210 | * map_key, so that it's verified and known before | |
2211 | * we have to check map_key here. Otherwise it means | |
2212 | * that kernel subsystem misconfigured verifier | |
2213 | */ | |
61bd5218 | 2214 | verbose(env, "invalid map_ptr to access map->key\n"); |
17a52670 AS |
2215 | return -EACCES; |
2216 | } | |
d71962f3 PC |
2217 | err = check_helper_mem_access(env, regno, |
2218 | meta->map_ptr->key_size, false, | |
2219 | NULL); | |
2ea864c5 MV |
2220 | } else if (arg_type == ARG_PTR_TO_MAP_VALUE || |
2221 | arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { | |
17a52670 AS |
2222 | /* bpf_map_xxx(..., map_ptr, ..., value) call: |
2223 | * check [value, value + map->value_size) validity | |
2224 | */ | |
33ff9823 | 2225 | if (!meta->map_ptr) { |
17a52670 | 2226 | /* kernel subsystem misconfigured verifier */ |
61bd5218 | 2227 | verbose(env, "invalid map_ptr to access map->value\n"); |
17a52670 AS |
2228 | return -EACCES; |
2229 | } | |
2ea864c5 | 2230 | meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE); |
d71962f3 PC |
2231 | err = check_helper_mem_access(env, regno, |
2232 | meta->map_ptr->value_size, false, | |
2ea864c5 | 2233 | meta); |
90133415 | 2234 | } else if (arg_type_is_mem_size(arg_type)) { |
39f19ebb | 2235 | bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); |
17a52670 | 2236 | |
849fa506 YS |
2237 | /* remember the mem_size which may be used later |
2238 | * to refine return values. | |
2239 | */ | |
2240 | meta->msize_smax_value = reg->smax_value; | |
2241 | meta->msize_umax_value = reg->umax_value; | |
2242 | ||
f1174f77 EC |
2243 | /* The register is SCALAR_VALUE; the access check |
2244 | * happens using its boundaries. | |
06c1c049 | 2245 | */ |
f1174f77 | 2246 | if (!tnum_is_const(reg->var_off)) |
06c1c049 GB |
2247 | /* For unprivileged variable accesses, disable raw |
2248 | * mode so that the program is required to | |
2249 | * initialize all the memory that the helper could | |
2250 | * just partially fill up. | |
2251 | */ | |
2252 | meta = NULL; | |
2253 | ||
b03c9f9f | 2254 | if (reg->smin_value < 0) { |
61bd5218 | 2255 | verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", |
f1174f77 EC |
2256 | regno); |
2257 | return -EACCES; | |
2258 | } | |
06c1c049 | 2259 | |
b03c9f9f | 2260 | if (reg->umin_value == 0) { |
f1174f77 EC |
2261 | err = check_helper_mem_access(env, regno - 1, 0, |
2262 | zero_size_allowed, | |
2263 | meta); | |
06c1c049 GB |
2264 | if (err) |
2265 | return err; | |
06c1c049 | 2266 | } |
f1174f77 | 2267 | |
b03c9f9f | 2268 | if (reg->umax_value >= BPF_MAX_VAR_SIZ) { |
61bd5218 | 2269 | verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", |
f1174f77 EC |
2270 | regno); |
2271 | return -EACCES; | |
2272 | } | |
2273 | err = check_helper_mem_access(env, regno - 1, | |
b03c9f9f | 2274 | reg->umax_value, |
f1174f77 | 2275 | zero_size_allowed, meta); |
17a52670 AS |
2276 | } |
2277 | ||
2278 | return err; | |
6841de8b | 2279 | err_type: |
61bd5218 | 2280 | verbose(env, "R%d type=%s expected=%s\n", regno, |
6841de8b AS |
2281 | reg_type_str[type], reg_type_str[expected_type]); |
2282 | return -EACCES; | |
17a52670 AS |
2283 | } |
2284 | ||
61bd5218 JK |
2285 | static int check_map_func_compatibility(struct bpf_verifier_env *env, |
2286 | struct bpf_map *map, int func_id) | |
35578d79 | 2287 | { |
35578d79 KX |
2288 | if (!map) |
2289 | return 0; | |
2290 | ||
6aff67c8 AS |
2291 | /* We need a two way check, first is from map perspective ... */ |
2292 | switch (map->map_type) { | |
2293 | case BPF_MAP_TYPE_PROG_ARRAY: | |
2294 | if (func_id != BPF_FUNC_tail_call) | |
2295 | goto error; | |
2296 | break; | |
2297 | case BPF_MAP_TYPE_PERF_EVENT_ARRAY: | |
2298 | if (func_id != BPF_FUNC_perf_event_read && | |
908432ca YS |
2299 | func_id != BPF_FUNC_perf_event_output && |
2300 | func_id != BPF_FUNC_perf_event_read_value) | |
6aff67c8 AS |
2301 | goto error; |
2302 | break; | |
2303 | case BPF_MAP_TYPE_STACK_TRACE: | |
2304 | if (func_id != BPF_FUNC_get_stackid) | |
2305 | goto error; | |
2306 | break; | |
4ed8ec52 | 2307 | case BPF_MAP_TYPE_CGROUP_ARRAY: |
60747ef4 | 2308 | if (func_id != BPF_FUNC_skb_under_cgroup && |
60d20f91 | 2309 | func_id != BPF_FUNC_current_task_under_cgroup) |
4a482f34 MKL |
2310 | goto error; |
2311 | break; | |
cd339431 | 2312 | case BPF_MAP_TYPE_CGROUP_STORAGE: |
b741f163 | 2313 | case BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE: |
cd339431 RG |
2314 | if (func_id != BPF_FUNC_get_local_storage) |
2315 | goto error; | |
2316 | break; | |
546ac1ff JF |
2317 | /* devmap returns a pointer to a live net_device ifindex that we cannot |
2318 | * allow to be modified from bpf side. So do not allow lookup elements | |
2319 | * for now. | |
2320 | */ | |
2321 | case BPF_MAP_TYPE_DEVMAP: | |
2ddf71e2 | 2322 | if (func_id != BPF_FUNC_redirect_map) |
546ac1ff JF |
2323 | goto error; |
2324 | break; | |
fbfc504a BT |
2325 | /* Restrict bpf side of cpumap and xskmap, open when use-cases |
2326 | * appear. | |
2327 | */ | |
6710e112 | 2328 | case BPF_MAP_TYPE_CPUMAP: |
fbfc504a | 2329 | case BPF_MAP_TYPE_XSKMAP: |
6710e112 JDB |
2330 | if (func_id != BPF_FUNC_redirect_map) |
2331 | goto error; | |
2332 | break; | |
56f668df | 2333 | case BPF_MAP_TYPE_ARRAY_OF_MAPS: |
bcc6b1b7 | 2334 | case BPF_MAP_TYPE_HASH_OF_MAPS: |
56f668df MKL |
2335 | if (func_id != BPF_FUNC_map_lookup_elem) |
2336 | goto error; | |
16a43625 | 2337 | break; |
174a79ff JF |
2338 | case BPF_MAP_TYPE_SOCKMAP: |
2339 | if (func_id != BPF_FUNC_sk_redirect_map && | |
2340 | func_id != BPF_FUNC_sock_map_update && | |
4f738adb JF |
2341 | func_id != BPF_FUNC_map_delete_elem && |
2342 | func_id != BPF_FUNC_msg_redirect_map) | |
174a79ff JF |
2343 | goto error; |
2344 | break; | |
81110384 JF |
2345 | case BPF_MAP_TYPE_SOCKHASH: |
2346 | if (func_id != BPF_FUNC_sk_redirect_hash && | |
2347 | func_id != BPF_FUNC_sock_hash_update && | |
2348 | func_id != BPF_FUNC_map_delete_elem && | |
2349 | func_id != BPF_FUNC_msg_redirect_hash) | |
2350 | goto error; | |
2351 | break; | |
2dbb9b9e MKL |
2352 | case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY: |
2353 | if (func_id != BPF_FUNC_sk_select_reuseport) | |
2354 | goto error; | |
2355 | break; | |
f1a2e44a MV |
2356 | case BPF_MAP_TYPE_QUEUE: |
2357 | case BPF_MAP_TYPE_STACK: | |
2358 | if (func_id != BPF_FUNC_map_peek_elem && | |
2359 | func_id != BPF_FUNC_map_pop_elem && | |
2360 | func_id != BPF_FUNC_map_push_elem) | |
2361 | goto error; | |
2362 | break; | |
6aff67c8 AS |
2363 | default: |
2364 | break; | |
2365 | } | |
2366 | ||
2367 | /* ... and second from the function itself. */ | |
2368 | switch (func_id) { | |
2369 | case BPF_FUNC_tail_call: | |
2370 | if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) | |
2371 | goto error; | |
f910cefa | 2372 | if (env->subprog_cnt > 1) { |
f4d7e40a AS |
2373 | verbose(env, "tail_calls are not allowed in programs with bpf-to-bpf calls\n"); |
2374 | return -EINVAL; | |
2375 | } | |
6aff67c8 AS |
2376 | break; |
2377 | case BPF_FUNC_perf_event_read: | |
2378 | case BPF_FUNC_perf_event_output: | |
908432ca | 2379 | case BPF_FUNC_perf_event_read_value: |
6aff67c8 AS |
2380 | if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) |
2381 | goto error; | |
2382 | break; | |
2383 | case BPF_FUNC_get_stackid: | |
2384 | if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) | |
2385 | goto error; | |
2386 | break; | |
60d20f91 | 2387 | case BPF_FUNC_current_task_under_cgroup: |
747ea55e | 2388 | case BPF_FUNC_skb_under_cgroup: |
4a482f34 MKL |
2389 | if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY) |
2390 | goto error; | |
2391 | break; | |
97f91a7c | 2392 | case BPF_FUNC_redirect_map: |
9c270af3 | 2393 | if (map->map_type != BPF_MAP_TYPE_DEVMAP && |
fbfc504a BT |
2394 | map->map_type != BPF_MAP_TYPE_CPUMAP && |
2395 | map->map_type != BPF_MAP_TYPE_XSKMAP) | |
97f91a7c JF |
2396 | goto error; |
2397 | break; | |
174a79ff | 2398 | case BPF_FUNC_sk_redirect_map: |
4f738adb | 2399 | case BPF_FUNC_msg_redirect_map: |
81110384 | 2400 | case BPF_FUNC_sock_map_update: |
174a79ff JF |
2401 | if (map->map_type != BPF_MAP_TYPE_SOCKMAP) |
2402 | goto error; | |
2403 | break; | |
81110384 JF |
2404 | case BPF_FUNC_sk_redirect_hash: |
2405 | case BPF_FUNC_msg_redirect_hash: | |
2406 | case BPF_FUNC_sock_hash_update: | |
2407 | if (map->map_type != BPF_MAP_TYPE_SOCKHASH) | |
174a79ff JF |
2408 | goto error; |
2409 | break; | |
cd339431 | 2410 | case BPF_FUNC_get_local_storage: |
b741f163 RG |
2411 | if (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE && |
2412 | map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) | |
cd339431 RG |
2413 | goto error; |
2414 | break; | |
2dbb9b9e MKL |
2415 | case BPF_FUNC_sk_select_reuseport: |
2416 | if (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) | |
2417 | goto error; | |
2418 | break; | |
f1a2e44a MV |
2419 | case BPF_FUNC_map_peek_elem: |
2420 | case BPF_FUNC_map_pop_elem: | |
2421 | case BPF_FUNC_map_push_elem: | |
2422 | if (map->map_type != BPF_MAP_TYPE_QUEUE && | |
2423 | map->map_type != BPF_MAP_TYPE_STACK) | |
2424 | goto error; | |
2425 | break; | |
6aff67c8 AS |
2426 | default: |
2427 | break; | |
35578d79 KX |
2428 | } |
2429 | ||
2430 | return 0; | |
6aff67c8 | 2431 | error: |
61bd5218 | 2432 | verbose(env, "cannot pass map_type %d into func %s#%d\n", |
ebb676da | 2433 | map->map_type, func_id_name(func_id), func_id); |
6aff67c8 | 2434 | return -EINVAL; |
35578d79 KX |
2435 | } |
2436 | ||
90133415 | 2437 | static bool check_raw_mode_ok(const struct bpf_func_proto *fn) |
435faee1 DB |
2438 | { |
2439 | int count = 0; | |
2440 | ||
39f19ebb | 2441 | if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2442 | count++; |
39f19ebb | 2443 | if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2444 | count++; |
39f19ebb | 2445 | if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2446 | count++; |
39f19ebb | 2447 | if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2448 | count++; |
39f19ebb | 2449 | if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 DB |
2450 | count++; |
2451 | ||
90133415 DB |
2452 | /* We only support one arg being in raw mode at the moment, |
2453 | * which is sufficient for the helper functions we have | |
2454 | * right now. | |
2455 | */ | |
2456 | return count <= 1; | |
2457 | } | |
2458 | ||
2459 | static bool check_args_pair_invalid(enum bpf_arg_type arg_curr, | |
2460 | enum bpf_arg_type arg_next) | |
2461 | { | |
2462 | return (arg_type_is_mem_ptr(arg_curr) && | |
2463 | !arg_type_is_mem_size(arg_next)) || | |
2464 | (!arg_type_is_mem_ptr(arg_curr) && | |
2465 | arg_type_is_mem_size(arg_next)); | |
2466 | } | |
2467 | ||
2468 | static bool check_arg_pair_ok(const struct bpf_func_proto *fn) | |
2469 | { | |
2470 | /* bpf_xxx(..., buf, len) call will access 'len' | |
2471 | * bytes from memory 'buf'. Both arg types need | |
2472 | * to be paired, so make sure there's no buggy | |
2473 | * helper function specification. | |
2474 | */ | |
2475 | if (arg_type_is_mem_size(fn->arg1_type) || | |
2476 | arg_type_is_mem_ptr(fn->arg5_type) || | |
2477 | check_args_pair_invalid(fn->arg1_type, fn->arg2_type) || | |
2478 | check_args_pair_invalid(fn->arg2_type, fn->arg3_type) || | |
2479 | check_args_pair_invalid(fn->arg3_type, fn->arg4_type) || | |
2480 | check_args_pair_invalid(fn->arg4_type, fn->arg5_type)) | |
2481 | return false; | |
2482 | ||
2483 | return true; | |
2484 | } | |
2485 | ||
fd978bf7 JS |
2486 | static bool check_refcount_ok(const struct bpf_func_proto *fn) |
2487 | { | |
2488 | int count = 0; | |
2489 | ||
2490 | if (arg_type_is_refcounted(fn->arg1_type)) | |
2491 | count++; | |
2492 | if (arg_type_is_refcounted(fn->arg2_type)) | |
2493 | count++; | |
2494 | if (arg_type_is_refcounted(fn->arg3_type)) | |
2495 | count++; | |
2496 | if (arg_type_is_refcounted(fn->arg4_type)) | |
2497 | count++; | |
2498 | if (arg_type_is_refcounted(fn->arg5_type)) | |
2499 | count++; | |
2500 | ||
2501 | /* We only support one arg being unreferenced at the moment, | |
2502 | * which is sufficient for the helper functions we have right now. | |
2503 | */ | |
2504 | return count <= 1; | |
2505 | } | |
2506 | ||
90133415 DB |
2507 | static int check_func_proto(const struct bpf_func_proto *fn) |
2508 | { | |
2509 | return check_raw_mode_ok(fn) && | |
fd978bf7 JS |
2510 | check_arg_pair_ok(fn) && |
2511 | check_refcount_ok(fn) ? 0 : -EINVAL; | |
435faee1 DB |
2512 | } |
2513 | ||
de8f3a83 DB |
2514 | /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END] |
2515 | * are now invalid, so turn them into unknown SCALAR_VALUE. | |
f1174f77 | 2516 | */ |
f4d7e40a AS |
2517 | static void __clear_all_pkt_pointers(struct bpf_verifier_env *env, |
2518 | struct bpf_func_state *state) | |
969bf05e | 2519 | { |
58e2af8b | 2520 | struct bpf_reg_state *regs = state->regs, *reg; |
969bf05e AS |
2521 | int i; |
2522 | ||
2523 | for (i = 0; i < MAX_BPF_REG; i++) | |
de8f3a83 | 2524 | if (reg_is_pkt_pointer_any(®s[i])) |
61bd5218 | 2525 | mark_reg_unknown(env, regs, i); |
969bf05e | 2526 | |
f3709f69 JS |
2527 | bpf_for_each_spilled_reg(i, state, reg) { |
2528 | if (!reg) | |
969bf05e | 2529 | continue; |
de8f3a83 DB |
2530 | if (reg_is_pkt_pointer_any(reg)) |
2531 | __mark_reg_unknown(reg); | |
969bf05e AS |
2532 | } |
2533 | } | |
2534 | ||
f4d7e40a AS |
2535 | static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
2536 | { | |
2537 | struct bpf_verifier_state *vstate = env->cur_state; | |
2538 | int i; | |
2539 | ||
2540 | for (i = 0; i <= vstate->curframe; i++) | |
2541 | __clear_all_pkt_pointers(env, vstate->frame[i]); | |
2542 | } | |
2543 | ||
fd978bf7 JS |
2544 | static void release_reg_references(struct bpf_verifier_env *env, |
2545 | struct bpf_func_state *state, int id) | |
2546 | { | |
2547 | struct bpf_reg_state *regs = state->regs, *reg; | |
2548 | int i; | |
2549 | ||
2550 | for (i = 0; i < MAX_BPF_REG; i++) | |
2551 | if (regs[i].id == id) | |
2552 | mark_reg_unknown(env, regs, i); | |
2553 | ||
2554 | bpf_for_each_spilled_reg(i, state, reg) { | |
2555 | if (!reg) | |
2556 | continue; | |
2557 | if (reg_is_refcounted(reg) && reg->id == id) | |
2558 | __mark_reg_unknown(reg); | |
2559 | } | |
2560 | } | |
2561 | ||
2562 | /* The pointer with the specified id has released its reference to kernel | |
2563 | * resources. Identify all copies of the same pointer and clear the reference. | |
2564 | */ | |
2565 | static int release_reference(struct bpf_verifier_env *env, | |
2566 | struct bpf_call_arg_meta *meta) | |
2567 | { | |
2568 | struct bpf_verifier_state *vstate = env->cur_state; | |
2569 | int i; | |
2570 | ||
2571 | for (i = 0; i <= vstate->curframe; i++) | |
2572 | release_reg_references(env, vstate->frame[i], meta->ptr_id); | |
2573 | ||
2574 | return release_reference_state(env, meta->ptr_id); | |
2575 | } | |
2576 | ||
f4d7e40a AS |
2577 | static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, |
2578 | int *insn_idx) | |
2579 | { | |
2580 | struct bpf_verifier_state *state = env->cur_state; | |
2581 | struct bpf_func_state *caller, *callee; | |
fd978bf7 | 2582 | int i, err, subprog, target_insn; |
f4d7e40a | 2583 | |
aada9ce6 | 2584 | if (state->curframe + 1 >= MAX_CALL_FRAMES) { |
f4d7e40a | 2585 | verbose(env, "the call stack of %d frames is too deep\n", |
aada9ce6 | 2586 | state->curframe + 2); |
f4d7e40a AS |
2587 | return -E2BIG; |
2588 | } | |
2589 | ||
2590 | target_insn = *insn_idx + insn->imm; | |
2591 | subprog = find_subprog(env, target_insn + 1); | |
2592 | if (subprog < 0) { | |
2593 | verbose(env, "verifier bug. No program starts at insn %d\n", | |
2594 | target_insn + 1); | |
2595 | return -EFAULT; | |
2596 | } | |
2597 | ||
2598 | caller = state->frame[state->curframe]; | |
2599 | if (state->frame[state->curframe + 1]) { | |
2600 | verbose(env, "verifier bug. Frame %d already allocated\n", | |
2601 | state->curframe + 1); | |
2602 | return -EFAULT; | |
2603 | } | |
2604 | ||
2605 | callee = kzalloc(sizeof(*callee), GFP_KERNEL); | |
2606 | if (!callee) | |
2607 | return -ENOMEM; | |
2608 | state->frame[state->curframe + 1] = callee; | |
2609 | ||
2610 | /* callee cannot access r0, r6 - r9 for reading and has to write | |
2611 | * into its own stack before reading from it. | |
2612 | * callee can read/write into caller's stack | |
2613 | */ | |
2614 | init_func_state(env, callee, | |
2615 | /* remember the callsite, it will be used by bpf_exit */ | |
2616 | *insn_idx /* callsite */, | |
2617 | state->curframe + 1 /* frameno within this callchain */, | |
f910cefa | 2618 | subprog /* subprog number within this prog */); |
f4d7e40a | 2619 | |
fd978bf7 JS |
2620 | /* Transfer references to the callee */ |
2621 | err = transfer_reference_state(callee, caller); | |
2622 | if (err) | |
2623 | return err; | |
2624 | ||
679c782d EC |
2625 | /* copy r1 - r5 args that callee can access. The copy includes parent |
2626 | * pointers, which connects us up to the liveness chain | |
2627 | */ | |
f4d7e40a AS |
2628 | for (i = BPF_REG_1; i <= BPF_REG_5; i++) |
2629 | callee->regs[i] = caller->regs[i]; | |
2630 | ||
679c782d | 2631 | /* after the call registers r0 - r5 were scratched */ |
f4d7e40a AS |
2632 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
2633 | mark_reg_not_init(env, caller->regs, caller_saved[i]); | |
2634 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); | |
2635 | } | |
2636 | ||
2637 | /* only increment it after check_reg_arg() finished */ | |
2638 | state->curframe++; | |
2639 | ||
2640 | /* and go analyze first insn of the callee */ | |
2641 | *insn_idx = target_insn; | |
2642 | ||
2643 | if (env->log.level) { | |
2644 | verbose(env, "caller:\n"); | |
2645 | print_verifier_state(env, caller); | |
2646 | verbose(env, "callee:\n"); | |
2647 | print_verifier_state(env, callee); | |
2648 | } | |
2649 | return 0; | |
2650 | } | |
2651 | ||
2652 | static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) | |
2653 | { | |
2654 | struct bpf_verifier_state *state = env->cur_state; | |
2655 | struct bpf_func_state *caller, *callee; | |
2656 | struct bpf_reg_state *r0; | |
fd978bf7 | 2657 | int err; |
f4d7e40a AS |
2658 | |
2659 | callee = state->frame[state->curframe]; | |
2660 | r0 = &callee->regs[BPF_REG_0]; | |
2661 | if (r0->type == PTR_TO_STACK) { | |
2662 | /* technically it's ok to return caller's stack pointer | |
2663 | * (or caller's caller's pointer) back to the caller, | |
2664 | * since these pointers are valid. Only current stack | |
2665 | * pointer will be invalid as soon as function exits, | |
2666 | * but let's be conservative | |
2667 | */ | |
2668 | verbose(env, "cannot return stack pointer to the caller\n"); | |
2669 | return -EINVAL; | |
2670 | } | |
2671 | ||
2672 | state->curframe--; | |
2673 | caller = state->frame[state->curframe]; | |
2674 | /* return to the caller whatever r0 had in the callee */ | |
2675 | caller->regs[BPF_REG_0] = *r0; | |
2676 | ||
fd978bf7 JS |
2677 | /* Transfer references to the caller */ |
2678 | err = transfer_reference_state(caller, callee); | |
2679 | if (err) | |
2680 | return err; | |
2681 | ||
f4d7e40a AS |
2682 | *insn_idx = callee->callsite + 1; |
2683 | if (env->log.level) { | |
2684 | verbose(env, "returning from callee:\n"); | |
2685 | print_verifier_state(env, callee); | |
2686 | verbose(env, "to caller at %d:\n", *insn_idx); | |
2687 | print_verifier_state(env, caller); | |
2688 | } | |
2689 | /* clear everything in the callee */ | |
2690 | free_func_state(callee); | |
2691 | state->frame[state->curframe + 1] = NULL; | |
2692 | return 0; | |
2693 | } | |
2694 | ||
849fa506 YS |
2695 | static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type, |
2696 | int func_id, | |
2697 | struct bpf_call_arg_meta *meta) | |
2698 | { | |
2699 | struct bpf_reg_state *ret_reg = ®s[BPF_REG_0]; | |
2700 | ||
2701 | if (ret_type != RET_INTEGER || | |
2702 | (func_id != BPF_FUNC_get_stack && | |
2703 | func_id != BPF_FUNC_probe_read_str)) | |
2704 | return; | |
2705 | ||
2706 | ret_reg->smax_value = meta->msize_smax_value; | |
2707 | ret_reg->umax_value = meta->msize_umax_value; | |
2708 | __reg_deduce_bounds(ret_reg); | |
2709 | __reg_bound_offset(ret_reg); | |
2710 | } | |
2711 | ||
c93552c4 DB |
2712 | static int |
2713 | record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta, | |
2714 | int func_id, int insn_idx) | |
2715 | { | |
2716 | struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx]; | |
2717 | ||
2718 | if (func_id != BPF_FUNC_tail_call && | |
09772d92 DB |
2719 | func_id != BPF_FUNC_map_lookup_elem && |
2720 | func_id != BPF_FUNC_map_update_elem && | |
f1a2e44a MV |
2721 | func_id != BPF_FUNC_map_delete_elem && |
2722 | func_id != BPF_FUNC_map_push_elem && | |
2723 | func_id != BPF_FUNC_map_pop_elem && | |
2724 | func_id != BPF_FUNC_map_peek_elem) | |
c93552c4 | 2725 | return 0; |
09772d92 | 2726 | |
c93552c4 DB |
2727 | if (meta->map_ptr == NULL) { |
2728 | verbose(env, "kernel subsystem misconfigured verifier\n"); | |
2729 | return -EINVAL; | |
2730 | } | |
2731 | ||
2732 | if (!BPF_MAP_PTR(aux->map_state)) | |
2733 | bpf_map_ptr_store(aux, meta->map_ptr, | |
2734 | meta->map_ptr->unpriv_array); | |
2735 | else if (BPF_MAP_PTR(aux->map_state) != meta->map_ptr) | |
2736 | bpf_map_ptr_store(aux, BPF_MAP_PTR_POISON, | |
2737 | meta->map_ptr->unpriv_array); | |
2738 | return 0; | |
2739 | } | |
2740 | ||
fd978bf7 JS |
2741 | static int check_reference_leak(struct bpf_verifier_env *env) |
2742 | { | |
2743 | struct bpf_func_state *state = cur_func(env); | |
2744 | int i; | |
2745 | ||
2746 | for (i = 0; i < state->acquired_refs; i++) { | |
2747 | verbose(env, "Unreleased reference id=%d alloc_insn=%d\n", | |
2748 | state->refs[i].id, state->refs[i].insn_idx); | |
2749 | } | |
2750 | return state->acquired_refs ? -EINVAL : 0; | |
2751 | } | |
2752 | ||
f4d7e40a | 2753 | static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx) |
17a52670 | 2754 | { |
17a52670 | 2755 | const struct bpf_func_proto *fn = NULL; |
638f5b90 | 2756 | struct bpf_reg_state *regs; |
33ff9823 | 2757 | struct bpf_call_arg_meta meta; |
969bf05e | 2758 | bool changes_data; |
17a52670 AS |
2759 | int i, err; |
2760 | ||
2761 | /* find function prototype */ | |
2762 | if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { | |
61bd5218 JK |
2763 | verbose(env, "invalid func %s#%d\n", func_id_name(func_id), |
2764 | func_id); | |
17a52670 AS |
2765 | return -EINVAL; |
2766 | } | |
2767 | ||
00176a34 | 2768 | if (env->ops->get_func_proto) |
5e43f899 | 2769 | fn = env->ops->get_func_proto(func_id, env->prog); |
17a52670 | 2770 | if (!fn) { |
61bd5218 JK |
2771 | verbose(env, "unknown func %s#%d\n", func_id_name(func_id), |
2772 | func_id); | |
17a52670 AS |
2773 | return -EINVAL; |
2774 | } | |
2775 | ||
2776 | /* eBPF programs must be GPL compatible to use GPL-ed functions */ | |
24701ece | 2777 | if (!env->prog->gpl_compatible && fn->gpl_only) { |
3fe2867c | 2778 | verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n"); |
17a52670 AS |
2779 | return -EINVAL; |
2780 | } | |
2781 | ||
04514d13 | 2782 | /* With LD_ABS/IND some JITs save/restore skb from r1. */ |
17bedab2 | 2783 | changes_data = bpf_helper_changes_pkt_data(fn->func); |
04514d13 DB |
2784 | if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) { |
2785 | verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", | |
2786 | func_id_name(func_id), func_id); | |
2787 | return -EINVAL; | |
2788 | } | |
969bf05e | 2789 | |
33ff9823 | 2790 | memset(&meta, 0, sizeof(meta)); |
36bbef52 | 2791 | meta.pkt_access = fn->pkt_access; |
33ff9823 | 2792 | |
90133415 | 2793 | err = check_func_proto(fn); |
435faee1 | 2794 | if (err) { |
61bd5218 | 2795 | verbose(env, "kernel subsystem misconfigured func %s#%d\n", |
ebb676da | 2796 | func_id_name(func_id), func_id); |
435faee1 DB |
2797 | return err; |
2798 | } | |
2799 | ||
17a52670 | 2800 | /* check args */ |
33ff9823 | 2801 | err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta); |
17a52670 AS |
2802 | if (err) |
2803 | return err; | |
33ff9823 | 2804 | err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta); |
17a52670 AS |
2805 | if (err) |
2806 | return err; | |
33ff9823 | 2807 | err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta); |
17a52670 AS |
2808 | if (err) |
2809 | return err; | |
33ff9823 | 2810 | err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta); |
17a52670 AS |
2811 | if (err) |
2812 | return err; | |
33ff9823 | 2813 | err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta); |
17a52670 AS |
2814 | if (err) |
2815 | return err; | |
2816 | ||
c93552c4 DB |
2817 | err = record_func_map(env, &meta, func_id, insn_idx); |
2818 | if (err) | |
2819 | return err; | |
2820 | ||
435faee1 DB |
2821 | /* Mark slots with STACK_MISC in case of raw mode, stack offset |
2822 | * is inferred from register state. | |
2823 | */ | |
2824 | for (i = 0; i < meta.access_size; i++) { | |
ca369602 DB |
2825 | err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, |
2826 | BPF_WRITE, -1, false); | |
435faee1 DB |
2827 | if (err) |
2828 | return err; | |
2829 | } | |
2830 | ||
fd978bf7 JS |
2831 | if (func_id == BPF_FUNC_tail_call) { |
2832 | err = check_reference_leak(env); | |
2833 | if (err) { | |
2834 | verbose(env, "tail_call would lead to reference leak\n"); | |
2835 | return err; | |
2836 | } | |
2837 | } else if (is_release_function(func_id)) { | |
2838 | err = release_reference(env, &meta); | |
2839 | if (err) | |
2840 | return err; | |
2841 | } | |
2842 | ||
638f5b90 | 2843 | regs = cur_regs(env); |
cd339431 RG |
2844 | |
2845 | /* check that flags argument in get_local_storage(map, flags) is 0, | |
2846 | * this is required because get_local_storage() can't return an error. | |
2847 | */ | |
2848 | if (func_id == BPF_FUNC_get_local_storage && | |
2849 | !register_is_null(®s[BPF_REG_2])) { | |
2850 | verbose(env, "get_local_storage() doesn't support non-zero flags\n"); | |
2851 | return -EINVAL; | |
2852 | } | |
2853 | ||
17a52670 | 2854 | /* reset caller saved regs */ |
dc503a8a | 2855 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
61bd5218 | 2856 | mark_reg_not_init(env, regs, caller_saved[i]); |
dc503a8a EC |
2857 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
2858 | } | |
17a52670 | 2859 | |
dc503a8a | 2860 | /* update return register (already marked as written above) */ |
17a52670 | 2861 | if (fn->ret_type == RET_INTEGER) { |
f1174f77 | 2862 | /* sets type to SCALAR_VALUE */ |
61bd5218 | 2863 | mark_reg_unknown(env, regs, BPF_REG_0); |
17a52670 AS |
2864 | } else if (fn->ret_type == RET_VOID) { |
2865 | regs[BPF_REG_0].type = NOT_INIT; | |
3e6a4b3e RG |
2866 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL || |
2867 | fn->ret_type == RET_PTR_TO_MAP_VALUE) { | |
f1174f77 | 2868 | /* There is no offset yet applied, variable or fixed */ |
61bd5218 | 2869 | mark_reg_known_zero(env, regs, BPF_REG_0); |
17a52670 AS |
2870 | /* remember map_ptr, so that check_map_access() |
2871 | * can check 'value_size' boundary of memory access | |
2872 | * to map element returned from bpf_map_lookup_elem() | |
2873 | */ | |
33ff9823 | 2874 | if (meta.map_ptr == NULL) { |
61bd5218 JK |
2875 | verbose(env, |
2876 | "kernel subsystem misconfigured verifier\n"); | |
17a52670 AS |
2877 | return -EINVAL; |
2878 | } | |
33ff9823 | 2879 | regs[BPF_REG_0].map_ptr = meta.map_ptr; |
4d31f301 DB |
2880 | if (fn->ret_type == RET_PTR_TO_MAP_VALUE) { |
2881 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE; | |
2882 | } else { | |
2883 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; | |
2884 | regs[BPF_REG_0].id = ++env->id_gen; | |
2885 | } | |
c64b7983 | 2886 | } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) { |
fd978bf7 JS |
2887 | int id = acquire_reference_state(env, insn_idx); |
2888 | if (id < 0) | |
2889 | return id; | |
c64b7983 JS |
2890 | mark_reg_known_zero(env, regs, BPF_REG_0); |
2891 | regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL; | |
fd978bf7 | 2892 | regs[BPF_REG_0].id = id; |
17a52670 | 2893 | } else { |
61bd5218 | 2894 | verbose(env, "unknown return type %d of func %s#%d\n", |
ebb676da | 2895 | fn->ret_type, func_id_name(func_id), func_id); |
17a52670 AS |
2896 | return -EINVAL; |
2897 | } | |
04fd61ab | 2898 | |
849fa506 YS |
2899 | do_refine_retval_range(regs, fn->ret_type, func_id, &meta); |
2900 | ||
61bd5218 | 2901 | err = check_map_func_compatibility(env, meta.map_ptr, func_id); |
35578d79 KX |
2902 | if (err) |
2903 | return err; | |
04fd61ab | 2904 | |
c195651e YS |
2905 | if (func_id == BPF_FUNC_get_stack && !env->prog->has_callchain_buf) { |
2906 | const char *err_str; | |
2907 | ||
2908 | #ifdef CONFIG_PERF_EVENTS | |
2909 | err = get_callchain_buffers(sysctl_perf_event_max_stack); | |
2910 | err_str = "cannot get callchain buffer for func %s#%d\n"; | |
2911 | #else | |
2912 | err = -ENOTSUPP; | |
2913 | err_str = "func %s#%d not supported without CONFIG_PERF_EVENTS\n"; | |
2914 | #endif | |
2915 | if (err) { | |
2916 | verbose(env, err_str, func_id_name(func_id), func_id); | |
2917 | return err; | |
2918 | } | |
2919 | ||
2920 | env->prog->has_callchain_buf = true; | |
2921 | } | |
2922 | ||
969bf05e AS |
2923 | if (changes_data) |
2924 | clear_all_pkt_pointers(env); | |
2925 | return 0; | |
2926 | } | |
2927 | ||
b03c9f9f EC |
2928 | static bool signed_add_overflows(s64 a, s64 b) |
2929 | { | |
2930 | /* Do the add in u64, where overflow is well-defined */ | |
2931 | s64 res = (s64)((u64)a + (u64)b); | |
2932 | ||
2933 | if (b < 0) | |
2934 | return res > a; | |
2935 | return res < a; | |
2936 | } | |
2937 | ||
2938 | static bool signed_sub_overflows(s64 a, s64 b) | |
2939 | { | |
2940 | /* Do the sub in u64, where overflow is well-defined */ | |
2941 | s64 res = (s64)((u64)a - (u64)b); | |
2942 | ||
2943 | if (b < 0) | |
2944 | return res < a; | |
2945 | return res > a; | |
969bf05e AS |
2946 | } |
2947 | ||
bb7f0f98 AS |
2948 | static bool check_reg_sane_offset(struct bpf_verifier_env *env, |
2949 | const struct bpf_reg_state *reg, | |
2950 | enum bpf_reg_type type) | |
2951 | { | |
2952 | bool known = tnum_is_const(reg->var_off); | |
2953 | s64 val = reg->var_off.value; | |
2954 | s64 smin = reg->smin_value; | |
2955 | ||
2956 | if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) { | |
2957 | verbose(env, "math between %s pointer and %lld is not allowed\n", | |
2958 | reg_type_str[type], val); | |
2959 | return false; | |
2960 | } | |
2961 | ||
2962 | if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) { | |
2963 | verbose(env, "%s pointer offset %d is not allowed\n", | |
2964 | reg_type_str[type], reg->off); | |
2965 | return false; | |
2966 | } | |
2967 | ||
2968 | if (smin == S64_MIN) { | |
2969 | verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n", | |
2970 | reg_type_str[type]); | |
2971 | return false; | |
2972 | } | |
2973 | ||
2974 | if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { | |
2975 | verbose(env, "value %lld makes %s pointer be out of bounds\n", | |
2976 | smin, reg_type_str[type]); | |
2977 | return false; | |
2978 | } | |
2979 | ||
2980 | return true; | |
2981 | } | |
2982 | ||
f1174f77 | 2983 | /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. |
f1174f77 EC |
2984 | * Caller should also handle BPF_MOV case separately. |
2985 | * If we return -EACCES, caller may want to try again treating pointer as a | |
2986 | * scalar. So we only emit a diagnostic if !env->allow_ptr_leaks. | |
2987 | */ | |
2988 | static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |
2989 | struct bpf_insn *insn, | |
2990 | const struct bpf_reg_state *ptr_reg, | |
2991 | const struct bpf_reg_state *off_reg) | |
969bf05e | 2992 | { |
f4d7e40a AS |
2993 | struct bpf_verifier_state *vstate = env->cur_state; |
2994 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
2995 | struct bpf_reg_state *regs = state->regs, *dst_reg; | |
f1174f77 | 2996 | bool known = tnum_is_const(off_reg->var_off); |
b03c9f9f EC |
2997 | s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value, |
2998 | smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; | |
2999 | u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, | |
3000 | umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; | |
969bf05e | 3001 | u8 opcode = BPF_OP(insn->code); |
f1174f77 | 3002 | u32 dst = insn->dst_reg; |
969bf05e | 3003 | |
f1174f77 | 3004 | dst_reg = ®s[dst]; |
969bf05e | 3005 | |
6f16101e DB |
3006 | if ((known && (smin_val != smax_val || umin_val != umax_val)) || |
3007 | smin_val > smax_val || umin_val > umax_val) { | |
3008 | /* Taint dst register if offset had invalid bounds derived from | |
3009 | * e.g. dead branches. | |
3010 | */ | |
3011 | __mark_reg_unknown(dst_reg); | |
3012 | return 0; | |
f1174f77 EC |
3013 | } |
3014 | ||
3015 | if (BPF_CLASS(insn->code) != BPF_ALU64) { | |
3016 | /* 32-bit ALU ops on pointers produce (meaningless) scalars */ | |
82abbf8d AS |
3017 | verbose(env, |
3018 | "R%d 32-bit pointer arithmetic prohibited\n", | |
3019 | dst); | |
f1174f77 | 3020 | return -EACCES; |
969bf05e AS |
3021 | } |
3022 | ||
aad2eeaf JS |
3023 | switch (ptr_reg->type) { |
3024 | case PTR_TO_MAP_VALUE_OR_NULL: | |
3025 | verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n", | |
3026 | dst, reg_type_str[ptr_reg->type]); | |
f1174f77 | 3027 | return -EACCES; |
aad2eeaf JS |
3028 | case CONST_PTR_TO_MAP: |
3029 | case PTR_TO_PACKET_END: | |
c64b7983 JS |
3030 | case PTR_TO_SOCKET: |
3031 | case PTR_TO_SOCKET_OR_NULL: | |
aad2eeaf JS |
3032 | verbose(env, "R%d pointer arithmetic on %s prohibited\n", |
3033 | dst, reg_type_str[ptr_reg->type]); | |
f1174f77 | 3034 | return -EACCES; |
aad2eeaf JS |
3035 | default: |
3036 | break; | |
f1174f77 EC |
3037 | } |
3038 | ||
3039 | /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. | |
3040 | * The id may be overwritten later if we create a new variable offset. | |
969bf05e | 3041 | */ |
f1174f77 EC |
3042 | dst_reg->type = ptr_reg->type; |
3043 | dst_reg->id = ptr_reg->id; | |
969bf05e | 3044 | |
bb7f0f98 AS |
3045 | if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) || |
3046 | !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) | |
3047 | return -EINVAL; | |
3048 | ||
f1174f77 EC |
3049 | switch (opcode) { |
3050 | case BPF_ADD: | |
3051 | /* We can take a fixed offset as long as it doesn't overflow | |
3052 | * the s32 'off' field | |
969bf05e | 3053 | */ |
b03c9f9f EC |
3054 | if (known && (ptr_reg->off + smin_val == |
3055 | (s64)(s32)(ptr_reg->off + smin_val))) { | |
f1174f77 | 3056 | /* pointer += K. Accumulate it into fixed offset */ |
b03c9f9f EC |
3057 | dst_reg->smin_value = smin_ptr; |
3058 | dst_reg->smax_value = smax_ptr; | |
3059 | dst_reg->umin_value = umin_ptr; | |
3060 | dst_reg->umax_value = umax_ptr; | |
f1174f77 | 3061 | dst_reg->var_off = ptr_reg->var_off; |
b03c9f9f | 3062 | dst_reg->off = ptr_reg->off + smin_val; |
0962590e | 3063 | dst_reg->raw = ptr_reg->raw; |
f1174f77 EC |
3064 | break; |
3065 | } | |
f1174f77 EC |
3066 | /* A new variable offset is created. Note that off_reg->off |
3067 | * == 0, since it's a scalar. | |
3068 | * dst_reg gets the pointer type and since some positive | |
3069 | * integer value was added to the pointer, give it a new 'id' | |
3070 | * if it's a PTR_TO_PACKET. | |
3071 | * this creates a new 'base' pointer, off_reg (variable) gets | |
3072 | * added into the variable offset, and we copy the fixed offset | |
3073 | * from ptr_reg. | |
969bf05e | 3074 | */ |
b03c9f9f EC |
3075 | if (signed_add_overflows(smin_ptr, smin_val) || |
3076 | signed_add_overflows(smax_ptr, smax_val)) { | |
3077 | dst_reg->smin_value = S64_MIN; | |
3078 | dst_reg->smax_value = S64_MAX; | |
3079 | } else { | |
3080 | dst_reg->smin_value = smin_ptr + smin_val; | |
3081 | dst_reg->smax_value = smax_ptr + smax_val; | |
3082 | } | |
3083 | if (umin_ptr + umin_val < umin_ptr || | |
3084 | umax_ptr + umax_val < umax_ptr) { | |
3085 | dst_reg->umin_value = 0; | |
3086 | dst_reg->umax_value = U64_MAX; | |
3087 | } else { | |
3088 | dst_reg->umin_value = umin_ptr + umin_val; | |
3089 | dst_reg->umax_value = umax_ptr + umax_val; | |
3090 | } | |
f1174f77 EC |
3091 | dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); |
3092 | dst_reg->off = ptr_reg->off; | |
0962590e | 3093 | dst_reg->raw = ptr_reg->raw; |
de8f3a83 | 3094 | if (reg_is_pkt_pointer(ptr_reg)) { |
f1174f77 EC |
3095 | dst_reg->id = ++env->id_gen; |
3096 | /* something was added to pkt_ptr, set range to zero */ | |
0962590e | 3097 | dst_reg->raw = 0; |
f1174f77 EC |
3098 | } |
3099 | break; | |
3100 | case BPF_SUB: | |
3101 | if (dst_reg == off_reg) { | |
3102 | /* scalar -= pointer. Creates an unknown scalar */ | |
82abbf8d AS |
3103 | verbose(env, "R%d tried to subtract pointer from scalar\n", |
3104 | dst); | |
f1174f77 EC |
3105 | return -EACCES; |
3106 | } | |
3107 | /* We don't allow subtraction from FP, because (according to | |
3108 | * test_verifier.c test "invalid fp arithmetic", JITs might not | |
3109 | * be able to deal with it. | |
969bf05e | 3110 | */ |
f1174f77 | 3111 | if (ptr_reg->type == PTR_TO_STACK) { |
82abbf8d AS |
3112 | verbose(env, "R%d subtraction from stack pointer prohibited\n", |
3113 | dst); | |
f1174f77 EC |
3114 | return -EACCES; |
3115 | } | |
b03c9f9f EC |
3116 | if (known && (ptr_reg->off - smin_val == |
3117 | (s64)(s32)(ptr_reg->off - smin_val))) { | |
f1174f77 | 3118 | /* pointer -= K. Subtract it from fixed offset */ |
b03c9f9f EC |
3119 | dst_reg->smin_value = smin_ptr; |
3120 | dst_reg->smax_value = smax_ptr; | |
3121 | dst_reg->umin_value = umin_ptr; | |
3122 | dst_reg->umax_value = umax_ptr; | |
f1174f77 EC |
3123 | dst_reg->var_off = ptr_reg->var_off; |
3124 | dst_reg->id = ptr_reg->id; | |
b03c9f9f | 3125 | dst_reg->off = ptr_reg->off - smin_val; |
0962590e | 3126 | dst_reg->raw = ptr_reg->raw; |
f1174f77 EC |
3127 | break; |
3128 | } | |
f1174f77 EC |
3129 | /* A new variable offset is created. If the subtrahend is known |
3130 | * nonnegative, then any reg->range we had before is still good. | |
969bf05e | 3131 | */ |
b03c9f9f EC |
3132 | if (signed_sub_overflows(smin_ptr, smax_val) || |
3133 | signed_sub_overflows(smax_ptr, smin_val)) { | |
3134 | /* Overflow possible, we know nothing */ | |
3135 | dst_reg->smin_value = S64_MIN; | |
3136 | dst_reg->smax_value = S64_MAX; | |
3137 | } else { | |
3138 | dst_reg->smin_value = smin_ptr - smax_val; | |
3139 | dst_reg->smax_value = smax_ptr - smin_val; | |
3140 | } | |
3141 | if (umin_ptr < umax_val) { | |
3142 | /* Overflow possible, we know nothing */ | |
3143 | dst_reg->umin_value = 0; | |
3144 | dst_reg->umax_value = U64_MAX; | |
3145 | } else { | |
3146 | /* Cannot overflow (as long as bounds are consistent) */ | |
3147 | dst_reg->umin_value = umin_ptr - umax_val; | |
3148 | dst_reg->umax_value = umax_ptr - umin_val; | |
3149 | } | |
f1174f77 EC |
3150 | dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); |
3151 | dst_reg->off = ptr_reg->off; | |
0962590e | 3152 | dst_reg->raw = ptr_reg->raw; |
de8f3a83 | 3153 | if (reg_is_pkt_pointer(ptr_reg)) { |
f1174f77 EC |
3154 | dst_reg->id = ++env->id_gen; |
3155 | /* something was added to pkt_ptr, set range to zero */ | |
b03c9f9f | 3156 | if (smin_val < 0) |
0962590e | 3157 | dst_reg->raw = 0; |
43188702 | 3158 | } |
f1174f77 EC |
3159 | break; |
3160 | case BPF_AND: | |
3161 | case BPF_OR: | |
3162 | case BPF_XOR: | |
82abbf8d AS |
3163 | /* bitwise ops on pointers are troublesome, prohibit. */ |
3164 | verbose(env, "R%d bitwise operator %s on pointer prohibited\n", | |
3165 | dst, bpf_alu_string[opcode >> 4]); | |
f1174f77 EC |
3166 | return -EACCES; |
3167 | default: | |
3168 | /* other operators (e.g. MUL,LSH) produce non-pointer results */ | |
82abbf8d AS |
3169 | verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", |
3170 | dst, bpf_alu_string[opcode >> 4]); | |
f1174f77 | 3171 | return -EACCES; |
43188702 JF |
3172 | } |
3173 | ||
bb7f0f98 AS |
3174 | if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type)) |
3175 | return -EINVAL; | |
3176 | ||
b03c9f9f EC |
3177 | __update_reg_bounds(dst_reg); |
3178 | __reg_deduce_bounds(dst_reg); | |
3179 | __reg_bound_offset(dst_reg); | |
43188702 JF |
3180 | return 0; |
3181 | } | |
3182 | ||
468f6eaf JH |
3183 | /* WARNING: This function does calculations on 64-bit values, but the actual |
3184 | * execution may occur on 32-bit values. Therefore, things like bitshifts | |
3185 | * need extra checks in the 32-bit case. | |
3186 | */ | |
f1174f77 EC |
3187 | static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
3188 | struct bpf_insn *insn, | |
3189 | struct bpf_reg_state *dst_reg, | |
3190 | struct bpf_reg_state src_reg) | |
969bf05e | 3191 | { |
638f5b90 | 3192 | struct bpf_reg_state *regs = cur_regs(env); |
48461135 | 3193 | u8 opcode = BPF_OP(insn->code); |
f1174f77 | 3194 | bool src_known, dst_known; |
b03c9f9f EC |
3195 | s64 smin_val, smax_val; |
3196 | u64 umin_val, umax_val; | |
468f6eaf | 3197 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
48461135 | 3198 | |
b799207e JH |
3199 | if (insn_bitness == 32) { |
3200 | /* Relevant for 32-bit RSH: Information can propagate towards | |
3201 | * LSB, so it isn't sufficient to only truncate the output to | |
3202 | * 32 bits. | |
3203 | */ | |
3204 | coerce_reg_to_size(dst_reg, 4); | |
3205 | coerce_reg_to_size(&src_reg, 4); | |
3206 | } | |
3207 | ||
b03c9f9f EC |
3208 | smin_val = src_reg.smin_value; |
3209 | smax_val = src_reg.smax_value; | |
3210 | umin_val = src_reg.umin_value; | |
3211 | umax_val = src_reg.umax_value; | |
f1174f77 EC |
3212 | src_known = tnum_is_const(src_reg.var_off); |
3213 | dst_known = tnum_is_const(dst_reg->var_off); | |
f23cc643 | 3214 | |
6f16101e DB |
3215 | if ((src_known && (smin_val != smax_val || umin_val != umax_val)) || |
3216 | smin_val > smax_val || umin_val > umax_val) { | |
3217 | /* Taint dst register if offset had invalid bounds derived from | |
3218 | * e.g. dead branches. | |
3219 | */ | |
3220 | __mark_reg_unknown(dst_reg); | |
3221 | return 0; | |
3222 | } | |
3223 | ||
bb7f0f98 AS |
3224 | if (!src_known && |
3225 | opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) { | |
3226 | __mark_reg_unknown(dst_reg); | |
3227 | return 0; | |
3228 | } | |
3229 | ||
48461135 JB |
3230 | switch (opcode) { |
3231 | case BPF_ADD: | |
b03c9f9f EC |
3232 | if (signed_add_overflows(dst_reg->smin_value, smin_val) || |
3233 | signed_add_overflows(dst_reg->smax_value, smax_val)) { | |
3234 | dst_reg->smin_value = S64_MIN; | |
3235 | dst_reg->smax_value = S64_MAX; | |
3236 | } else { | |
3237 | dst_reg->smin_value += smin_val; | |
3238 | dst_reg->smax_value += smax_val; | |
3239 | } | |
3240 | if (dst_reg->umin_value + umin_val < umin_val || | |
3241 | dst_reg->umax_value + umax_val < umax_val) { | |
3242 | dst_reg->umin_value = 0; | |
3243 | dst_reg->umax_value = U64_MAX; | |
3244 | } else { | |
3245 | dst_reg->umin_value += umin_val; | |
3246 | dst_reg->umax_value += umax_val; | |
3247 | } | |
f1174f77 | 3248 | dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); |
48461135 JB |
3249 | break; |
3250 | case BPF_SUB: | |
b03c9f9f EC |
3251 | if (signed_sub_overflows(dst_reg->smin_value, smax_val) || |
3252 | signed_sub_overflows(dst_reg->smax_value, smin_val)) { | |
3253 | /* Overflow possible, we know nothing */ | |
3254 | dst_reg->smin_value = S64_MIN; | |
3255 | dst_reg->smax_value = S64_MAX; | |
3256 | } else { | |
3257 | dst_reg->smin_value -= smax_val; | |
3258 | dst_reg->smax_value -= smin_val; | |
3259 | } | |
3260 | if (dst_reg->umin_value < umax_val) { | |
3261 | /* Overflow possible, we know nothing */ | |
3262 | dst_reg->umin_value = 0; | |
3263 | dst_reg->umax_value = U64_MAX; | |
3264 | } else { | |
3265 | /* Cannot overflow (as long as bounds are consistent) */ | |
3266 | dst_reg->umin_value -= umax_val; | |
3267 | dst_reg->umax_value -= umin_val; | |
3268 | } | |
f1174f77 | 3269 | dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off); |
48461135 JB |
3270 | break; |
3271 | case BPF_MUL: | |
b03c9f9f EC |
3272 | dst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off); |
3273 | if (smin_val < 0 || dst_reg->smin_value < 0) { | |
f1174f77 | 3274 | /* Ain't nobody got time to multiply that sign */ |
b03c9f9f EC |
3275 | __mark_reg_unbounded(dst_reg); |
3276 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
3277 | break; |
3278 | } | |
b03c9f9f EC |
3279 | /* Both values are positive, so we can work with unsigned and |
3280 | * copy the result to signed (unless it exceeds S64_MAX). | |
f1174f77 | 3281 | */ |
b03c9f9f EC |
3282 | if (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) { |
3283 | /* Potential overflow, we know nothing */ | |
3284 | __mark_reg_unbounded(dst_reg); | |
3285 | /* (except what we can learn from the var_off) */ | |
3286 | __update_reg_bounds(dst_reg); | |
3287 | break; | |
3288 | } | |
3289 | dst_reg->umin_value *= umin_val; | |
3290 | dst_reg->umax_value *= umax_val; | |
3291 | if (dst_reg->umax_value > S64_MAX) { | |
3292 | /* Overflow possible, we know nothing */ | |
3293 | dst_reg->smin_value = S64_MIN; | |
3294 | dst_reg->smax_value = S64_MAX; | |
3295 | } else { | |
3296 | dst_reg->smin_value = dst_reg->umin_value; | |
3297 | dst_reg->smax_value = dst_reg->umax_value; | |
3298 | } | |
48461135 JB |
3299 | break; |
3300 | case BPF_AND: | |
f1174f77 | 3301 | if (src_known && dst_known) { |
b03c9f9f EC |
3302 | __mark_reg_known(dst_reg, dst_reg->var_off.value & |
3303 | src_reg.var_off.value); | |
f1174f77 EC |
3304 | break; |
3305 | } | |
b03c9f9f EC |
3306 | /* We get our minimum from the var_off, since that's inherently |
3307 | * bitwise. Our maximum is the minimum of the operands' maxima. | |
f23cc643 | 3308 | */ |
f1174f77 | 3309 | dst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off); |
b03c9f9f EC |
3310 | dst_reg->umin_value = dst_reg->var_off.value; |
3311 | dst_reg->umax_value = min(dst_reg->umax_value, umax_val); | |
3312 | if (dst_reg->smin_value < 0 || smin_val < 0) { | |
3313 | /* Lose signed bounds when ANDing negative numbers, | |
3314 | * ain't nobody got time for that. | |
3315 | */ | |
3316 | dst_reg->smin_value = S64_MIN; | |
3317 | dst_reg->smax_value = S64_MAX; | |
3318 | } else { | |
3319 | /* ANDing two positives gives a positive, so safe to | |
3320 | * cast result into s64. | |
3321 | */ | |
3322 | dst_reg->smin_value = dst_reg->umin_value; | |
3323 | dst_reg->smax_value = dst_reg->umax_value; | |
3324 | } | |
3325 | /* We may learn something more from the var_off */ | |
3326 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
3327 | break; |
3328 | case BPF_OR: | |
3329 | if (src_known && dst_known) { | |
b03c9f9f EC |
3330 | __mark_reg_known(dst_reg, dst_reg->var_off.value | |
3331 | src_reg.var_off.value); | |
f1174f77 EC |
3332 | break; |
3333 | } | |
b03c9f9f EC |
3334 | /* We get our maximum from the var_off, and our minimum is the |
3335 | * maximum of the operands' minima | |
f1174f77 EC |
3336 | */ |
3337 | dst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off); | |
b03c9f9f EC |
3338 | dst_reg->umin_value = max(dst_reg->umin_value, umin_val); |
3339 | dst_reg->umax_value = dst_reg->var_off.value | | |
3340 | dst_reg->var_off.mask; | |
3341 | if (dst_reg->smin_value < 0 || smin_val < 0) { | |
3342 | /* Lose signed bounds when ORing negative numbers, | |
3343 | * ain't nobody got time for that. | |
3344 | */ | |
3345 | dst_reg->smin_value = S64_MIN; | |
3346 | dst_reg->smax_value = S64_MAX; | |
f1174f77 | 3347 | } else { |
b03c9f9f EC |
3348 | /* ORing two positives gives a positive, so safe to |
3349 | * cast result into s64. | |
3350 | */ | |
3351 | dst_reg->smin_value = dst_reg->umin_value; | |
3352 | dst_reg->smax_value = dst_reg->umax_value; | |
f1174f77 | 3353 | } |
b03c9f9f EC |
3354 | /* We may learn something more from the var_off */ |
3355 | __update_reg_bounds(dst_reg); | |
48461135 JB |
3356 | break; |
3357 | case BPF_LSH: | |
468f6eaf JH |
3358 | if (umax_val >= insn_bitness) { |
3359 | /* Shifts greater than 31 or 63 are undefined. | |
3360 | * This includes shifts by a negative number. | |
b03c9f9f | 3361 | */ |
61bd5218 | 3362 | mark_reg_unknown(env, regs, insn->dst_reg); |
f1174f77 EC |
3363 | break; |
3364 | } | |
b03c9f9f EC |
3365 | /* We lose all sign bit information (except what we can pick |
3366 | * up from var_off) | |
48461135 | 3367 | */ |
b03c9f9f EC |
3368 | dst_reg->smin_value = S64_MIN; |
3369 | dst_reg->smax_value = S64_MAX; | |
3370 | /* If we might shift our top bit out, then we know nothing */ | |
3371 | if (dst_reg->umax_value > 1ULL << (63 - umax_val)) { | |
3372 | dst_reg->umin_value = 0; | |
3373 | dst_reg->umax_value = U64_MAX; | |
d1174416 | 3374 | } else { |
b03c9f9f EC |
3375 | dst_reg->umin_value <<= umin_val; |
3376 | dst_reg->umax_value <<= umax_val; | |
d1174416 | 3377 | } |
afbe1a5b | 3378 | dst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val); |
b03c9f9f EC |
3379 | /* We may learn something more from the var_off */ |
3380 | __update_reg_bounds(dst_reg); | |
48461135 JB |
3381 | break; |
3382 | case BPF_RSH: | |
468f6eaf JH |
3383 | if (umax_val >= insn_bitness) { |
3384 | /* Shifts greater than 31 or 63 are undefined. | |
3385 | * This includes shifts by a negative number. | |
b03c9f9f | 3386 | */ |
61bd5218 | 3387 | mark_reg_unknown(env, regs, insn->dst_reg); |
f1174f77 EC |
3388 | break; |
3389 | } | |
4374f256 EC |
3390 | /* BPF_RSH is an unsigned shift. If the value in dst_reg might |
3391 | * be negative, then either: | |
3392 | * 1) src_reg might be zero, so the sign bit of the result is | |
3393 | * unknown, so we lose our signed bounds | |
3394 | * 2) it's known negative, thus the unsigned bounds capture the | |
3395 | * signed bounds | |
3396 | * 3) the signed bounds cross zero, so they tell us nothing | |
3397 | * about the result | |
3398 | * If the value in dst_reg is known nonnegative, then again the | |
3399 | * unsigned bounts capture the signed bounds. | |
3400 | * Thus, in all cases it suffices to blow away our signed bounds | |
3401 | * and rely on inferring new ones from the unsigned bounds and | |
3402 | * var_off of the result. | |
3403 | */ | |
3404 | dst_reg->smin_value = S64_MIN; | |
3405 | dst_reg->smax_value = S64_MAX; | |
afbe1a5b | 3406 | dst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val); |
b03c9f9f EC |
3407 | dst_reg->umin_value >>= umax_val; |
3408 | dst_reg->umax_value >>= umin_val; | |
3409 | /* We may learn something more from the var_off */ | |
3410 | __update_reg_bounds(dst_reg); | |
48461135 | 3411 | break; |
9cbe1f5a YS |
3412 | case BPF_ARSH: |
3413 | if (umax_val >= insn_bitness) { | |
3414 | /* Shifts greater than 31 or 63 are undefined. | |
3415 | * This includes shifts by a negative number. | |
3416 | */ | |
3417 | mark_reg_unknown(env, regs, insn->dst_reg); | |
3418 | break; | |
3419 | } | |
3420 | ||
3421 | /* Upon reaching here, src_known is true and | |
3422 | * umax_val is equal to umin_val. | |
3423 | */ | |
3424 | dst_reg->smin_value >>= umin_val; | |
3425 | dst_reg->smax_value >>= umin_val; | |
3426 | dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val); | |
3427 | ||
3428 | /* blow away the dst_reg umin_value/umax_value and rely on | |
3429 | * dst_reg var_off to refine the result. | |
3430 | */ | |
3431 | dst_reg->umin_value = 0; | |
3432 | dst_reg->umax_value = U64_MAX; | |
3433 | __update_reg_bounds(dst_reg); | |
3434 | break; | |
48461135 | 3435 | default: |
61bd5218 | 3436 | mark_reg_unknown(env, regs, insn->dst_reg); |
48461135 JB |
3437 | break; |
3438 | } | |
3439 | ||
468f6eaf JH |
3440 | if (BPF_CLASS(insn->code) != BPF_ALU64) { |
3441 | /* 32-bit ALU ops are (32,32)->32 */ | |
3442 | coerce_reg_to_size(dst_reg, 4); | |
468f6eaf JH |
3443 | } |
3444 | ||
b03c9f9f EC |
3445 | __reg_deduce_bounds(dst_reg); |
3446 | __reg_bound_offset(dst_reg); | |
f1174f77 EC |
3447 | return 0; |
3448 | } | |
3449 | ||
3450 | /* Handles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max | |
3451 | * and var_off. | |
3452 | */ | |
3453 | static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, | |
3454 | struct bpf_insn *insn) | |
3455 | { | |
f4d7e40a AS |
3456 | struct bpf_verifier_state *vstate = env->cur_state; |
3457 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
3458 | struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg; | |
f1174f77 EC |
3459 | struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; |
3460 | u8 opcode = BPF_OP(insn->code); | |
f1174f77 EC |
3461 | |
3462 | dst_reg = ®s[insn->dst_reg]; | |
f1174f77 EC |
3463 | src_reg = NULL; |
3464 | if (dst_reg->type != SCALAR_VALUE) | |
3465 | ptr_reg = dst_reg; | |
3466 | if (BPF_SRC(insn->code) == BPF_X) { | |
3467 | src_reg = ®s[insn->src_reg]; | |
f1174f77 EC |
3468 | if (src_reg->type != SCALAR_VALUE) { |
3469 | if (dst_reg->type != SCALAR_VALUE) { | |
3470 | /* Combining two pointers by any ALU op yields | |
82abbf8d AS |
3471 | * an arbitrary scalar. Disallow all math except |
3472 | * pointer subtraction | |
f1174f77 | 3473 | */ |
dd066823 | 3474 | if (opcode == BPF_SUB && env->allow_ptr_leaks) { |
82abbf8d AS |
3475 | mark_reg_unknown(env, regs, insn->dst_reg); |
3476 | return 0; | |
f1174f77 | 3477 | } |
82abbf8d AS |
3478 | verbose(env, "R%d pointer %s pointer prohibited\n", |
3479 | insn->dst_reg, | |
3480 | bpf_alu_string[opcode >> 4]); | |
3481 | return -EACCES; | |
f1174f77 EC |
3482 | } else { |
3483 | /* scalar += pointer | |
3484 | * This is legal, but we have to reverse our | |
3485 | * src/dest handling in computing the range | |
3486 | */ | |
82abbf8d AS |
3487 | return adjust_ptr_min_max_vals(env, insn, |
3488 | src_reg, dst_reg); | |
f1174f77 EC |
3489 | } |
3490 | } else if (ptr_reg) { | |
3491 | /* pointer += scalar */ | |
82abbf8d AS |
3492 | return adjust_ptr_min_max_vals(env, insn, |
3493 | dst_reg, src_reg); | |
f1174f77 EC |
3494 | } |
3495 | } else { | |
3496 | /* Pretend the src is a reg with a known value, since we only | |
3497 | * need to be able to read from this state. | |
3498 | */ | |
3499 | off_reg.type = SCALAR_VALUE; | |
b03c9f9f | 3500 | __mark_reg_known(&off_reg, insn->imm); |
f1174f77 | 3501 | src_reg = &off_reg; |
82abbf8d AS |
3502 | if (ptr_reg) /* pointer += K */ |
3503 | return adjust_ptr_min_max_vals(env, insn, | |
3504 | ptr_reg, src_reg); | |
f1174f77 EC |
3505 | } |
3506 | ||
3507 | /* Got here implies adding two SCALAR_VALUEs */ | |
3508 | if (WARN_ON_ONCE(ptr_reg)) { | |
f4d7e40a | 3509 | print_verifier_state(env, state); |
61bd5218 | 3510 | verbose(env, "verifier internal error: unexpected ptr_reg\n"); |
f1174f77 EC |
3511 | return -EINVAL; |
3512 | } | |
3513 | if (WARN_ON(!src_reg)) { | |
f4d7e40a | 3514 | print_verifier_state(env, state); |
61bd5218 | 3515 | verbose(env, "verifier internal error: no src_reg\n"); |
f1174f77 EC |
3516 | return -EINVAL; |
3517 | } | |
3518 | return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); | |
48461135 JB |
3519 | } |
3520 | ||
17a52670 | 3521 | /* check validity of 32-bit and 64-bit arithmetic operations */ |
58e2af8b | 3522 | static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a52670 | 3523 | { |
638f5b90 | 3524 | struct bpf_reg_state *regs = cur_regs(env); |
17a52670 AS |
3525 | u8 opcode = BPF_OP(insn->code); |
3526 | int err; | |
3527 | ||
3528 | if (opcode == BPF_END || opcode == BPF_NEG) { | |
3529 | if (opcode == BPF_NEG) { | |
3530 | if (BPF_SRC(insn->code) != 0 || | |
3531 | insn->src_reg != BPF_REG_0 || | |
3532 | insn->off != 0 || insn->imm != 0) { | |
61bd5218 | 3533 | verbose(env, "BPF_NEG uses reserved fields\n"); |
17a52670 AS |
3534 | return -EINVAL; |
3535 | } | |
3536 | } else { | |
3537 | if (insn->src_reg != BPF_REG_0 || insn->off != 0 || | |
e67b8a68 EC |
3538 | (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || |
3539 | BPF_CLASS(insn->code) == BPF_ALU64) { | |
61bd5218 | 3540 | verbose(env, "BPF_END uses reserved fields\n"); |
17a52670 AS |
3541 | return -EINVAL; |
3542 | } | |
3543 | } | |
3544 | ||
3545 | /* check src operand */ | |
dc503a8a | 3546 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
3547 | if (err) |
3548 | return err; | |
3549 | ||
1be7f75d | 3550 | if (is_pointer_value(env, insn->dst_reg)) { |
61bd5218 | 3551 | verbose(env, "R%d pointer arithmetic prohibited\n", |
1be7f75d AS |
3552 | insn->dst_reg); |
3553 | return -EACCES; | |
3554 | } | |
3555 | ||
17a52670 | 3556 | /* check dest operand */ |
dc503a8a | 3557 | err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a52670 AS |
3558 | if (err) |
3559 | return err; | |
3560 | ||
3561 | } else if (opcode == BPF_MOV) { | |
3562 | ||
3563 | if (BPF_SRC(insn->code) == BPF_X) { | |
3564 | if (insn->imm != 0 || insn->off != 0) { | |
61bd5218 | 3565 | verbose(env, "BPF_MOV uses reserved fields\n"); |
17a52670 AS |
3566 | return -EINVAL; |
3567 | } | |
3568 | ||
3569 | /* check src operand */ | |
dc503a8a | 3570 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
3571 | if (err) |
3572 | return err; | |
3573 | } else { | |
3574 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | |
61bd5218 | 3575 | verbose(env, "BPF_MOV uses reserved fields\n"); |
17a52670 AS |
3576 | return -EINVAL; |
3577 | } | |
3578 | } | |
3579 | ||
fbeb1603 AF |
3580 | /* check dest operand, mark as required later */ |
3581 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); | |
17a52670 AS |
3582 | if (err) |
3583 | return err; | |
3584 | ||
3585 | if (BPF_SRC(insn->code) == BPF_X) { | |
3586 | if (BPF_CLASS(insn->code) == BPF_ALU64) { | |
3587 | /* case: R1 = R2 | |
3588 | * copy register state to dest reg | |
3589 | */ | |
3590 | regs[insn->dst_reg] = regs[insn->src_reg]; | |
8fe2d6cc | 3591 | regs[insn->dst_reg].live |= REG_LIVE_WRITTEN; |
17a52670 | 3592 | } else { |
f1174f77 | 3593 | /* R1 = (u32) R2 */ |
1be7f75d | 3594 | if (is_pointer_value(env, insn->src_reg)) { |
61bd5218 JK |
3595 | verbose(env, |
3596 | "R%d partial copy of pointer\n", | |
1be7f75d AS |
3597 | insn->src_reg); |
3598 | return -EACCES; | |
3599 | } | |
61bd5218 | 3600 | mark_reg_unknown(env, regs, insn->dst_reg); |
0c17d1d2 | 3601 | coerce_reg_to_size(®s[insn->dst_reg], 4); |
17a52670 AS |
3602 | } |
3603 | } else { | |
3604 | /* case: R = imm | |
3605 | * remember the value we stored into this reg | |
3606 | */ | |
fbeb1603 AF |
3607 | /* clear any state __mark_reg_known doesn't set */ |
3608 | mark_reg_unknown(env, regs, insn->dst_reg); | |
f1174f77 | 3609 | regs[insn->dst_reg].type = SCALAR_VALUE; |
95a762e2 JH |
3610 | if (BPF_CLASS(insn->code) == BPF_ALU64) { |
3611 | __mark_reg_known(regs + insn->dst_reg, | |
3612 | insn->imm); | |
3613 | } else { | |
3614 | __mark_reg_known(regs + insn->dst_reg, | |
3615 | (u32)insn->imm); | |
3616 | } | |
17a52670 AS |
3617 | } |
3618 | ||
3619 | } else if (opcode > BPF_END) { | |
61bd5218 | 3620 | verbose(env, "invalid BPF_ALU opcode %x\n", opcode); |
17a52670 AS |
3621 | return -EINVAL; |
3622 | ||
3623 | } else { /* all other ALU ops: and, sub, xor, add, ... */ | |
3624 | ||
17a52670 AS |
3625 | if (BPF_SRC(insn->code) == BPF_X) { |
3626 | if (insn->imm != 0 || insn->off != 0) { | |
61bd5218 | 3627 | verbose(env, "BPF_ALU uses reserved fields\n"); |
17a52670 AS |
3628 | return -EINVAL; |
3629 | } | |
3630 | /* check src1 operand */ | |
dc503a8a | 3631 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
3632 | if (err) |
3633 | return err; | |
3634 | } else { | |
3635 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | |
61bd5218 | 3636 | verbose(env, "BPF_ALU uses reserved fields\n"); |
17a52670 AS |
3637 | return -EINVAL; |
3638 | } | |
3639 | } | |
3640 | ||
3641 | /* check src2 operand */ | |
dc503a8a | 3642 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
3643 | if (err) |
3644 | return err; | |
3645 | ||
3646 | if ((opcode == BPF_MOD || opcode == BPF_DIV) && | |
3647 | BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { | |
61bd5218 | 3648 | verbose(env, "div by zero\n"); |
17a52670 AS |
3649 | return -EINVAL; |
3650 | } | |
3651 | ||
229394e8 RV |
3652 | if ((opcode == BPF_LSH || opcode == BPF_RSH || |
3653 | opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { | |
3654 | int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; | |
3655 | ||
3656 | if (insn->imm < 0 || insn->imm >= size) { | |
61bd5218 | 3657 | verbose(env, "invalid shift %d\n", insn->imm); |
229394e8 RV |
3658 | return -EINVAL; |
3659 | } | |
3660 | } | |
3661 | ||
1a0dc1ac | 3662 | /* check dest operand */ |
dc503a8a | 3663 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
1a0dc1ac AS |
3664 | if (err) |
3665 | return err; | |
3666 | ||
f1174f77 | 3667 | return adjust_reg_min_max_vals(env, insn); |
17a52670 AS |
3668 | } |
3669 | ||
3670 | return 0; | |
3671 | } | |
3672 | ||
f4d7e40a | 3673 | static void find_good_pkt_pointers(struct bpf_verifier_state *vstate, |
de8f3a83 | 3674 | struct bpf_reg_state *dst_reg, |
f8ddadc4 | 3675 | enum bpf_reg_type type, |
fb2a311a | 3676 | bool range_right_open) |
969bf05e | 3677 | { |
f4d7e40a | 3678 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
58e2af8b | 3679 | struct bpf_reg_state *regs = state->regs, *reg; |
fb2a311a | 3680 | u16 new_range; |
f4d7e40a | 3681 | int i, j; |
2d2be8ca | 3682 | |
fb2a311a DB |
3683 | if (dst_reg->off < 0 || |
3684 | (dst_reg->off == 0 && range_right_open)) | |
f1174f77 EC |
3685 | /* This doesn't give us any range */ |
3686 | return; | |
3687 | ||
b03c9f9f EC |
3688 | if (dst_reg->umax_value > MAX_PACKET_OFF || |
3689 | dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF) | |
f1174f77 EC |
3690 | /* Risk of overflow. For instance, ptr + (1<<63) may be less |
3691 | * than pkt_end, but that's because it's also less than pkt. | |
3692 | */ | |
3693 | return; | |
3694 | ||
fb2a311a DB |
3695 | new_range = dst_reg->off; |
3696 | if (range_right_open) | |
3697 | new_range--; | |
3698 | ||
3699 | /* Examples for register markings: | |
2d2be8ca | 3700 | * |
fb2a311a | 3701 | * pkt_data in dst register: |
2d2be8ca DB |
3702 | * |
3703 | * r2 = r3; | |
3704 | * r2 += 8; | |
3705 | * if (r2 > pkt_end) goto <handle exception> | |
3706 | * <access okay> | |
3707 | * | |
b4e432f1 DB |
3708 | * r2 = r3; |
3709 | * r2 += 8; | |
3710 | * if (r2 < pkt_end) goto <access okay> | |
3711 | * <handle exception> | |
3712 | * | |
2d2be8ca DB |
3713 | * Where: |
3714 | * r2 == dst_reg, pkt_end == src_reg | |
3715 | * r2=pkt(id=n,off=8,r=0) | |
3716 | * r3=pkt(id=n,off=0,r=0) | |
3717 | * | |
fb2a311a | 3718 | * pkt_data in src register: |
2d2be8ca DB |
3719 | * |
3720 | * r2 = r3; | |
3721 | * r2 += 8; | |
3722 | * if (pkt_end >= r2) goto <access okay> | |
3723 | * <handle exception> | |
3724 | * | |
b4e432f1 DB |
3725 | * r2 = r3; |
3726 | * r2 += 8; | |
3727 | * if (pkt_end <= r2) goto <handle exception> | |
3728 | * <access okay> | |
3729 | * | |
2d2be8ca DB |
3730 | * Where: |
3731 | * pkt_end == dst_reg, r2 == src_reg | |
3732 | * r2=pkt(id=n,off=8,r=0) | |
3733 | * r3=pkt(id=n,off=0,r=0) | |
3734 | * | |
3735 | * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8) | |
fb2a311a DB |
3736 | * or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8) |
3737 | * and [r3, r3 + 8-1) respectively is safe to access depending on | |
3738 | * the check. | |
969bf05e | 3739 | */ |
2d2be8ca | 3740 | |
f1174f77 EC |
3741 | /* If our ids match, then we must have the same max_value. And we |
3742 | * don't care about the other reg's fixed offset, since if it's too big | |
3743 | * the range won't allow anything. | |
3744 | * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16. | |
3745 | */ | |
969bf05e | 3746 | for (i = 0; i < MAX_BPF_REG; i++) |
de8f3a83 | 3747 | if (regs[i].type == type && regs[i].id == dst_reg->id) |
b1977682 | 3748 | /* keep the maximum range already checked */ |
fb2a311a | 3749 | regs[i].range = max(regs[i].range, new_range); |
969bf05e | 3750 | |
f4d7e40a AS |
3751 | for (j = 0; j <= vstate->curframe; j++) { |
3752 | state = vstate->frame[j]; | |
f3709f69 JS |
3753 | bpf_for_each_spilled_reg(i, state, reg) { |
3754 | if (!reg) | |
f4d7e40a | 3755 | continue; |
f4d7e40a AS |
3756 | if (reg->type == type && reg->id == dst_reg->id) |
3757 | reg->range = max(reg->range, new_range); | |
3758 | } | |
969bf05e AS |
3759 | } |
3760 | } | |
3761 | ||
48461135 JB |
3762 | /* Adjusts the register min/max values in the case that the dst_reg is the |
3763 | * variable register that we are working on, and src_reg is a constant or we're | |
3764 | * simply doing a BPF_K check. | |
f1174f77 | 3765 | * In JEQ/JNE cases we also adjust the var_off values. |
48461135 JB |
3766 | */ |
3767 | static void reg_set_min_max(struct bpf_reg_state *true_reg, | |
3768 | struct bpf_reg_state *false_reg, u64 val, | |
3769 | u8 opcode) | |
3770 | { | |
f1174f77 EC |
3771 | /* If the dst_reg is a pointer, we can't learn anything about its |
3772 | * variable offset from the compare (unless src_reg were a pointer into | |
3773 | * the same object, but we don't bother with that. | |
3774 | * Since false_reg and true_reg have the same type by construction, we | |
3775 | * only need to check one of them for pointerness. | |
3776 | */ | |
3777 | if (__is_pointer_value(false, false_reg)) | |
3778 | return; | |
4cabc5b1 | 3779 | |
48461135 JB |
3780 | switch (opcode) { |
3781 | case BPF_JEQ: | |
3782 | /* If this is false then we know nothing Jon Snow, but if it is | |
3783 | * true then we know for sure. | |
3784 | */ | |
b03c9f9f | 3785 | __mark_reg_known(true_reg, val); |
48461135 JB |
3786 | break; |
3787 | case BPF_JNE: | |
3788 | /* If this is true we know nothing Jon Snow, but if it is false | |
3789 | * we know the value for sure; | |
3790 | */ | |
b03c9f9f | 3791 | __mark_reg_known(false_reg, val); |
48461135 JB |
3792 | break; |
3793 | case BPF_JGT: | |
b03c9f9f EC |
3794 | false_reg->umax_value = min(false_reg->umax_value, val); |
3795 | true_reg->umin_value = max(true_reg->umin_value, val + 1); | |
3796 | break; | |
48461135 | 3797 | case BPF_JSGT: |
b03c9f9f EC |
3798 | false_reg->smax_value = min_t(s64, false_reg->smax_value, val); |
3799 | true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1); | |
48461135 | 3800 | break; |
b4e432f1 DB |
3801 | case BPF_JLT: |
3802 | false_reg->umin_value = max(false_reg->umin_value, val); | |
3803 | true_reg->umax_value = min(true_reg->umax_value, val - 1); | |
3804 | break; | |
3805 | case BPF_JSLT: | |
3806 | false_reg->smin_value = max_t(s64, false_reg->smin_value, val); | |
3807 | true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1); | |
3808 | break; | |
48461135 | 3809 | case BPF_JGE: |
b03c9f9f EC |
3810 | false_reg->umax_value = min(false_reg->umax_value, val - 1); |
3811 | true_reg->umin_value = max(true_reg->umin_value, val); | |
3812 | break; | |
48461135 | 3813 | case BPF_JSGE: |
b03c9f9f EC |
3814 | false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1); |
3815 | true_reg->smin_value = max_t(s64, true_reg->smin_value, val); | |
48461135 | 3816 | break; |
b4e432f1 DB |
3817 | case BPF_JLE: |
3818 | false_reg->umin_value = max(false_reg->umin_value, val + 1); | |
3819 | true_reg->umax_value = min(true_reg->umax_value, val); | |
3820 | break; | |
3821 | case BPF_JSLE: | |
3822 | false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1); | |
3823 | true_reg->smax_value = min_t(s64, true_reg->smax_value, val); | |
3824 | break; | |
48461135 JB |
3825 | default: |
3826 | break; | |
3827 | } | |
3828 | ||
b03c9f9f EC |
3829 | __reg_deduce_bounds(false_reg); |
3830 | __reg_deduce_bounds(true_reg); | |
3831 | /* We might have learned some bits from the bounds. */ | |
3832 | __reg_bound_offset(false_reg); | |
3833 | __reg_bound_offset(true_reg); | |
3834 | /* Intersecting with the old var_off might have improved our bounds | |
3835 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
3836 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
3837 | */ | |
3838 | __update_reg_bounds(false_reg); | |
3839 | __update_reg_bounds(true_reg); | |
48461135 JB |
3840 | } |
3841 | ||
f1174f77 EC |
3842 | /* Same as above, but for the case that dst_reg holds a constant and src_reg is |
3843 | * the variable reg. | |
48461135 JB |
3844 | */ |
3845 | static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, | |
3846 | struct bpf_reg_state *false_reg, u64 val, | |
3847 | u8 opcode) | |
3848 | { | |
f1174f77 EC |
3849 | if (__is_pointer_value(false, false_reg)) |
3850 | return; | |
4cabc5b1 | 3851 | |
48461135 JB |
3852 | switch (opcode) { |
3853 | case BPF_JEQ: | |
3854 | /* If this is false then we know nothing Jon Snow, but if it is | |
3855 | * true then we know for sure. | |
3856 | */ | |
b03c9f9f | 3857 | __mark_reg_known(true_reg, val); |
48461135 JB |
3858 | break; |
3859 | case BPF_JNE: | |
3860 | /* If this is true we know nothing Jon Snow, but if it is false | |
3861 | * we know the value for sure; | |
3862 | */ | |
b03c9f9f | 3863 | __mark_reg_known(false_reg, val); |
48461135 JB |
3864 | break; |
3865 | case BPF_JGT: | |
b03c9f9f EC |
3866 | true_reg->umax_value = min(true_reg->umax_value, val - 1); |
3867 | false_reg->umin_value = max(false_reg->umin_value, val); | |
3868 | break; | |
48461135 | 3869 | case BPF_JSGT: |
b03c9f9f EC |
3870 | true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1); |
3871 | false_reg->smin_value = max_t(s64, false_reg->smin_value, val); | |
48461135 | 3872 | break; |
b4e432f1 DB |
3873 | case BPF_JLT: |
3874 | true_reg->umin_value = max(true_reg->umin_value, val + 1); | |
3875 | false_reg->umax_value = min(false_reg->umax_value, val); | |
3876 | break; | |
3877 | case BPF_JSLT: | |
3878 | true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1); | |
3879 | false_reg->smax_value = min_t(s64, false_reg->smax_value, val); | |
3880 | break; | |
48461135 | 3881 | case BPF_JGE: |
b03c9f9f EC |
3882 | true_reg->umax_value = min(true_reg->umax_value, val); |
3883 | false_reg->umin_value = max(false_reg->umin_value, val + 1); | |
3884 | break; | |
48461135 | 3885 | case BPF_JSGE: |
b03c9f9f EC |
3886 | true_reg->smax_value = min_t(s64, true_reg->smax_value, val); |
3887 | false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1); | |
48461135 | 3888 | break; |
b4e432f1 DB |
3889 | case BPF_JLE: |
3890 | true_reg->umin_value = max(true_reg->umin_value, val); | |
3891 | false_reg->umax_value = min(false_reg->umax_value, val - 1); | |
3892 | break; | |
3893 | case BPF_JSLE: | |
3894 | true_reg->smin_value = max_t(s64, true_reg->smin_value, val); | |
3895 | false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1); | |
3896 | break; | |
48461135 JB |
3897 | default: |
3898 | break; | |
3899 | } | |
3900 | ||
b03c9f9f EC |
3901 | __reg_deduce_bounds(false_reg); |
3902 | __reg_deduce_bounds(true_reg); | |
3903 | /* We might have learned some bits from the bounds. */ | |
3904 | __reg_bound_offset(false_reg); | |
3905 | __reg_bound_offset(true_reg); | |
3906 | /* Intersecting with the old var_off might have improved our bounds | |
3907 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
3908 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
3909 | */ | |
3910 | __update_reg_bounds(false_reg); | |
3911 | __update_reg_bounds(true_reg); | |
f1174f77 EC |
3912 | } |
3913 | ||
3914 | /* Regs are known to be equal, so intersect their min/max/var_off */ | |
3915 | static void __reg_combine_min_max(struct bpf_reg_state *src_reg, | |
3916 | struct bpf_reg_state *dst_reg) | |
3917 | { | |
b03c9f9f EC |
3918 | src_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value, |
3919 | dst_reg->umin_value); | |
3920 | src_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value, | |
3921 | dst_reg->umax_value); | |
3922 | src_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value, | |
3923 | dst_reg->smin_value); | |
3924 | src_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value, | |
3925 | dst_reg->smax_value); | |
f1174f77 EC |
3926 | src_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off, |
3927 | dst_reg->var_off); | |
b03c9f9f EC |
3928 | /* We might have learned new bounds from the var_off. */ |
3929 | __update_reg_bounds(src_reg); | |
3930 | __update_reg_bounds(dst_reg); | |
3931 | /* We might have learned something about the sign bit. */ | |
3932 | __reg_deduce_bounds(src_reg); | |
3933 | __reg_deduce_bounds(dst_reg); | |
3934 | /* We might have learned some bits from the bounds. */ | |
3935 | __reg_bound_offset(src_reg); | |
3936 | __reg_bound_offset(dst_reg); | |
3937 | /* Intersecting with the old var_off might have improved our bounds | |
3938 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
3939 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
3940 | */ | |
3941 | __update_reg_bounds(src_reg); | |
3942 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
3943 | } |
3944 | ||
3945 | static void reg_combine_min_max(struct bpf_reg_state *true_src, | |
3946 | struct bpf_reg_state *true_dst, | |
3947 | struct bpf_reg_state *false_src, | |
3948 | struct bpf_reg_state *false_dst, | |
3949 | u8 opcode) | |
3950 | { | |
3951 | switch (opcode) { | |
3952 | case BPF_JEQ: | |
3953 | __reg_combine_min_max(true_src, true_dst); | |
3954 | break; | |
3955 | case BPF_JNE: | |
3956 | __reg_combine_min_max(false_src, false_dst); | |
b03c9f9f | 3957 | break; |
4cabc5b1 | 3958 | } |
48461135 JB |
3959 | } |
3960 | ||
fd978bf7 JS |
3961 | static void mark_ptr_or_null_reg(struct bpf_func_state *state, |
3962 | struct bpf_reg_state *reg, u32 id, | |
840b9615 | 3963 | bool is_null) |
57a09bf0 | 3964 | { |
840b9615 | 3965 | if (reg_type_may_be_null(reg->type) && reg->id == id) { |
f1174f77 EC |
3966 | /* Old offset (both fixed and variable parts) should |
3967 | * have been known-zero, because we don't allow pointer | |
3968 | * arithmetic on pointers that might be NULL. | |
3969 | */ | |
b03c9f9f EC |
3970 | if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || |
3971 | !tnum_equals_const(reg->var_off, 0) || | |
f1174f77 | 3972 | reg->off)) { |
b03c9f9f EC |
3973 | __mark_reg_known_zero(reg); |
3974 | reg->off = 0; | |
f1174f77 EC |
3975 | } |
3976 | if (is_null) { | |
3977 | reg->type = SCALAR_VALUE; | |
840b9615 JS |
3978 | } else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
3979 | if (reg->map_ptr->inner_map_meta) { | |
3980 | reg->type = CONST_PTR_TO_MAP; | |
3981 | reg->map_ptr = reg->map_ptr->inner_map_meta; | |
3982 | } else { | |
3983 | reg->type = PTR_TO_MAP_VALUE; | |
3984 | } | |
c64b7983 JS |
3985 | } else if (reg->type == PTR_TO_SOCKET_OR_NULL) { |
3986 | reg->type = PTR_TO_SOCKET; | |
56f668df | 3987 | } |
fd978bf7 JS |
3988 | if (is_null || !reg_is_refcounted(reg)) { |
3989 | /* We don't need id from this point onwards anymore, | |
3990 | * thus we should better reset it, so that state | |
3991 | * pruning has chances to take effect. | |
3992 | */ | |
3993 | reg->id = 0; | |
56f668df | 3994 | } |
57a09bf0 TG |
3995 | } |
3996 | } | |
3997 | ||
3998 | /* The logic is similar to find_good_pkt_pointers(), both could eventually | |
3999 | * be folded together at some point. | |
4000 | */ | |
840b9615 JS |
4001 | static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, |
4002 | bool is_null) | |
57a09bf0 | 4003 | { |
f4d7e40a | 4004 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
f3709f69 | 4005 | struct bpf_reg_state *reg, *regs = state->regs; |
a08dd0da | 4006 | u32 id = regs[regno].id; |
f4d7e40a | 4007 | int i, j; |
57a09bf0 | 4008 | |
fd978bf7 JS |
4009 | if (reg_is_refcounted_or_null(®s[regno]) && is_null) |
4010 | __release_reference_state(state, id); | |
4011 | ||
57a09bf0 | 4012 | for (i = 0; i < MAX_BPF_REG; i++) |
fd978bf7 | 4013 | mark_ptr_or_null_reg(state, ®s[i], id, is_null); |
57a09bf0 | 4014 | |
f4d7e40a AS |
4015 | for (j = 0; j <= vstate->curframe; j++) { |
4016 | state = vstate->frame[j]; | |
f3709f69 JS |
4017 | bpf_for_each_spilled_reg(i, state, reg) { |
4018 | if (!reg) | |
f4d7e40a | 4019 | continue; |
fd978bf7 | 4020 | mark_ptr_or_null_reg(state, reg, id, is_null); |
f4d7e40a | 4021 | } |
57a09bf0 TG |
4022 | } |
4023 | } | |
4024 | ||
5beca081 DB |
4025 | static bool try_match_pkt_pointers(const struct bpf_insn *insn, |
4026 | struct bpf_reg_state *dst_reg, | |
4027 | struct bpf_reg_state *src_reg, | |
4028 | struct bpf_verifier_state *this_branch, | |
4029 | struct bpf_verifier_state *other_branch) | |
4030 | { | |
4031 | if (BPF_SRC(insn->code) != BPF_X) | |
4032 | return false; | |
4033 | ||
4034 | switch (BPF_OP(insn->code)) { | |
4035 | case BPF_JGT: | |
4036 | if ((dst_reg->type == PTR_TO_PACKET && | |
4037 | src_reg->type == PTR_TO_PACKET_END) || | |
4038 | (dst_reg->type == PTR_TO_PACKET_META && | |
4039 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4040 | /* pkt_data' > pkt_end, pkt_meta' > pkt_data */ | |
4041 | find_good_pkt_pointers(this_branch, dst_reg, | |
4042 | dst_reg->type, false); | |
4043 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4044 | src_reg->type == PTR_TO_PACKET) || | |
4045 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4046 | src_reg->type == PTR_TO_PACKET_META)) { | |
4047 | /* pkt_end > pkt_data', pkt_data > pkt_meta' */ | |
4048 | find_good_pkt_pointers(other_branch, src_reg, | |
4049 | src_reg->type, true); | |
4050 | } else { | |
4051 | return false; | |
4052 | } | |
4053 | break; | |
4054 | case BPF_JLT: | |
4055 | if ((dst_reg->type == PTR_TO_PACKET && | |
4056 | src_reg->type == PTR_TO_PACKET_END) || | |
4057 | (dst_reg->type == PTR_TO_PACKET_META && | |
4058 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4059 | /* pkt_data' < pkt_end, pkt_meta' < pkt_data */ | |
4060 | find_good_pkt_pointers(other_branch, dst_reg, | |
4061 | dst_reg->type, true); | |
4062 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4063 | src_reg->type == PTR_TO_PACKET) || | |
4064 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4065 | src_reg->type == PTR_TO_PACKET_META)) { | |
4066 | /* pkt_end < pkt_data', pkt_data > pkt_meta' */ | |
4067 | find_good_pkt_pointers(this_branch, src_reg, | |
4068 | src_reg->type, false); | |
4069 | } else { | |
4070 | return false; | |
4071 | } | |
4072 | break; | |
4073 | case BPF_JGE: | |
4074 | if ((dst_reg->type == PTR_TO_PACKET && | |
4075 | src_reg->type == PTR_TO_PACKET_END) || | |
4076 | (dst_reg->type == PTR_TO_PACKET_META && | |
4077 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4078 | /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */ | |
4079 | find_good_pkt_pointers(this_branch, dst_reg, | |
4080 | dst_reg->type, true); | |
4081 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4082 | src_reg->type == PTR_TO_PACKET) || | |
4083 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4084 | src_reg->type == PTR_TO_PACKET_META)) { | |
4085 | /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */ | |
4086 | find_good_pkt_pointers(other_branch, src_reg, | |
4087 | src_reg->type, false); | |
4088 | } else { | |
4089 | return false; | |
4090 | } | |
4091 | break; | |
4092 | case BPF_JLE: | |
4093 | if ((dst_reg->type == PTR_TO_PACKET && | |
4094 | src_reg->type == PTR_TO_PACKET_END) || | |
4095 | (dst_reg->type == PTR_TO_PACKET_META && | |
4096 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4097 | /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */ | |
4098 | find_good_pkt_pointers(other_branch, dst_reg, | |
4099 | dst_reg->type, false); | |
4100 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4101 | src_reg->type == PTR_TO_PACKET) || | |
4102 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4103 | src_reg->type == PTR_TO_PACKET_META)) { | |
4104 | /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */ | |
4105 | find_good_pkt_pointers(this_branch, src_reg, | |
4106 | src_reg->type, true); | |
4107 | } else { | |
4108 | return false; | |
4109 | } | |
4110 | break; | |
4111 | default: | |
4112 | return false; | |
4113 | } | |
4114 | ||
4115 | return true; | |
4116 | } | |
4117 | ||
58e2af8b | 4118 | static int check_cond_jmp_op(struct bpf_verifier_env *env, |
17a52670 AS |
4119 | struct bpf_insn *insn, int *insn_idx) |
4120 | { | |
f4d7e40a AS |
4121 | struct bpf_verifier_state *this_branch = env->cur_state; |
4122 | struct bpf_verifier_state *other_branch; | |
4123 | struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs; | |
4124 | struct bpf_reg_state *dst_reg, *other_branch_regs; | |
17a52670 AS |
4125 | u8 opcode = BPF_OP(insn->code); |
4126 | int err; | |
4127 | ||
b4e432f1 | 4128 | if (opcode > BPF_JSLE) { |
61bd5218 | 4129 | verbose(env, "invalid BPF_JMP opcode %x\n", opcode); |
17a52670 AS |
4130 | return -EINVAL; |
4131 | } | |
4132 | ||
4133 | if (BPF_SRC(insn->code) == BPF_X) { | |
4134 | if (insn->imm != 0) { | |
61bd5218 | 4135 | verbose(env, "BPF_JMP uses reserved fields\n"); |
17a52670 AS |
4136 | return -EINVAL; |
4137 | } | |
4138 | ||
4139 | /* check src1 operand */ | |
dc503a8a | 4140 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
4141 | if (err) |
4142 | return err; | |
1be7f75d AS |
4143 | |
4144 | if (is_pointer_value(env, insn->src_reg)) { | |
61bd5218 | 4145 | verbose(env, "R%d pointer comparison prohibited\n", |
1be7f75d AS |
4146 | insn->src_reg); |
4147 | return -EACCES; | |
4148 | } | |
17a52670 AS |
4149 | } else { |
4150 | if (insn->src_reg != BPF_REG_0) { | |
61bd5218 | 4151 | verbose(env, "BPF_JMP uses reserved fields\n"); |
17a52670 AS |
4152 | return -EINVAL; |
4153 | } | |
4154 | } | |
4155 | ||
4156 | /* check src2 operand */ | |
dc503a8a | 4157 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
4158 | if (err) |
4159 | return err; | |
4160 | ||
1a0dc1ac AS |
4161 | dst_reg = ®s[insn->dst_reg]; |
4162 | ||
17a52670 AS |
4163 | /* detect if R == 0 where R was initialized to zero earlier */ |
4164 | if (BPF_SRC(insn->code) == BPF_K && | |
4165 | (opcode == BPF_JEQ || opcode == BPF_JNE) && | |
f1174f77 | 4166 | dst_reg->type == SCALAR_VALUE && |
3bf15921 AS |
4167 | tnum_is_const(dst_reg->var_off)) { |
4168 | if ((opcode == BPF_JEQ && dst_reg->var_off.value == insn->imm) || | |
4169 | (opcode == BPF_JNE && dst_reg->var_off.value != insn->imm)) { | |
17a52670 AS |
4170 | /* if (imm == imm) goto pc+off; |
4171 | * only follow the goto, ignore fall-through | |
4172 | */ | |
4173 | *insn_idx += insn->off; | |
4174 | return 0; | |
4175 | } else { | |
4176 | /* if (imm != imm) goto pc+off; | |
4177 | * only follow fall-through branch, since | |
4178 | * that's where the program will go | |
4179 | */ | |
4180 | return 0; | |
4181 | } | |
4182 | } | |
4183 | ||
4184 | other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx); | |
4185 | if (!other_branch) | |
4186 | return -EFAULT; | |
f4d7e40a | 4187 | other_branch_regs = other_branch->frame[other_branch->curframe]->regs; |
17a52670 | 4188 | |
48461135 JB |
4189 | /* detect if we are comparing against a constant value so we can adjust |
4190 | * our min/max values for our dst register. | |
f1174f77 EC |
4191 | * this is only legit if both are scalars (or pointers to the same |
4192 | * object, I suppose, but we don't support that right now), because | |
4193 | * otherwise the different base pointers mean the offsets aren't | |
4194 | * comparable. | |
48461135 JB |
4195 | */ |
4196 | if (BPF_SRC(insn->code) == BPF_X) { | |
f1174f77 EC |
4197 | if (dst_reg->type == SCALAR_VALUE && |
4198 | regs[insn->src_reg].type == SCALAR_VALUE) { | |
4199 | if (tnum_is_const(regs[insn->src_reg].var_off)) | |
f4d7e40a | 4200 | reg_set_min_max(&other_branch_regs[insn->dst_reg], |
f1174f77 EC |
4201 | dst_reg, regs[insn->src_reg].var_off.value, |
4202 | opcode); | |
4203 | else if (tnum_is_const(dst_reg->var_off)) | |
f4d7e40a | 4204 | reg_set_min_max_inv(&other_branch_regs[insn->src_reg], |
f1174f77 EC |
4205 | ®s[insn->src_reg], |
4206 | dst_reg->var_off.value, opcode); | |
4207 | else if (opcode == BPF_JEQ || opcode == BPF_JNE) | |
4208 | /* Comparing for equality, we can combine knowledge */ | |
f4d7e40a AS |
4209 | reg_combine_min_max(&other_branch_regs[insn->src_reg], |
4210 | &other_branch_regs[insn->dst_reg], | |
f1174f77 EC |
4211 | ®s[insn->src_reg], |
4212 | ®s[insn->dst_reg], opcode); | |
4213 | } | |
4214 | } else if (dst_reg->type == SCALAR_VALUE) { | |
f4d7e40a | 4215 | reg_set_min_max(&other_branch_regs[insn->dst_reg], |
48461135 JB |
4216 | dst_reg, insn->imm, opcode); |
4217 | } | |
4218 | ||
58e2af8b | 4219 | /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */ |
17a52670 | 4220 | if (BPF_SRC(insn->code) == BPF_K && |
1a0dc1ac | 4221 | insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && |
840b9615 JS |
4222 | reg_type_may_be_null(dst_reg->type)) { |
4223 | /* Mark all identical registers in each branch as either | |
57a09bf0 TG |
4224 | * safe or unknown depending R == 0 or R != 0 conditional. |
4225 | */ | |
840b9615 JS |
4226 | mark_ptr_or_null_regs(this_branch, insn->dst_reg, |
4227 | opcode == BPF_JNE); | |
4228 | mark_ptr_or_null_regs(other_branch, insn->dst_reg, | |
4229 | opcode == BPF_JEQ); | |
5beca081 DB |
4230 | } else if (!try_match_pkt_pointers(insn, dst_reg, ®s[insn->src_reg], |
4231 | this_branch, other_branch) && | |
4232 | is_pointer_value(env, insn->dst_reg)) { | |
61bd5218 JK |
4233 | verbose(env, "R%d pointer comparison prohibited\n", |
4234 | insn->dst_reg); | |
1be7f75d | 4235 | return -EACCES; |
17a52670 | 4236 | } |
61bd5218 | 4237 | if (env->log.level) |
f4d7e40a | 4238 | print_verifier_state(env, this_branch->frame[this_branch->curframe]); |
17a52670 AS |
4239 | return 0; |
4240 | } | |
4241 | ||
0246e64d AS |
4242 | /* return the map pointer stored inside BPF_LD_IMM64 instruction */ |
4243 | static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn) | |
4244 | { | |
4245 | u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32; | |
4246 | ||
4247 | return (struct bpf_map *) (unsigned long) imm64; | |
4248 | } | |
4249 | ||
17a52670 | 4250 | /* verify BPF_LD_IMM64 instruction */ |
58e2af8b | 4251 | static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a52670 | 4252 | { |
638f5b90 | 4253 | struct bpf_reg_state *regs = cur_regs(env); |
17a52670 AS |
4254 | int err; |
4255 | ||
4256 | if (BPF_SIZE(insn->code) != BPF_DW) { | |
61bd5218 | 4257 | verbose(env, "invalid BPF_LD_IMM insn\n"); |
17a52670 AS |
4258 | return -EINVAL; |
4259 | } | |
4260 | if (insn->off != 0) { | |
61bd5218 | 4261 | verbose(env, "BPF_LD_IMM64 uses reserved fields\n"); |
17a52670 AS |
4262 | return -EINVAL; |
4263 | } | |
4264 | ||
dc503a8a | 4265 | err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a52670 AS |
4266 | if (err) |
4267 | return err; | |
4268 | ||
6b173873 | 4269 | if (insn->src_reg == 0) { |
6b173873 JK |
4270 | u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; |
4271 | ||
f1174f77 | 4272 | regs[insn->dst_reg].type = SCALAR_VALUE; |
b03c9f9f | 4273 | __mark_reg_known(®s[insn->dst_reg], imm); |
17a52670 | 4274 | return 0; |
6b173873 | 4275 | } |
17a52670 AS |
4276 | |
4277 | /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */ | |
4278 | BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD); | |
4279 | ||
4280 | regs[insn->dst_reg].type = CONST_PTR_TO_MAP; | |
4281 | regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn); | |
4282 | return 0; | |
4283 | } | |
4284 | ||
96be4325 DB |
4285 | static bool may_access_skb(enum bpf_prog_type type) |
4286 | { | |
4287 | switch (type) { | |
4288 | case BPF_PROG_TYPE_SOCKET_FILTER: | |
4289 | case BPF_PROG_TYPE_SCHED_CLS: | |
94caee8c | 4290 | case BPF_PROG_TYPE_SCHED_ACT: |
96be4325 DB |
4291 | return true; |
4292 | default: | |
4293 | return false; | |
4294 | } | |
4295 | } | |
4296 | ||
ddd872bc AS |
4297 | /* verify safety of LD_ABS|LD_IND instructions: |
4298 | * - they can only appear in the programs where ctx == skb | |
4299 | * - since they are wrappers of function calls, they scratch R1-R5 registers, | |
4300 | * preserve R6-R9, and store return value into R0 | |
4301 | * | |
4302 | * Implicit input: | |
4303 | * ctx == skb == R6 == CTX | |
4304 | * | |
4305 | * Explicit input: | |
4306 | * SRC == any register | |
4307 | * IMM == 32-bit immediate | |
4308 | * | |
4309 | * Output: | |
4310 | * R0 - 8/16/32-bit skb data converted to cpu endianness | |
4311 | */ | |
58e2af8b | 4312 | static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) |
ddd872bc | 4313 | { |
638f5b90 | 4314 | struct bpf_reg_state *regs = cur_regs(env); |
ddd872bc | 4315 | u8 mode = BPF_MODE(insn->code); |
ddd872bc AS |
4316 | int i, err; |
4317 | ||
24701ece | 4318 | if (!may_access_skb(env->prog->type)) { |
61bd5218 | 4319 | verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n"); |
ddd872bc AS |
4320 | return -EINVAL; |
4321 | } | |
4322 | ||
e0cea7ce DB |
4323 | if (!env->ops->gen_ld_abs) { |
4324 | verbose(env, "bpf verifier is misconfigured\n"); | |
4325 | return -EINVAL; | |
4326 | } | |
4327 | ||
f910cefa | 4328 | if (env->subprog_cnt > 1) { |
f4d7e40a AS |
4329 | /* when program has LD_ABS insn JITs and interpreter assume |
4330 | * that r1 == ctx == skb which is not the case for callees | |
4331 | * that can have arbitrary arguments. It's problematic | |
4332 | * for main prog as well since JITs would need to analyze | |
4333 | * all functions in order to make proper register save/restore | |
4334 | * decisions in the main prog. Hence disallow LD_ABS with calls | |
4335 | */ | |
4336 | verbose(env, "BPF_LD_[ABS|IND] instructions cannot be mixed with bpf-to-bpf calls\n"); | |
4337 | return -EINVAL; | |
4338 | } | |
4339 | ||
ddd872bc | 4340 | if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || |
d82bccc6 | 4341 | BPF_SIZE(insn->code) == BPF_DW || |
ddd872bc | 4342 | (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { |
61bd5218 | 4343 | verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n"); |
ddd872bc AS |
4344 | return -EINVAL; |
4345 | } | |
4346 | ||
4347 | /* check whether implicit source operand (register R6) is readable */ | |
dc503a8a | 4348 | err = check_reg_arg(env, BPF_REG_6, SRC_OP); |
ddd872bc AS |
4349 | if (err) |
4350 | return err; | |
4351 | ||
fd978bf7 JS |
4352 | /* Disallow usage of BPF_LD_[ABS|IND] with reference tracking, as |
4353 | * gen_ld_abs() may terminate the program at runtime, leading to | |
4354 | * reference leak. | |
4355 | */ | |
4356 | err = check_reference_leak(env); | |
4357 | if (err) { | |
4358 | verbose(env, "BPF_LD_[ABS|IND] cannot be mixed with socket references\n"); | |
4359 | return err; | |
4360 | } | |
4361 | ||
ddd872bc | 4362 | if (regs[BPF_REG_6].type != PTR_TO_CTX) { |
61bd5218 JK |
4363 | verbose(env, |
4364 | "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n"); | |
ddd872bc AS |
4365 | return -EINVAL; |
4366 | } | |
4367 | ||
4368 | if (mode == BPF_IND) { | |
4369 | /* check explicit source operand */ | |
dc503a8a | 4370 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
ddd872bc AS |
4371 | if (err) |
4372 | return err; | |
4373 | } | |
4374 | ||
4375 | /* reset caller saved regs to unreadable */ | |
dc503a8a | 4376 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
61bd5218 | 4377 | mark_reg_not_init(env, regs, caller_saved[i]); |
dc503a8a EC |
4378 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
4379 | } | |
ddd872bc AS |
4380 | |
4381 | /* mark destination R0 register as readable, since it contains | |
dc503a8a EC |
4382 | * the value fetched from the packet. |
4383 | * Already marked as written above. | |
ddd872bc | 4384 | */ |
61bd5218 | 4385 | mark_reg_unknown(env, regs, BPF_REG_0); |
ddd872bc AS |
4386 | return 0; |
4387 | } | |
4388 | ||
390ee7e2 AS |
4389 | static int check_return_code(struct bpf_verifier_env *env) |
4390 | { | |
4391 | struct bpf_reg_state *reg; | |
4392 | struct tnum range = tnum_range(0, 1); | |
4393 | ||
4394 | switch (env->prog->type) { | |
4395 | case BPF_PROG_TYPE_CGROUP_SKB: | |
4396 | case BPF_PROG_TYPE_CGROUP_SOCK: | |
4fbac77d | 4397 | case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: |
390ee7e2 | 4398 | case BPF_PROG_TYPE_SOCK_OPS: |
ebc614f6 | 4399 | case BPF_PROG_TYPE_CGROUP_DEVICE: |
390ee7e2 AS |
4400 | break; |
4401 | default: | |
4402 | return 0; | |
4403 | } | |
4404 | ||
638f5b90 | 4405 | reg = cur_regs(env) + BPF_REG_0; |
390ee7e2 | 4406 | if (reg->type != SCALAR_VALUE) { |
61bd5218 | 4407 | verbose(env, "At program exit the register R0 is not a known value (%s)\n", |
390ee7e2 AS |
4408 | reg_type_str[reg->type]); |
4409 | return -EINVAL; | |
4410 | } | |
4411 | ||
4412 | if (!tnum_in(range, reg->var_off)) { | |
61bd5218 | 4413 | verbose(env, "At program exit the register R0 "); |
390ee7e2 AS |
4414 | if (!tnum_is_unknown(reg->var_off)) { |
4415 | char tn_buf[48]; | |
4416 | ||
4417 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 | 4418 | verbose(env, "has value %s", tn_buf); |
390ee7e2 | 4419 | } else { |
61bd5218 | 4420 | verbose(env, "has unknown scalar value"); |
390ee7e2 | 4421 | } |
61bd5218 | 4422 | verbose(env, " should have been 0 or 1\n"); |
390ee7e2 AS |
4423 | return -EINVAL; |
4424 | } | |
4425 | return 0; | |
4426 | } | |
4427 | ||
475fb78f AS |
4428 | /* non-recursive DFS pseudo code |
4429 | * 1 procedure DFS-iterative(G,v): | |
4430 | * 2 label v as discovered | |
4431 | * 3 let S be a stack | |
4432 | * 4 S.push(v) | |
4433 | * 5 while S is not empty | |
4434 | * 6 t <- S.pop() | |
4435 | * 7 if t is what we're looking for: | |
4436 | * 8 return t | |
4437 | * 9 for all edges e in G.adjacentEdges(t) do | |
4438 | * 10 if edge e is already labelled | |
4439 | * 11 continue with the next edge | |
4440 | * 12 w <- G.adjacentVertex(t,e) | |
4441 | * 13 if vertex w is not discovered and not explored | |
4442 | * 14 label e as tree-edge | |
4443 | * 15 label w as discovered | |
4444 | * 16 S.push(w) | |
4445 | * 17 continue at 5 | |
4446 | * 18 else if vertex w is discovered | |
4447 | * 19 label e as back-edge | |
4448 | * 20 else | |
4449 | * 21 // vertex w is explored | |
4450 | * 22 label e as forward- or cross-edge | |
4451 | * 23 label t as explored | |
4452 | * 24 S.pop() | |
4453 | * | |
4454 | * convention: | |
4455 | * 0x10 - discovered | |
4456 | * 0x11 - discovered and fall-through edge labelled | |
4457 | * 0x12 - discovered and fall-through and branch edges labelled | |
4458 | * 0x20 - explored | |
4459 | */ | |
4460 | ||
4461 | enum { | |
4462 | DISCOVERED = 0x10, | |
4463 | EXPLORED = 0x20, | |
4464 | FALLTHROUGH = 1, | |
4465 | BRANCH = 2, | |
4466 | }; | |
4467 | ||
58e2af8b | 4468 | #define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L) |
f1bca824 | 4469 | |
475fb78f AS |
4470 | static int *insn_stack; /* stack of insns to process */ |
4471 | static int cur_stack; /* current stack index */ | |
4472 | static int *insn_state; | |
4473 | ||
4474 | /* t, w, e - match pseudo-code above: | |
4475 | * t - index of current instruction | |
4476 | * w - next instruction | |
4477 | * e - edge | |
4478 | */ | |
58e2af8b | 4479 | static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) |
475fb78f AS |
4480 | { |
4481 | if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH)) | |
4482 | return 0; | |
4483 | ||
4484 | if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH)) | |
4485 | return 0; | |
4486 | ||
4487 | if (w < 0 || w >= env->prog->len) { | |
61bd5218 | 4488 | verbose(env, "jump out of range from insn %d to %d\n", t, w); |
475fb78f AS |
4489 | return -EINVAL; |
4490 | } | |
4491 | ||
f1bca824 AS |
4492 | if (e == BRANCH) |
4493 | /* mark branch target for state pruning */ | |
4494 | env->explored_states[w] = STATE_LIST_MARK; | |
4495 | ||
475fb78f AS |
4496 | if (insn_state[w] == 0) { |
4497 | /* tree-edge */ | |
4498 | insn_state[t] = DISCOVERED | e; | |
4499 | insn_state[w] = DISCOVERED; | |
4500 | if (cur_stack >= env->prog->len) | |
4501 | return -E2BIG; | |
4502 | insn_stack[cur_stack++] = w; | |
4503 | return 1; | |
4504 | } else if ((insn_state[w] & 0xF0) == DISCOVERED) { | |
61bd5218 | 4505 | verbose(env, "back-edge from insn %d to %d\n", t, w); |
475fb78f AS |
4506 | return -EINVAL; |
4507 | } else if (insn_state[w] == EXPLORED) { | |
4508 | /* forward- or cross-edge */ | |
4509 | insn_state[t] = DISCOVERED | e; | |
4510 | } else { | |
61bd5218 | 4511 | verbose(env, "insn state internal bug\n"); |
475fb78f AS |
4512 | return -EFAULT; |
4513 | } | |
4514 | return 0; | |
4515 | } | |
4516 | ||
4517 | /* non-recursive depth-first-search to detect loops in BPF program | |
4518 | * loop == back-edge in directed graph | |
4519 | */ | |
58e2af8b | 4520 | static int check_cfg(struct bpf_verifier_env *env) |
475fb78f AS |
4521 | { |
4522 | struct bpf_insn *insns = env->prog->insnsi; | |
4523 | int insn_cnt = env->prog->len; | |
4524 | int ret = 0; | |
4525 | int i, t; | |
4526 | ||
cc8b0b92 AS |
4527 | ret = check_subprogs(env); |
4528 | if (ret < 0) | |
4529 | return ret; | |
4530 | ||
475fb78f AS |
4531 | insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); |
4532 | if (!insn_state) | |
4533 | return -ENOMEM; | |
4534 | ||
4535 | insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); | |
4536 | if (!insn_stack) { | |
4537 | kfree(insn_state); | |
4538 | return -ENOMEM; | |
4539 | } | |
4540 | ||
4541 | insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */ | |
4542 | insn_stack[0] = 0; /* 0 is the first instruction */ | |
4543 | cur_stack = 1; | |
4544 | ||
4545 | peek_stack: | |
4546 | if (cur_stack == 0) | |
4547 | goto check_state; | |
4548 | t = insn_stack[cur_stack - 1]; | |
4549 | ||
4550 | if (BPF_CLASS(insns[t].code) == BPF_JMP) { | |
4551 | u8 opcode = BPF_OP(insns[t].code); | |
4552 | ||
4553 | if (opcode == BPF_EXIT) { | |
4554 | goto mark_explored; | |
4555 | } else if (opcode == BPF_CALL) { | |
4556 | ret = push_insn(t, t + 1, FALLTHROUGH, env); | |
4557 | if (ret == 1) | |
4558 | goto peek_stack; | |
4559 | else if (ret < 0) | |
4560 | goto err_free; | |
07016151 DB |
4561 | if (t + 1 < insn_cnt) |
4562 | env->explored_states[t + 1] = STATE_LIST_MARK; | |
cc8b0b92 AS |
4563 | if (insns[t].src_reg == BPF_PSEUDO_CALL) { |
4564 | env->explored_states[t] = STATE_LIST_MARK; | |
4565 | ret = push_insn(t, t + insns[t].imm + 1, BRANCH, env); | |
4566 | if (ret == 1) | |
4567 | goto peek_stack; | |
4568 | else if (ret < 0) | |
4569 | goto err_free; | |
4570 | } | |
475fb78f AS |
4571 | } else if (opcode == BPF_JA) { |
4572 | if (BPF_SRC(insns[t].code) != BPF_K) { | |
4573 | ret = -EINVAL; | |
4574 | goto err_free; | |
4575 | } | |
4576 | /* unconditional jump with single edge */ | |
4577 | ret = push_insn(t, t + insns[t].off + 1, | |
4578 | FALLTHROUGH, env); | |
4579 | if (ret == 1) | |
4580 | goto peek_stack; | |
4581 | else if (ret < 0) | |
4582 | goto err_free; | |
f1bca824 AS |
4583 | /* tell verifier to check for equivalent states |
4584 | * after every call and jump | |
4585 | */ | |
c3de6317 AS |
4586 | if (t + 1 < insn_cnt) |
4587 | env->explored_states[t + 1] = STATE_LIST_MARK; | |
475fb78f AS |
4588 | } else { |
4589 | /* conditional jump with two edges */ | |
3c2ce60b | 4590 | env->explored_states[t] = STATE_LIST_MARK; |
475fb78f AS |
4591 | ret = push_insn(t, t + 1, FALLTHROUGH, env); |
4592 | if (ret == 1) | |
4593 | goto peek_stack; | |
4594 | else if (ret < 0) | |
4595 | goto err_free; | |
4596 | ||
4597 | ret = push_insn(t, t + insns[t].off + 1, BRANCH, env); | |
4598 | if (ret == 1) | |
4599 | goto peek_stack; | |
4600 | else if (ret < 0) | |
4601 | goto err_free; | |
4602 | } | |
4603 | } else { | |
4604 | /* all other non-branch instructions with single | |
4605 | * fall-through edge | |
4606 | */ | |
4607 | ret = push_insn(t, t + 1, FALLTHROUGH, env); | |
4608 | if (ret == 1) | |
4609 | goto peek_stack; | |
4610 | else if (ret < 0) | |
4611 | goto err_free; | |
4612 | } | |
4613 | ||
4614 | mark_explored: | |
4615 | insn_state[t] = EXPLORED; | |
4616 | if (cur_stack-- <= 0) { | |
61bd5218 | 4617 | verbose(env, "pop stack internal bug\n"); |
475fb78f AS |
4618 | ret = -EFAULT; |
4619 | goto err_free; | |
4620 | } | |
4621 | goto peek_stack; | |
4622 | ||
4623 | check_state: | |
4624 | for (i = 0; i < insn_cnt; i++) { | |
4625 | if (insn_state[i] != EXPLORED) { | |
61bd5218 | 4626 | verbose(env, "unreachable insn %d\n", i); |
475fb78f AS |
4627 | ret = -EINVAL; |
4628 | goto err_free; | |
4629 | } | |
4630 | } | |
4631 | ret = 0; /* cfg looks good */ | |
4632 | ||
4633 | err_free: | |
4634 | kfree(insn_state); | |
4635 | kfree(insn_stack); | |
4636 | return ret; | |
4637 | } | |
4638 | ||
838e9690 YS |
4639 | /* The minimum supported BTF func info size */ |
4640 | #define MIN_BPF_FUNCINFO_SIZE 8 | |
4641 | #define MAX_FUNCINFO_REC_SIZE 252 | |
4642 | ||
4643 | static int check_btf_func(struct bpf_prog *prog, struct bpf_verifier_env *env, | |
4644 | union bpf_attr *attr, union bpf_attr __user *uattr) | |
4645 | { | |
4646 | u32 i, nfuncs, urec_size, min_size, prev_offset; | |
4647 | u32 krec_size = sizeof(struct bpf_func_info); | |
ba64e7d8 | 4648 | struct bpf_func_info *krecord = NULL; |
838e9690 YS |
4649 | const struct btf_type *type; |
4650 | void __user *urecord; | |
4651 | struct btf *btf; | |
4652 | int ret = 0; | |
4653 | ||
4654 | nfuncs = attr->func_info_cnt; | |
4655 | if (!nfuncs) | |
4656 | return 0; | |
4657 | ||
4658 | if (nfuncs != env->subprog_cnt) { | |
4659 | verbose(env, "number of funcs in func_info doesn't match number of subprogs\n"); | |
4660 | return -EINVAL; | |
4661 | } | |
4662 | ||
4663 | urec_size = attr->func_info_rec_size; | |
4664 | if (urec_size < MIN_BPF_FUNCINFO_SIZE || | |
4665 | urec_size > MAX_FUNCINFO_REC_SIZE || | |
4666 | urec_size % sizeof(u32)) { | |
4667 | verbose(env, "invalid func info rec size %u\n", urec_size); | |
4668 | return -EINVAL; | |
4669 | } | |
4670 | ||
4671 | btf = btf_get_by_fd(attr->prog_btf_fd); | |
4672 | if (IS_ERR(btf)) { | |
4673 | verbose(env, "unable to get btf from fd\n"); | |
4674 | return PTR_ERR(btf); | |
4675 | } | |
4676 | ||
4677 | urecord = u64_to_user_ptr(attr->func_info); | |
4678 | min_size = min_t(u32, krec_size, urec_size); | |
4679 | ||
ba64e7d8 YS |
4680 | krecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN); |
4681 | if (!krecord) { | |
4682 | ret = -ENOMEM; | |
4683 | goto free_btf; | |
4684 | } | |
4685 | ||
838e9690 YS |
4686 | for (i = 0; i < nfuncs; i++) { |
4687 | ret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size); | |
4688 | if (ret) { | |
4689 | if (ret == -E2BIG) { | |
4690 | verbose(env, "nonzero tailing record in func info"); | |
4691 | /* set the size kernel expects so loader can zero | |
4692 | * out the rest of the record. | |
4693 | */ | |
4694 | if (put_user(min_size, &uattr->func_info_rec_size)) | |
4695 | ret = -EFAULT; | |
4696 | } | |
4697 | goto free_btf; | |
4698 | } | |
4699 | ||
ba64e7d8 | 4700 | if (copy_from_user(&krecord[i], urecord, min_size)) { |
838e9690 YS |
4701 | ret = -EFAULT; |
4702 | goto free_btf; | |
4703 | } | |
4704 | ||
d30d42e0 | 4705 | /* check insn_off */ |
838e9690 | 4706 | if (i == 0) { |
d30d42e0 | 4707 | if (krecord[i].insn_off) { |
838e9690 | 4708 | verbose(env, |
d30d42e0 MKL |
4709 | "nonzero insn_off %u for the first func info record", |
4710 | krecord[i].insn_off); | |
838e9690 YS |
4711 | ret = -EINVAL; |
4712 | goto free_btf; | |
4713 | } | |
d30d42e0 | 4714 | } else if (krecord[i].insn_off <= prev_offset) { |
838e9690 YS |
4715 | verbose(env, |
4716 | "same or smaller insn offset (%u) than previous func info record (%u)", | |
d30d42e0 | 4717 | krecord[i].insn_off, prev_offset); |
838e9690 YS |
4718 | ret = -EINVAL; |
4719 | goto free_btf; | |
4720 | } | |
4721 | ||
d30d42e0 | 4722 | if (env->subprog_info[i].start != krecord[i].insn_off) { |
838e9690 YS |
4723 | verbose(env, "func_info BTF section doesn't match subprog layout in BPF program\n"); |
4724 | ret = -EINVAL; | |
4725 | goto free_btf; | |
4726 | } | |
4727 | ||
4728 | /* check type_id */ | |
ba64e7d8 | 4729 | type = btf_type_by_id(btf, krecord[i].type_id); |
838e9690 YS |
4730 | if (!type || BTF_INFO_KIND(type->info) != BTF_KIND_FUNC) { |
4731 | verbose(env, "invalid type id %d in func info", | |
ba64e7d8 | 4732 | krecord[i].type_id); |
838e9690 YS |
4733 | ret = -EINVAL; |
4734 | goto free_btf; | |
4735 | } | |
4736 | ||
d30d42e0 | 4737 | prev_offset = krecord[i].insn_off; |
838e9690 YS |
4738 | urecord += urec_size; |
4739 | } | |
4740 | ||
4741 | prog->aux->btf = btf; | |
ba64e7d8 YS |
4742 | prog->aux->func_info = krecord; |
4743 | prog->aux->func_info_cnt = nfuncs; | |
838e9690 YS |
4744 | return 0; |
4745 | ||
4746 | free_btf: | |
4747 | btf_put(btf); | |
ba64e7d8 | 4748 | kvfree(krecord); |
838e9690 YS |
4749 | return ret; |
4750 | } | |
4751 | ||
ba64e7d8 YS |
4752 | static void adjust_btf_func(struct bpf_verifier_env *env) |
4753 | { | |
4754 | int i; | |
4755 | ||
4756 | if (!env->prog->aux->func_info) | |
4757 | return; | |
4758 | ||
4759 | for (i = 0; i < env->subprog_cnt; i++) | |
d30d42e0 | 4760 | env->prog->aux->func_info[i].insn_off = env->subprog_info[i].start; |
ba64e7d8 YS |
4761 | } |
4762 | ||
f1174f77 EC |
4763 | /* check %cur's range satisfies %old's */ |
4764 | static bool range_within(struct bpf_reg_state *old, | |
4765 | struct bpf_reg_state *cur) | |
4766 | { | |
b03c9f9f EC |
4767 | return old->umin_value <= cur->umin_value && |
4768 | old->umax_value >= cur->umax_value && | |
4769 | old->smin_value <= cur->smin_value && | |
4770 | old->smax_value >= cur->smax_value; | |
f1174f77 EC |
4771 | } |
4772 | ||
4773 | /* Maximum number of register states that can exist at once */ | |
4774 | #define ID_MAP_SIZE (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) | |
4775 | struct idpair { | |
4776 | u32 old; | |
4777 | u32 cur; | |
4778 | }; | |
4779 | ||
4780 | /* If in the old state two registers had the same id, then they need to have | |
4781 | * the same id in the new state as well. But that id could be different from | |
4782 | * the old state, so we need to track the mapping from old to new ids. | |
4783 | * Once we have seen that, say, a reg with old id 5 had new id 9, any subsequent | |
4784 | * regs with old id 5 must also have new id 9 for the new state to be safe. But | |
4785 | * regs with a different old id could still have new id 9, we don't care about | |
4786 | * that. | |
4787 | * So we look through our idmap to see if this old id has been seen before. If | |
4788 | * so, we require the new id to match; otherwise, we add the id pair to the map. | |
969bf05e | 4789 | */ |
f1174f77 | 4790 | static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap) |
969bf05e | 4791 | { |
f1174f77 | 4792 | unsigned int i; |
969bf05e | 4793 | |
f1174f77 EC |
4794 | for (i = 0; i < ID_MAP_SIZE; i++) { |
4795 | if (!idmap[i].old) { | |
4796 | /* Reached an empty slot; haven't seen this id before */ | |
4797 | idmap[i].old = old_id; | |
4798 | idmap[i].cur = cur_id; | |
4799 | return true; | |
4800 | } | |
4801 | if (idmap[i].old == old_id) | |
4802 | return idmap[i].cur == cur_id; | |
4803 | } | |
4804 | /* We ran out of idmap slots, which should be impossible */ | |
4805 | WARN_ON_ONCE(1); | |
4806 | return false; | |
4807 | } | |
4808 | ||
4809 | /* Returns true if (rold safe implies rcur safe) */ | |
1b688a19 EC |
4810 | static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur, |
4811 | struct idpair *idmap) | |
f1174f77 | 4812 | { |
f4d7e40a AS |
4813 | bool equal; |
4814 | ||
dc503a8a EC |
4815 | if (!(rold->live & REG_LIVE_READ)) |
4816 | /* explored state didn't use this */ | |
4817 | return true; | |
4818 | ||
679c782d | 4819 | equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0; |
f4d7e40a AS |
4820 | |
4821 | if (rold->type == PTR_TO_STACK) | |
4822 | /* two stack pointers are equal only if they're pointing to | |
4823 | * the same stack frame, since fp-8 in foo != fp-8 in bar | |
4824 | */ | |
4825 | return equal && rold->frameno == rcur->frameno; | |
4826 | ||
4827 | if (equal) | |
969bf05e AS |
4828 | return true; |
4829 | ||
f1174f77 EC |
4830 | if (rold->type == NOT_INIT) |
4831 | /* explored state can't have used this */ | |
969bf05e | 4832 | return true; |
f1174f77 EC |
4833 | if (rcur->type == NOT_INIT) |
4834 | return false; | |
4835 | switch (rold->type) { | |
4836 | case SCALAR_VALUE: | |
4837 | if (rcur->type == SCALAR_VALUE) { | |
4838 | /* new val must satisfy old val knowledge */ | |
4839 | return range_within(rold, rcur) && | |
4840 | tnum_in(rold->var_off, rcur->var_off); | |
4841 | } else { | |
179d1c56 JH |
4842 | /* We're trying to use a pointer in place of a scalar. |
4843 | * Even if the scalar was unbounded, this could lead to | |
4844 | * pointer leaks because scalars are allowed to leak | |
4845 | * while pointers are not. We could make this safe in | |
4846 | * special cases if root is calling us, but it's | |
4847 | * probably not worth the hassle. | |
f1174f77 | 4848 | */ |
179d1c56 | 4849 | return false; |
f1174f77 EC |
4850 | } |
4851 | case PTR_TO_MAP_VALUE: | |
1b688a19 EC |
4852 | /* If the new min/max/var_off satisfy the old ones and |
4853 | * everything else matches, we are OK. | |
4854 | * We don't care about the 'id' value, because nothing | |
4855 | * uses it for PTR_TO_MAP_VALUE (only for ..._OR_NULL) | |
4856 | */ | |
4857 | return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 && | |
4858 | range_within(rold, rcur) && | |
4859 | tnum_in(rold->var_off, rcur->var_off); | |
f1174f77 EC |
4860 | case PTR_TO_MAP_VALUE_OR_NULL: |
4861 | /* a PTR_TO_MAP_VALUE could be safe to use as a | |
4862 | * PTR_TO_MAP_VALUE_OR_NULL into the same map. | |
4863 | * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL- | |
4864 | * checked, doing so could have affected others with the same | |
4865 | * id, and we can't check for that because we lost the id when | |
4866 | * we converted to a PTR_TO_MAP_VALUE. | |
4867 | */ | |
4868 | if (rcur->type != PTR_TO_MAP_VALUE_OR_NULL) | |
4869 | return false; | |
4870 | if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id))) | |
4871 | return false; | |
4872 | /* Check our ids match any regs they're supposed to */ | |
4873 | return check_ids(rold->id, rcur->id, idmap); | |
de8f3a83 | 4874 | case PTR_TO_PACKET_META: |
f1174f77 | 4875 | case PTR_TO_PACKET: |
de8f3a83 | 4876 | if (rcur->type != rold->type) |
f1174f77 EC |
4877 | return false; |
4878 | /* We must have at least as much range as the old ptr | |
4879 | * did, so that any accesses which were safe before are | |
4880 | * still safe. This is true even if old range < old off, | |
4881 | * since someone could have accessed through (ptr - k), or | |
4882 | * even done ptr -= k in a register, to get a safe access. | |
4883 | */ | |
4884 | if (rold->range > rcur->range) | |
4885 | return false; | |
4886 | /* If the offsets don't match, we can't trust our alignment; | |
4887 | * nor can we be sure that we won't fall out of range. | |
4888 | */ | |
4889 | if (rold->off != rcur->off) | |
4890 | return false; | |
4891 | /* id relations must be preserved */ | |
4892 | if (rold->id && !check_ids(rold->id, rcur->id, idmap)) | |
4893 | return false; | |
4894 | /* new val must satisfy old val knowledge */ | |
4895 | return range_within(rold, rcur) && | |
4896 | tnum_in(rold->var_off, rcur->var_off); | |
4897 | case PTR_TO_CTX: | |
4898 | case CONST_PTR_TO_MAP: | |
f1174f77 | 4899 | case PTR_TO_PACKET_END: |
d58e468b | 4900 | case PTR_TO_FLOW_KEYS: |
c64b7983 JS |
4901 | case PTR_TO_SOCKET: |
4902 | case PTR_TO_SOCKET_OR_NULL: | |
f1174f77 EC |
4903 | /* Only valid matches are exact, which memcmp() above |
4904 | * would have accepted | |
4905 | */ | |
4906 | default: | |
4907 | /* Don't know what's going on, just say it's not safe */ | |
4908 | return false; | |
4909 | } | |
969bf05e | 4910 | |
f1174f77 EC |
4911 | /* Shouldn't get here; if we do, say it's not safe */ |
4912 | WARN_ON_ONCE(1); | |
969bf05e AS |
4913 | return false; |
4914 | } | |
4915 | ||
f4d7e40a AS |
4916 | static bool stacksafe(struct bpf_func_state *old, |
4917 | struct bpf_func_state *cur, | |
638f5b90 AS |
4918 | struct idpair *idmap) |
4919 | { | |
4920 | int i, spi; | |
4921 | ||
4922 | /* if explored stack has more populated slots than current stack | |
4923 | * such stacks are not equivalent | |
4924 | */ | |
4925 | if (old->allocated_stack > cur->allocated_stack) | |
4926 | return false; | |
4927 | ||
4928 | /* walk slots of the explored stack and ignore any additional | |
4929 | * slots in the current stack, since explored(safe) state | |
4930 | * didn't use them | |
4931 | */ | |
4932 | for (i = 0; i < old->allocated_stack; i++) { | |
4933 | spi = i / BPF_REG_SIZE; | |
4934 | ||
cc2b14d5 AS |
4935 | if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) |
4936 | /* explored state didn't use this */ | |
fd05e57b | 4937 | continue; |
cc2b14d5 | 4938 | |
638f5b90 AS |
4939 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) |
4940 | continue; | |
cc2b14d5 AS |
4941 | /* if old state was safe with misc data in the stack |
4942 | * it will be safe with zero-initialized stack. | |
4943 | * The opposite is not true | |
4944 | */ | |
4945 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC && | |
4946 | cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO) | |
4947 | continue; | |
638f5b90 AS |
4948 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] != |
4949 | cur->stack[spi].slot_type[i % BPF_REG_SIZE]) | |
4950 | /* Ex: old explored (safe) state has STACK_SPILL in | |
4951 | * this stack slot, but current has has STACK_MISC -> | |
4952 | * this verifier states are not equivalent, | |
4953 | * return false to continue verification of this path | |
4954 | */ | |
4955 | return false; | |
4956 | if (i % BPF_REG_SIZE) | |
4957 | continue; | |
4958 | if (old->stack[spi].slot_type[0] != STACK_SPILL) | |
4959 | continue; | |
4960 | if (!regsafe(&old->stack[spi].spilled_ptr, | |
4961 | &cur->stack[spi].spilled_ptr, | |
4962 | idmap)) | |
4963 | /* when explored and current stack slot are both storing | |
4964 | * spilled registers, check that stored pointers types | |
4965 | * are the same as well. | |
4966 | * Ex: explored safe path could have stored | |
4967 | * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8} | |
4968 | * but current path has stored: | |
4969 | * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16} | |
4970 | * such verifier states are not equivalent. | |
4971 | * return false to continue verification of this path | |
4972 | */ | |
4973 | return false; | |
4974 | } | |
4975 | return true; | |
4976 | } | |
4977 | ||
fd978bf7 JS |
4978 | static bool refsafe(struct bpf_func_state *old, struct bpf_func_state *cur) |
4979 | { | |
4980 | if (old->acquired_refs != cur->acquired_refs) | |
4981 | return false; | |
4982 | return !memcmp(old->refs, cur->refs, | |
4983 | sizeof(*old->refs) * old->acquired_refs); | |
4984 | } | |
4985 | ||
f1bca824 AS |
4986 | /* compare two verifier states |
4987 | * | |
4988 | * all states stored in state_list are known to be valid, since | |
4989 | * verifier reached 'bpf_exit' instruction through them | |
4990 | * | |
4991 | * this function is called when verifier exploring different branches of | |
4992 | * execution popped from the state stack. If it sees an old state that has | |
4993 | * more strict register state and more strict stack state then this execution | |
4994 | * branch doesn't need to be explored further, since verifier already | |
4995 | * concluded that more strict state leads to valid finish. | |
4996 | * | |
4997 | * Therefore two states are equivalent if register state is more conservative | |
4998 | * and explored stack state is more conservative than the current one. | |
4999 | * Example: | |
5000 | * explored current | |
5001 | * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC) | |
5002 | * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC) | |
5003 | * | |
5004 | * In other words if current stack state (one being explored) has more | |
5005 | * valid slots than old one that already passed validation, it means | |
5006 | * the verifier can stop exploring and conclude that current state is valid too | |
5007 | * | |
5008 | * Similarly with registers. If explored state has register type as invalid | |
5009 | * whereas register type in current state is meaningful, it means that | |
5010 | * the current state will reach 'bpf_exit' instruction safely | |
5011 | */ | |
f4d7e40a AS |
5012 | static bool func_states_equal(struct bpf_func_state *old, |
5013 | struct bpf_func_state *cur) | |
f1bca824 | 5014 | { |
f1174f77 EC |
5015 | struct idpair *idmap; |
5016 | bool ret = false; | |
f1bca824 AS |
5017 | int i; |
5018 | ||
f1174f77 EC |
5019 | idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL); |
5020 | /* If we failed to allocate the idmap, just say it's not safe */ | |
5021 | if (!idmap) | |
1a0dc1ac | 5022 | return false; |
f1174f77 EC |
5023 | |
5024 | for (i = 0; i < MAX_BPF_REG; i++) { | |
1b688a19 | 5025 | if (!regsafe(&old->regs[i], &cur->regs[i], idmap)) |
f1174f77 | 5026 | goto out_free; |
f1bca824 AS |
5027 | } |
5028 | ||
638f5b90 AS |
5029 | if (!stacksafe(old, cur, idmap)) |
5030 | goto out_free; | |
fd978bf7 JS |
5031 | |
5032 | if (!refsafe(old, cur)) | |
5033 | goto out_free; | |
f1174f77 EC |
5034 | ret = true; |
5035 | out_free: | |
5036 | kfree(idmap); | |
5037 | return ret; | |
f1bca824 AS |
5038 | } |
5039 | ||
f4d7e40a AS |
5040 | static bool states_equal(struct bpf_verifier_env *env, |
5041 | struct bpf_verifier_state *old, | |
5042 | struct bpf_verifier_state *cur) | |
5043 | { | |
5044 | int i; | |
5045 | ||
5046 | if (old->curframe != cur->curframe) | |
5047 | return false; | |
5048 | ||
5049 | /* for states to be equal callsites have to be the same | |
5050 | * and all frame states need to be equivalent | |
5051 | */ | |
5052 | for (i = 0; i <= old->curframe; i++) { | |
5053 | if (old->frame[i]->callsite != cur->frame[i]->callsite) | |
5054 | return false; | |
5055 | if (!func_states_equal(old->frame[i], cur->frame[i])) | |
5056 | return false; | |
5057 | } | |
5058 | return true; | |
5059 | } | |
5060 | ||
8e9cd9ce | 5061 | /* A write screens off any subsequent reads; but write marks come from the |
f4d7e40a AS |
5062 | * straight-line code between a state and its parent. When we arrive at an |
5063 | * equivalent state (jump target or such) we didn't arrive by the straight-line | |
5064 | * code, so read marks in the state must propagate to the parent regardless | |
5065 | * of the state's write marks. That's what 'parent == state->parent' comparison | |
679c782d | 5066 | * in mark_reg_read() is for. |
8e9cd9ce | 5067 | */ |
f4d7e40a AS |
5068 | static int propagate_liveness(struct bpf_verifier_env *env, |
5069 | const struct bpf_verifier_state *vstate, | |
5070 | struct bpf_verifier_state *vparent) | |
dc503a8a | 5071 | { |
f4d7e40a AS |
5072 | int i, frame, err = 0; |
5073 | struct bpf_func_state *state, *parent; | |
dc503a8a | 5074 | |
f4d7e40a AS |
5075 | if (vparent->curframe != vstate->curframe) { |
5076 | WARN(1, "propagate_live: parent frame %d current frame %d\n", | |
5077 | vparent->curframe, vstate->curframe); | |
5078 | return -EFAULT; | |
5079 | } | |
dc503a8a EC |
5080 | /* Propagate read liveness of registers... */ |
5081 | BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG); | |
5082 | /* We don't need to worry about FP liveness because it's read-only */ | |
5083 | for (i = 0; i < BPF_REG_FP; i++) { | |
f4d7e40a | 5084 | if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ) |
63f45f84 | 5085 | continue; |
f4d7e40a | 5086 | if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) { |
679c782d EC |
5087 | err = mark_reg_read(env, &vstate->frame[vstate->curframe]->regs[i], |
5088 | &vparent->frame[vstate->curframe]->regs[i]); | |
f4d7e40a AS |
5089 | if (err) |
5090 | return err; | |
dc503a8a EC |
5091 | } |
5092 | } | |
f4d7e40a | 5093 | |
dc503a8a | 5094 | /* ... and stack slots */ |
f4d7e40a AS |
5095 | for (frame = 0; frame <= vstate->curframe; frame++) { |
5096 | state = vstate->frame[frame]; | |
5097 | parent = vparent->frame[frame]; | |
5098 | for (i = 0; i < state->allocated_stack / BPF_REG_SIZE && | |
5099 | i < parent->allocated_stack / BPF_REG_SIZE; i++) { | |
f4d7e40a AS |
5100 | if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ) |
5101 | continue; | |
5102 | if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) | |
679c782d EC |
5103 | mark_reg_read(env, &state->stack[i].spilled_ptr, |
5104 | &parent->stack[i].spilled_ptr); | |
dc503a8a EC |
5105 | } |
5106 | } | |
f4d7e40a | 5107 | return err; |
dc503a8a EC |
5108 | } |
5109 | ||
58e2af8b | 5110 | static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) |
f1bca824 | 5111 | { |
58e2af8b JK |
5112 | struct bpf_verifier_state_list *new_sl; |
5113 | struct bpf_verifier_state_list *sl; | |
679c782d | 5114 | struct bpf_verifier_state *cur = env->cur_state, *new; |
f4d7e40a | 5115 | int i, j, err; |
f1bca824 AS |
5116 | |
5117 | sl = env->explored_states[insn_idx]; | |
5118 | if (!sl) | |
5119 | /* this 'insn_idx' instruction wasn't marked, so we will not | |
5120 | * be doing state search here | |
5121 | */ | |
5122 | return 0; | |
5123 | ||
5124 | while (sl != STATE_LIST_MARK) { | |
638f5b90 | 5125 | if (states_equal(env, &sl->state, cur)) { |
f1bca824 | 5126 | /* reached equivalent register/stack state, |
dc503a8a EC |
5127 | * prune the search. |
5128 | * Registers read by the continuation are read by us. | |
8e9cd9ce EC |
5129 | * If we have any write marks in env->cur_state, they |
5130 | * will prevent corresponding reads in the continuation | |
5131 | * from reaching our parent (an explored_state). Our | |
5132 | * own state will get the read marks recorded, but | |
5133 | * they'll be immediately forgotten as we're pruning | |
5134 | * this state and will pop a new one. | |
f1bca824 | 5135 | */ |
f4d7e40a AS |
5136 | err = propagate_liveness(env, &sl->state, cur); |
5137 | if (err) | |
5138 | return err; | |
f1bca824 | 5139 | return 1; |
dc503a8a | 5140 | } |
f1bca824 AS |
5141 | sl = sl->next; |
5142 | } | |
5143 | ||
5144 | /* there were no equivalent states, remember current one. | |
5145 | * technically the current state is not proven to be safe yet, | |
f4d7e40a AS |
5146 | * but it will either reach outer most bpf_exit (which means it's safe) |
5147 | * or it will be rejected. Since there are no loops, we won't be | |
5148 | * seeing this tuple (frame[0].callsite, frame[1].callsite, .. insn_idx) | |
5149 | * again on the way to bpf_exit | |
f1bca824 | 5150 | */ |
638f5b90 | 5151 | new_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL); |
f1bca824 AS |
5152 | if (!new_sl) |
5153 | return -ENOMEM; | |
5154 | ||
5155 | /* add new state to the head of linked list */ | |
679c782d EC |
5156 | new = &new_sl->state; |
5157 | err = copy_verifier_state(new, cur); | |
1969db47 | 5158 | if (err) { |
679c782d | 5159 | free_verifier_state(new, false); |
1969db47 AS |
5160 | kfree(new_sl); |
5161 | return err; | |
5162 | } | |
f1bca824 AS |
5163 | new_sl->next = env->explored_states[insn_idx]; |
5164 | env->explored_states[insn_idx] = new_sl; | |
dc503a8a | 5165 | /* connect new state to parentage chain */ |
679c782d EC |
5166 | for (i = 0; i < BPF_REG_FP; i++) |
5167 | cur_regs(env)[i].parent = &new->frame[new->curframe]->regs[i]; | |
8e9cd9ce EC |
5168 | /* clear write marks in current state: the writes we did are not writes |
5169 | * our child did, so they don't screen off its reads from us. | |
5170 | * (There are no read marks in current state, because reads always mark | |
5171 | * their parent and current state never has children yet. Only | |
5172 | * explored_states can get read marks.) | |
5173 | */ | |
dc503a8a | 5174 | for (i = 0; i < BPF_REG_FP; i++) |
f4d7e40a AS |
5175 | cur->frame[cur->curframe]->regs[i].live = REG_LIVE_NONE; |
5176 | ||
5177 | /* all stack frames are accessible from callee, clear them all */ | |
5178 | for (j = 0; j <= cur->curframe; j++) { | |
5179 | struct bpf_func_state *frame = cur->frame[j]; | |
679c782d | 5180 | struct bpf_func_state *newframe = new->frame[j]; |
f4d7e40a | 5181 | |
679c782d | 5182 | for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) { |
cc2b14d5 | 5183 | frame->stack[i].spilled_ptr.live = REG_LIVE_NONE; |
679c782d EC |
5184 | frame->stack[i].spilled_ptr.parent = |
5185 | &newframe->stack[i].spilled_ptr; | |
5186 | } | |
f4d7e40a | 5187 | } |
f1bca824 AS |
5188 | return 0; |
5189 | } | |
5190 | ||
c64b7983 JS |
5191 | /* Return true if it's OK to have the same insn return a different type. */ |
5192 | static bool reg_type_mismatch_ok(enum bpf_reg_type type) | |
5193 | { | |
5194 | switch (type) { | |
5195 | case PTR_TO_CTX: | |
5196 | case PTR_TO_SOCKET: | |
5197 | case PTR_TO_SOCKET_OR_NULL: | |
5198 | return false; | |
5199 | default: | |
5200 | return true; | |
5201 | } | |
5202 | } | |
5203 | ||
5204 | /* If an instruction was previously used with particular pointer types, then we | |
5205 | * need to be careful to avoid cases such as the below, where it may be ok | |
5206 | * for one branch accessing the pointer, but not ok for the other branch: | |
5207 | * | |
5208 | * R1 = sock_ptr | |
5209 | * goto X; | |
5210 | * ... | |
5211 | * R1 = some_other_valid_ptr; | |
5212 | * goto X; | |
5213 | * ... | |
5214 | * R2 = *(u32 *)(R1 + 0); | |
5215 | */ | |
5216 | static bool reg_type_mismatch(enum bpf_reg_type src, enum bpf_reg_type prev) | |
5217 | { | |
5218 | return src != prev && (!reg_type_mismatch_ok(src) || | |
5219 | !reg_type_mismatch_ok(prev)); | |
5220 | } | |
5221 | ||
58e2af8b | 5222 | static int do_check(struct bpf_verifier_env *env) |
17a52670 | 5223 | { |
638f5b90 | 5224 | struct bpf_verifier_state *state; |
17a52670 | 5225 | struct bpf_insn *insns = env->prog->insnsi; |
638f5b90 | 5226 | struct bpf_reg_state *regs; |
f4d7e40a | 5227 | int insn_cnt = env->prog->len, i; |
17a52670 AS |
5228 | int insn_idx, prev_insn_idx = 0; |
5229 | int insn_processed = 0; | |
5230 | bool do_print_state = false; | |
5231 | ||
638f5b90 AS |
5232 | state = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL); |
5233 | if (!state) | |
5234 | return -ENOMEM; | |
f4d7e40a | 5235 | state->curframe = 0; |
f4d7e40a AS |
5236 | state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL); |
5237 | if (!state->frame[0]) { | |
5238 | kfree(state); | |
5239 | return -ENOMEM; | |
5240 | } | |
5241 | env->cur_state = state; | |
5242 | init_func_state(env, state->frame[0], | |
5243 | BPF_MAIN_FUNC /* callsite */, | |
5244 | 0 /* frameno */, | |
5245 | 0 /* subprogno, zero == main subprog */); | |
17a52670 AS |
5246 | insn_idx = 0; |
5247 | for (;;) { | |
5248 | struct bpf_insn *insn; | |
5249 | u8 class; | |
5250 | int err; | |
5251 | ||
5252 | if (insn_idx >= insn_cnt) { | |
61bd5218 | 5253 | verbose(env, "invalid insn idx %d insn_cnt %d\n", |
17a52670 AS |
5254 | insn_idx, insn_cnt); |
5255 | return -EFAULT; | |
5256 | } | |
5257 | ||
5258 | insn = &insns[insn_idx]; | |
5259 | class = BPF_CLASS(insn->code); | |
5260 | ||
07016151 | 5261 | if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { |
61bd5218 JK |
5262 | verbose(env, |
5263 | "BPF program is too large. Processed %d insn\n", | |
17a52670 AS |
5264 | insn_processed); |
5265 | return -E2BIG; | |
5266 | } | |
5267 | ||
f1bca824 AS |
5268 | err = is_state_visited(env, insn_idx); |
5269 | if (err < 0) | |
5270 | return err; | |
5271 | if (err == 1) { | |
5272 | /* found equivalent state, can prune the search */ | |
61bd5218 | 5273 | if (env->log.level) { |
f1bca824 | 5274 | if (do_print_state) |
61bd5218 | 5275 | verbose(env, "\nfrom %d to %d: safe\n", |
f1bca824 AS |
5276 | prev_insn_idx, insn_idx); |
5277 | else | |
61bd5218 | 5278 | verbose(env, "%d: safe\n", insn_idx); |
f1bca824 AS |
5279 | } |
5280 | goto process_bpf_exit; | |
5281 | } | |
5282 | ||
3c2ce60b DB |
5283 | if (need_resched()) |
5284 | cond_resched(); | |
5285 | ||
61bd5218 JK |
5286 | if (env->log.level > 1 || (env->log.level && do_print_state)) { |
5287 | if (env->log.level > 1) | |
5288 | verbose(env, "%d:", insn_idx); | |
c5fc9692 | 5289 | else |
61bd5218 | 5290 | verbose(env, "\nfrom %d to %d:", |
c5fc9692 | 5291 | prev_insn_idx, insn_idx); |
f4d7e40a | 5292 | print_verifier_state(env, state->frame[state->curframe]); |
17a52670 AS |
5293 | do_print_state = false; |
5294 | } | |
5295 | ||
61bd5218 | 5296 | if (env->log.level) { |
7105e828 DB |
5297 | const struct bpf_insn_cbs cbs = { |
5298 | .cb_print = verbose, | |
abe08840 | 5299 | .private_data = env, |
7105e828 DB |
5300 | }; |
5301 | ||
61bd5218 | 5302 | verbose(env, "%d: ", insn_idx); |
abe08840 | 5303 | print_bpf_insn(&cbs, insn, env->allow_ptr_leaks); |
17a52670 AS |
5304 | } |
5305 | ||
cae1927c JK |
5306 | if (bpf_prog_is_dev_bound(env->prog->aux)) { |
5307 | err = bpf_prog_offload_verify_insn(env, insn_idx, | |
5308 | prev_insn_idx); | |
5309 | if (err) | |
5310 | return err; | |
5311 | } | |
13a27dfc | 5312 | |
638f5b90 | 5313 | regs = cur_regs(env); |
c131187d | 5314 | env->insn_aux_data[insn_idx].seen = true; |
fd978bf7 | 5315 | |
17a52670 | 5316 | if (class == BPF_ALU || class == BPF_ALU64) { |
1be7f75d | 5317 | err = check_alu_op(env, insn); |
17a52670 AS |
5318 | if (err) |
5319 | return err; | |
5320 | ||
5321 | } else if (class == BPF_LDX) { | |
3df126f3 | 5322 | enum bpf_reg_type *prev_src_type, src_reg_type; |
9bac3d6d AS |
5323 | |
5324 | /* check for reserved fields is already done */ | |
5325 | ||
17a52670 | 5326 | /* check src operand */ |
dc503a8a | 5327 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
5328 | if (err) |
5329 | return err; | |
5330 | ||
dc503a8a | 5331 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
17a52670 AS |
5332 | if (err) |
5333 | return err; | |
5334 | ||
725f9dcd AS |
5335 | src_reg_type = regs[insn->src_reg].type; |
5336 | ||
17a52670 AS |
5337 | /* check that memory (src_reg + off) is readable, |
5338 | * the state of dst_reg will be updated by this func | |
5339 | */ | |
31fd8581 | 5340 | err = check_mem_access(env, insn_idx, insn->src_reg, insn->off, |
17a52670 | 5341 | BPF_SIZE(insn->code), BPF_READ, |
ca369602 | 5342 | insn->dst_reg, false); |
17a52670 AS |
5343 | if (err) |
5344 | return err; | |
5345 | ||
3df126f3 JK |
5346 | prev_src_type = &env->insn_aux_data[insn_idx].ptr_type; |
5347 | ||
5348 | if (*prev_src_type == NOT_INIT) { | |
9bac3d6d AS |
5349 | /* saw a valid insn |
5350 | * dst_reg = *(u32 *)(src_reg + off) | |
3df126f3 | 5351 | * save type to validate intersecting paths |
9bac3d6d | 5352 | */ |
3df126f3 | 5353 | *prev_src_type = src_reg_type; |
9bac3d6d | 5354 | |
c64b7983 | 5355 | } else if (reg_type_mismatch(src_reg_type, *prev_src_type)) { |
9bac3d6d AS |
5356 | /* ABuser program is trying to use the same insn |
5357 | * dst_reg = *(u32*) (src_reg + off) | |
5358 | * with different pointer types: | |
5359 | * src_reg == ctx in one branch and | |
5360 | * src_reg == stack|map in some other branch. | |
5361 | * Reject it. | |
5362 | */ | |
61bd5218 | 5363 | verbose(env, "same insn cannot be used with different pointers\n"); |
9bac3d6d AS |
5364 | return -EINVAL; |
5365 | } | |
5366 | ||
17a52670 | 5367 | } else if (class == BPF_STX) { |
3df126f3 | 5368 | enum bpf_reg_type *prev_dst_type, dst_reg_type; |
d691f9e8 | 5369 | |
17a52670 | 5370 | if (BPF_MODE(insn->code) == BPF_XADD) { |
31fd8581 | 5371 | err = check_xadd(env, insn_idx, insn); |
17a52670 AS |
5372 | if (err) |
5373 | return err; | |
5374 | insn_idx++; | |
5375 | continue; | |
5376 | } | |
5377 | ||
17a52670 | 5378 | /* check src1 operand */ |
dc503a8a | 5379 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
5380 | if (err) |
5381 | return err; | |
5382 | /* check src2 operand */ | |
dc503a8a | 5383 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
5384 | if (err) |
5385 | return err; | |
5386 | ||
d691f9e8 AS |
5387 | dst_reg_type = regs[insn->dst_reg].type; |
5388 | ||
17a52670 | 5389 | /* check that memory (dst_reg + off) is writeable */ |
31fd8581 | 5390 | err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
17a52670 | 5391 | BPF_SIZE(insn->code), BPF_WRITE, |
ca369602 | 5392 | insn->src_reg, false); |
17a52670 AS |
5393 | if (err) |
5394 | return err; | |
5395 | ||
3df126f3 JK |
5396 | prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type; |
5397 | ||
5398 | if (*prev_dst_type == NOT_INIT) { | |
5399 | *prev_dst_type = dst_reg_type; | |
c64b7983 | 5400 | } else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) { |
61bd5218 | 5401 | verbose(env, "same insn cannot be used with different pointers\n"); |
d691f9e8 AS |
5402 | return -EINVAL; |
5403 | } | |
5404 | ||
17a52670 AS |
5405 | } else if (class == BPF_ST) { |
5406 | if (BPF_MODE(insn->code) != BPF_MEM || | |
5407 | insn->src_reg != BPF_REG_0) { | |
61bd5218 | 5408 | verbose(env, "BPF_ST uses reserved fields\n"); |
17a52670 AS |
5409 | return -EINVAL; |
5410 | } | |
5411 | /* check src operand */ | |
dc503a8a | 5412 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
5413 | if (err) |
5414 | return err; | |
5415 | ||
f37a8cb8 | 5416 | if (is_ctx_reg(env, insn->dst_reg)) { |
9d2be44a | 5417 | verbose(env, "BPF_ST stores into R%d %s is not allowed\n", |
2a159c6f DB |
5418 | insn->dst_reg, |
5419 | reg_type_str[reg_state(env, insn->dst_reg)->type]); | |
f37a8cb8 DB |
5420 | return -EACCES; |
5421 | } | |
5422 | ||
17a52670 | 5423 | /* check that memory (dst_reg + off) is writeable */ |
31fd8581 | 5424 | err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
17a52670 | 5425 | BPF_SIZE(insn->code), BPF_WRITE, |
ca369602 | 5426 | -1, false); |
17a52670 AS |
5427 | if (err) |
5428 | return err; | |
5429 | ||
5430 | } else if (class == BPF_JMP) { | |
5431 | u8 opcode = BPF_OP(insn->code); | |
5432 | ||
5433 | if (opcode == BPF_CALL) { | |
5434 | if (BPF_SRC(insn->code) != BPF_K || | |
5435 | insn->off != 0 || | |
f4d7e40a AS |
5436 | (insn->src_reg != BPF_REG_0 && |
5437 | insn->src_reg != BPF_PSEUDO_CALL) || | |
17a52670 | 5438 | insn->dst_reg != BPF_REG_0) { |
61bd5218 | 5439 | verbose(env, "BPF_CALL uses reserved fields\n"); |
17a52670 AS |
5440 | return -EINVAL; |
5441 | } | |
5442 | ||
f4d7e40a AS |
5443 | if (insn->src_reg == BPF_PSEUDO_CALL) |
5444 | err = check_func_call(env, insn, &insn_idx); | |
5445 | else | |
5446 | err = check_helper_call(env, insn->imm, insn_idx); | |
17a52670 AS |
5447 | if (err) |
5448 | return err; | |
5449 | ||
5450 | } else if (opcode == BPF_JA) { | |
5451 | if (BPF_SRC(insn->code) != BPF_K || | |
5452 | insn->imm != 0 || | |
5453 | insn->src_reg != BPF_REG_0 || | |
5454 | insn->dst_reg != BPF_REG_0) { | |
61bd5218 | 5455 | verbose(env, "BPF_JA uses reserved fields\n"); |
17a52670 AS |
5456 | return -EINVAL; |
5457 | } | |
5458 | ||
5459 | insn_idx += insn->off + 1; | |
5460 | continue; | |
5461 | ||
5462 | } else if (opcode == BPF_EXIT) { | |
5463 | if (BPF_SRC(insn->code) != BPF_K || | |
5464 | insn->imm != 0 || | |
5465 | insn->src_reg != BPF_REG_0 || | |
5466 | insn->dst_reg != BPF_REG_0) { | |
61bd5218 | 5467 | verbose(env, "BPF_EXIT uses reserved fields\n"); |
17a52670 AS |
5468 | return -EINVAL; |
5469 | } | |
5470 | ||
f4d7e40a AS |
5471 | if (state->curframe) { |
5472 | /* exit from nested function */ | |
5473 | prev_insn_idx = insn_idx; | |
5474 | err = prepare_func_exit(env, &insn_idx); | |
5475 | if (err) | |
5476 | return err; | |
5477 | do_print_state = true; | |
5478 | continue; | |
5479 | } | |
5480 | ||
fd978bf7 JS |
5481 | err = check_reference_leak(env); |
5482 | if (err) | |
5483 | return err; | |
5484 | ||
17a52670 AS |
5485 | /* eBPF calling convetion is such that R0 is used |
5486 | * to return the value from eBPF program. | |
5487 | * Make sure that it's readable at this time | |
5488 | * of bpf_exit, which means that program wrote | |
5489 | * something into it earlier | |
5490 | */ | |
dc503a8a | 5491 | err = check_reg_arg(env, BPF_REG_0, SRC_OP); |
17a52670 AS |
5492 | if (err) |
5493 | return err; | |
5494 | ||
1be7f75d | 5495 | if (is_pointer_value(env, BPF_REG_0)) { |
61bd5218 | 5496 | verbose(env, "R0 leaks addr as return value\n"); |
1be7f75d AS |
5497 | return -EACCES; |
5498 | } | |
5499 | ||
390ee7e2 AS |
5500 | err = check_return_code(env); |
5501 | if (err) | |
5502 | return err; | |
f1bca824 | 5503 | process_bpf_exit: |
638f5b90 AS |
5504 | err = pop_stack(env, &prev_insn_idx, &insn_idx); |
5505 | if (err < 0) { | |
5506 | if (err != -ENOENT) | |
5507 | return err; | |
17a52670 AS |
5508 | break; |
5509 | } else { | |
5510 | do_print_state = true; | |
5511 | continue; | |
5512 | } | |
5513 | } else { | |
5514 | err = check_cond_jmp_op(env, insn, &insn_idx); | |
5515 | if (err) | |
5516 | return err; | |
5517 | } | |
5518 | } else if (class == BPF_LD) { | |
5519 | u8 mode = BPF_MODE(insn->code); | |
5520 | ||
5521 | if (mode == BPF_ABS || mode == BPF_IND) { | |
ddd872bc AS |
5522 | err = check_ld_abs(env, insn); |
5523 | if (err) | |
5524 | return err; | |
5525 | ||
17a52670 AS |
5526 | } else if (mode == BPF_IMM) { |
5527 | err = check_ld_imm(env, insn); | |
5528 | if (err) | |
5529 | return err; | |
5530 | ||
5531 | insn_idx++; | |
c131187d | 5532 | env->insn_aux_data[insn_idx].seen = true; |
17a52670 | 5533 | } else { |
61bd5218 | 5534 | verbose(env, "invalid BPF_LD mode\n"); |
17a52670 AS |
5535 | return -EINVAL; |
5536 | } | |
5537 | } else { | |
61bd5218 | 5538 | verbose(env, "unknown insn class %d\n", class); |
17a52670 AS |
5539 | return -EINVAL; |
5540 | } | |
5541 | ||
5542 | insn_idx++; | |
5543 | } | |
5544 | ||
4bd95f4b DB |
5545 | verbose(env, "processed %d insns (limit %d), stack depth ", |
5546 | insn_processed, BPF_COMPLEXITY_LIMIT_INSNS); | |
f910cefa | 5547 | for (i = 0; i < env->subprog_cnt; i++) { |
9c8105bd | 5548 | u32 depth = env->subprog_info[i].stack_depth; |
f4d7e40a AS |
5549 | |
5550 | verbose(env, "%d", depth); | |
f910cefa | 5551 | if (i + 1 < env->subprog_cnt) |
f4d7e40a AS |
5552 | verbose(env, "+"); |
5553 | } | |
5554 | verbose(env, "\n"); | |
9c8105bd | 5555 | env->prog->aux->stack_depth = env->subprog_info[0].stack_depth; |
17a52670 AS |
5556 | return 0; |
5557 | } | |
5558 | ||
56f668df MKL |
5559 | static int check_map_prealloc(struct bpf_map *map) |
5560 | { | |
5561 | return (map->map_type != BPF_MAP_TYPE_HASH && | |
bcc6b1b7 MKL |
5562 | map->map_type != BPF_MAP_TYPE_PERCPU_HASH && |
5563 | map->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) || | |
56f668df MKL |
5564 | !(map->map_flags & BPF_F_NO_PREALLOC); |
5565 | } | |
5566 | ||
61bd5218 JK |
5567 | static int check_map_prog_compatibility(struct bpf_verifier_env *env, |
5568 | struct bpf_map *map, | |
fdc15d38 AS |
5569 | struct bpf_prog *prog) |
5570 | ||
5571 | { | |
56f668df MKL |
5572 | /* Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use |
5573 | * preallocated hash maps, since doing memory allocation | |
5574 | * in overflow_handler can crash depending on where nmi got | |
5575 | * triggered. | |
5576 | */ | |
5577 | if (prog->type == BPF_PROG_TYPE_PERF_EVENT) { | |
5578 | if (!check_map_prealloc(map)) { | |
61bd5218 | 5579 | verbose(env, "perf_event programs can only use preallocated hash map\n"); |
56f668df MKL |
5580 | return -EINVAL; |
5581 | } | |
5582 | if (map->inner_map_meta && | |
5583 | !check_map_prealloc(map->inner_map_meta)) { | |
61bd5218 | 5584 | verbose(env, "perf_event programs can only use preallocated inner hash map\n"); |
56f668df MKL |
5585 | return -EINVAL; |
5586 | } | |
fdc15d38 | 5587 | } |
a3884572 JK |
5588 | |
5589 | if ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) && | |
09728266 | 5590 | !bpf_offload_prog_map_match(prog, map)) { |
a3884572 JK |
5591 | verbose(env, "offload device mismatch between prog and map\n"); |
5592 | return -EINVAL; | |
5593 | } | |
5594 | ||
fdc15d38 AS |
5595 | return 0; |
5596 | } | |
5597 | ||
b741f163 RG |
5598 | static bool bpf_map_is_cgroup_storage(struct bpf_map *map) |
5599 | { | |
5600 | return (map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE || | |
5601 | map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE); | |
5602 | } | |
5603 | ||
0246e64d AS |
5604 | /* look for pseudo eBPF instructions that access map FDs and |
5605 | * replace them with actual map pointers | |
5606 | */ | |
58e2af8b | 5607 | static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) |
0246e64d AS |
5608 | { |
5609 | struct bpf_insn *insn = env->prog->insnsi; | |
5610 | int insn_cnt = env->prog->len; | |
fdc15d38 | 5611 | int i, j, err; |
0246e64d | 5612 | |
f1f7714e | 5613 | err = bpf_prog_calc_tag(env->prog); |
aafe6ae9 DB |
5614 | if (err) |
5615 | return err; | |
5616 | ||
0246e64d | 5617 | for (i = 0; i < insn_cnt; i++, insn++) { |
9bac3d6d | 5618 | if (BPF_CLASS(insn->code) == BPF_LDX && |
d691f9e8 | 5619 | (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { |
61bd5218 | 5620 | verbose(env, "BPF_LDX uses reserved fields\n"); |
9bac3d6d AS |
5621 | return -EINVAL; |
5622 | } | |
5623 | ||
d691f9e8 AS |
5624 | if (BPF_CLASS(insn->code) == BPF_STX && |
5625 | ((BPF_MODE(insn->code) != BPF_MEM && | |
5626 | BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { | |
61bd5218 | 5627 | verbose(env, "BPF_STX uses reserved fields\n"); |
d691f9e8 AS |
5628 | return -EINVAL; |
5629 | } | |
5630 | ||
0246e64d AS |
5631 | if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) { |
5632 | struct bpf_map *map; | |
5633 | struct fd f; | |
5634 | ||
5635 | if (i == insn_cnt - 1 || insn[1].code != 0 || | |
5636 | insn[1].dst_reg != 0 || insn[1].src_reg != 0 || | |
5637 | insn[1].off != 0) { | |
61bd5218 | 5638 | verbose(env, "invalid bpf_ld_imm64 insn\n"); |
0246e64d AS |
5639 | return -EINVAL; |
5640 | } | |
5641 | ||
5642 | if (insn->src_reg == 0) | |
5643 | /* valid generic load 64-bit imm */ | |
5644 | goto next_insn; | |
5645 | ||
5646 | if (insn->src_reg != BPF_PSEUDO_MAP_FD) { | |
61bd5218 JK |
5647 | verbose(env, |
5648 | "unrecognized bpf_ld_imm64 insn\n"); | |
0246e64d AS |
5649 | return -EINVAL; |
5650 | } | |
5651 | ||
5652 | f = fdget(insn->imm); | |
c2101297 | 5653 | map = __bpf_map_get(f); |
0246e64d | 5654 | if (IS_ERR(map)) { |
61bd5218 | 5655 | verbose(env, "fd %d is not pointing to valid bpf_map\n", |
0246e64d | 5656 | insn->imm); |
0246e64d AS |
5657 | return PTR_ERR(map); |
5658 | } | |
5659 | ||
61bd5218 | 5660 | err = check_map_prog_compatibility(env, map, env->prog); |
fdc15d38 AS |
5661 | if (err) { |
5662 | fdput(f); | |
5663 | return err; | |
5664 | } | |
5665 | ||
0246e64d AS |
5666 | /* store map pointer inside BPF_LD_IMM64 instruction */ |
5667 | insn[0].imm = (u32) (unsigned long) map; | |
5668 | insn[1].imm = ((u64) (unsigned long) map) >> 32; | |
5669 | ||
5670 | /* check whether we recorded this map already */ | |
5671 | for (j = 0; j < env->used_map_cnt; j++) | |
5672 | if (env->used_maps[j] == map) { | |
5673 | fdput(f); | |
5674 | goto next_insn; | |
5675 | } | |
5676 | ||
5677 | if (env->used_map_cnt >= MAX_USED_MAPS) { | |
5678 | fdput(f); | |
5679 | return -E2BIG; | |
5680 | } | |
5681 | ||
0246e64d AS |
5682 | /* hold the map. If the program is rejected by verifier, |
5683 | * the map will be released by release_maps() or it | |
5684 | * will be used by the valid program until it's unloaded | |
ab7f5bf0 | 5685 | * and all maps are released in free_used_maps() |
0246e64d | 5686 | */ |
92117d84 AS |
5687 | map = bpf_map_inc(map, false); |
5688 | if (IS_ERR(map)) { | |
5689 | fdput(f); | |
5690 | return PTR_ERR(map); | |
5691 | } | |
5692 | env->used_maps[env->used_map_cnt++] = map; | |
5693 | ||
b741f163 | 5694 | if (bpf_map_is_cgroup_storage(map) && |
de9cbbaa | 5695 | bpf_cgroup_storage_assign(env->prog, map)) { |
b741f163 | 5696 | verbose(env, "only one cgroup storage of each type is allowed\n"); |
de9cbbaa RG |
5697 | fdput(f); |
5698 | return -EBUSY; | |
5699 | } | |
5700 | ||
0246e64d AS |
5701 | fdput(f); |
5702 | next_insn: | |
5703 | insn++; | |
5704 | i++; | |
5e581dad DB |
5705 | continue; |
5706 | } | |
5707 | ||
5708 | /* Basic sanity check before we invest more work here. */ | |
5709 | if (!bpf_opcode_in_insntable(insn->code)) { | |
5710 | verbose(env, "unknown opcode %02x\n", insn->code); | |
5711 | return -EINVAL; | |
0246e64d AS |
5712 | } |
5713 | } | |
5714 | ||
5715 | /* now all pseudo BPF_LD_IMM64 instructions load valid | |
5716 | * 'struct bpf_map *' into a register instead of user map_fd. | |
5717 | * These pointers will be used later by verifier to validate map access. | |
5718 | */ | |
5719 | return 0; | |
5720 | } | |
5721 | ||
5722 | /* drop refcnt of maps used by the rejected program */ | |
58e2af8b | 5723 | static void release_maps(struct bpf_verifier_env *env) |
0246e64d | 5724 | { |
8bad74f9 | 5725 | enum bpf_cgroup_storage_type stype; |
0246e64d AS |
5726 | int i; |
5727 | ||
8bad74f9 RG |
5728 | for_each_cgroup_storage_type(stype) { |
5729 | if (!env->prog->aux->cgroup_storage[stype]) | |
5730 | continue; | |
de9cbbaa | 5731 | bpf_cgroup_storage_release(env->prog, |
8bad74f9 RG |
5732 | env->prog->aux->cgroup_storage[stype]); |
5733 | } | |
de9cbbaa | 5734 | |
0246e64d AS |
5735 | for (i = 0; i < env->used_map_cnt; i++) |
5736 | bpf_map_put(env->used_maps[i]); | |
5737 | } | |
5738 | ||
5739 | /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */ | |
58e2af8b | 5740 | static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env) |
0246e64d AS |
5741 | { |
5742 | struct bpf_insn *insn = env->prog->insnsi; | |
5743 | int insn_cnt = env->prog->len; | |
5744 | int i; | |
5745 | ||
5746 | for (i = 0; i < insn_cnt; i++, insn++) | |
5747 | if (insn->code == (BPF_LD | BPF_IMM | BPF_DW)) | |
5748 | insn->src_reg = 0; | |
5749 | } | |
5750 | ||
8041902d AS |
5751 | /* single env->prog->insni[off] instruction was replaced with the range |
5752 | * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying | |
5753 | * [0, off) and [off, end) to new locations, so the patched range stays zero | |
5754 | */ | |
5755 | static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, | |
5756 | u32 off, u32 cnt) | |
5757 | { | |
5758 | struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; | |
c131187d | 5759 | int i; |
8041902d AS |
5760 | |
5761 | if (cnt == 1) | |
5762 | return 0; | |
fad953ce KC |
5763 | new_data = vzalloc(array_size(prog_len, |
5764 | sizeof(struct bpf_insn_aux_data))); | |
8041902d AS |
5765 | if (!new_data) |
5766 | return -ENOMEM; | |
5767 | memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); | |
5768 | memcpy(new_data + off + cnt - 1, old_data + off, | |
5769 | sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); | |
c131187d AS |
5770 | for (i = off; i < off + cnt - 1; i++) |
5771 | new_data[i].seen = true; | |
8041902d AS |
5772 | env->insn_aux_data = new_data; |
5773 | vfree(old_data); | |
5774 | return 0; | |
5775 | } | |
5776 | ||
cc8b0b92 AS |
5777 | static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len) |
5778 | { | |
5779 | int i; | |
5780 | ||
5781 | if (len == 1) | |
5782 | return; | |
4cb3d99c JW |
5783 | /* NOTE: fake 'exit' subprog should be updated as well. */ |
5784 | for (i = 0; i <= env->subprog_cnt; i++) { | |
afd59424 | 5785 | if (env->subprog_info[i].start <= off) |
cc8b0b92 | 5786 | continue; |
9c8105bd | 5787 | env->subprog_info[i].start += len - 1; |
cc8b0b92 AS |
5788 | } |
5789 | } | |
5790 | ||
8041902d AS |
5791 | static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off, |
5792 | const struct bpf_insn *patch, u32 len) | |
5793 | { | |
5794 | struct bpf_prog *new_prog; | |
5795 | ||
5796 | new_prog = bpf_patch_insn_single(env->prog, off, patch, len); | |
5797 | if (!new_prog) | |
5798 | return NULL; | |
5799 | if (adjust_insn_aux_data(env, new_prog->len, off, len)) | |
5800 | return NULL; | |
cc8b0b92 | 5801 | adjust_subprog_starts(env, off, len); |
8041902d AS |
5802 | return new_prog; |
5803 | } | |
5804 | ||
2a5418a1 DB |
5805 | /* The verifier does more data flow analysis than llvm and will not |
5806 | * explore branches that are dead at run time. Malicious programs can | |
5807 | * have dead code too. Therefore replace all dead at-run-time code | |
5808 | * with 'ja -1'. | |
5809 | * | |
5810 | * Just nops are not optimal, e.g. if they would sit at the end of the | |
5811 | * program and through another bug we would manage to jump there, then | |
5812 | * we'd execute beyond program memory otherwise. Returning exception | |
5813 | * code also wouldn't work since we can have subprogs where the dead | |
5814 | * code could be located. | |
c131187d AS |
5815 | */ |
5816 | static void sanitize_dead_code(struct bpf_verifier_env *env) | |
5817 | { | |
5818 | struct bpf_insn_aux_data *aux_data = env->insn_aux_data; | |
2a5418a1 | 5819 | struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1); |
c131187d AS |
5820 | struct bpf_insn *insn = env->prog->insnsi; |
5821 | const int insn_cnt = env->prog->len; | |
5822 | int i; | |
5823 | ||
5824 | for (i = 0; i < insn_cnt; i++) { | |
5825 | if (aux_data[i].seen) | |
5826 | continue; | |
2a5418a1 | 5827 | memcpy(insn + i, &trap, sizeof(trap)); |
c131187d AS |
5828 | } |
5829 | } | |
5830 | ||
c64b7983 JS |
5831 | /* convert load instructions that access fields of a context type into a |
5832 | * sequence of instructions that access fields of the underlying structure: | |
5833 | * struct __sk_buff -> struct sk_buff | |
5834 | * struct bpf_sock_ops -> struct sock | |
9bac3d6d | 5835 | */ |
58e2af8b | 5836 | static int convert_ctx_accesses(struct bpf_verifier_env *env) |
9bac3d6d | 5837 | { |
00176a34 | 5838 | const struct bpf_verifier_ops *ops = env->ops; |
f96da094 | 5839 | int i, cnt, size, ctx_field_size, delta = 0; |
3df126f3 | 5840 | const int insn_cnt = env->prog->len; |
36bbef52 | 5841 | struct bpf_insn insn_buf[16], *insn; |
46f53a65 | 5842 | u32 target_size, size_default, off; |
9bac3d6d | 5843 | struct bpf_prog *new_prog; |
d691f9e8 | 5844 | enum bpf_access_type type; |
f96da094 | 5845 | bool is_narrower_load; |
9bac3d6d | 5846 | |
b09928b9 DB |
5847 | if (ops->gen_prologue || env->seen_direct_write) { |
5848 | if (!ops->gen_prologue) { | |
5849 | verbose(env, "bpf verifier is misconfigured\n"); | |
5850 | return -EINVAL; | |
5851 | } | |
36bbef52 DB |
5852 | cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, |
5853 | env->prog); | |
5854 | if (cnt >= ARRAY_SIZE(insn_buf)) { | |
61bd5218 | 5855 | verbose(env, "bpf verifier is misconfigured\n"); |
36bbef52 DB |
5856 | return -EINVAL; |
5857 | } else if (cnt) { | |
8041902d | 5858 | new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); |
36bbef52 DB |
5859 | if (!new_prog) |
5860 | return -ENOMEM; | |
8041902d | 5861 | |
36bbef52 | 5862 | env->prog = new_prog; |
3df126f3 | 5863 | delta += cnt - 1; |
36bbef52 DB |
5864 | } |
5865 | } | |
5866 | ||
c64b7983 | 5867 | if (bpf_prog_is_dev_bound(env->prog->aux)) |
9bac3d6d AS |
5868 | return 0; |
5869 | ||
3df126f3 | 5870 | insn = env->prog->insnsi + delta; |
36bbef52 | 5871 | |
9bac3d6d | 5872 | for (i = 0; i < insn_cnt; i++, insn++) { |
c64b7983 JS |
5873 | bpf_convert_ctx_access_t convert_ctx_access; |
5874 | ||
62c7989b DB |
5875 | if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) || |
5876 | insn->code == (BPF_LDX | BPF_MEM | BPF_H) || | |
5877 | insn->code == (BPF_LDX | BPF_MEM | BPF_W) || | |
ea2e7ce5 | 5878 | insn->code == (BPF_LDX | BPF_MEM | BPF_DW)) |
d691f9e8 | 5879 | type = BPF_READ; |
62c7989b DB |
5880 | else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) || |
5881 | insn->code == (BPF_STX | BPF_MEM | BPF_H) || | |
5882 | insn->code == (BPF_STX | BPF_MEM | BPF_W) || | |
ea2e7ce5 | 5883 | insn->code == (BPF_STX | BPF_MEM | BPF_DW)) |
d691f9e8 AS |
5884 | type = BPF_WRITE; |
5885 | else | |
9bac3d6d AS |
5886 | continue; |
5887 | ||
af86ca4e AS |
5888 | if (type == BPF_WRITE && |
5889 | env->insn_aux_data[i + delta].sanitize_stack_off) { | |
5890 | struct bpf_insn patch[] = { | |
5891 | /* Sanitize suspicious stack slot with zero. | |
5892 | * There are no memory dependencies for this store, | |
5893 | * since it's only using frame pointer and immediate | |
5894 | * constant of zero | |
5895 | */ | |
5896 | BPF_ST_MEM(BPF_DW, BPF_REG_FP, | |
5897 | env->insn_aux_data[i + delta].sanitize_stack_off, | |
5898 | 0), | |
5899 | /* the original STX instruction will immediately | |
5900 | * overwrite the same stack slot with appropriate value | |
5901 | */ | |
5902 | *insn, | |
5903 | }; | |
5904 | ||
5905 | cnt = ARRAY_SIZE(patch); | |
5906 | new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); | |
5907 | if (!new_prog) | |
5908 | return -ENOMEM; | |
5909 | ||
5910 | delta += cnt - 1; | |
5911 | env->prog = new_prog; | |
5912 | insn = new_prog->insnsi + i + delta; | |
5913 | continue; | |
5914 | } | |
5915 | ||
c64b7983 JS |
5916 | switch (env->insn_aux_data[i + delta].ptr_type) { |
5917 | case PTR_TO_CTX: | |
5918 | if (!ops->convert_ctx_access) | |
5919 | continue; | |
5920 | convert_ctx_access = ops->convert_ctx_access; | |
5921 | break; | |
5922 | case PTR_TO_SOCKET: | |
5923 | convert_ctx_access = bpf_sock_convert_ctx_access; | |
5924 | break; | |
5925 | default: | |
9bac3d6d | 5926 | continue; |
c64b7983 | 5927 | } |
9bac3d6d | 5928 | |
31fd8581 | 5929 | ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size; |
f96da094 | 5930 | size = BPF_LDST_BYTES(insn); |
31fd8581 YS |
5931 | |
5932 | /* If the read access is a narrower load of the field, | |
5933 | * convert to a 4/8-byte load, to minimum program type specific | |
5934 | * convert_ctx_access changes. If conversion is successful, | |
5935 | * we will apply proper mask to the result. | |
5936 | */ | |
f96da094 | 5937 | is_narrower_load = size < ctx_field_size; |
46f53a65 AI |
5938 | size_default = bpf_ctx_off_adjust_machine(ctx_field_size); |
5939 | off = insn->off; | |
31fd8581 | 5940 | if (is_narrower_load) { |
f96da094 DB |
5941 | u8 size_code; |
5942 | ||
5943 | if (type == BPF_WRITE) { | |
61bd5218 | 5944 | verbose(env, "bpf verifier narrow ctx access misconfigured\n"); |
f96da094 DB |
5945 | return -EINVAL; |
5946 | } | |
31fd8581 | 5947 | |
f96da094 | 5948 | size_code = BPF_H; |
31fd8581 YS |
5949 | if (ctx_field_size == 4) |
5950 | size_code = BPF_W; | |
5951 | else if (ctx_field_size == 8) | |
5952 | size_code = BPF_DW; | |
f96da094 | 5953 | |
bc23105c | 5954 | insn->off = off & ~(size_default - 1); |
31fd8581 YS |
5955 | insn->code = BPF_LDX | BPF_MEM | size_code; |
5956 | } | |
f96da094 DB |
5957 | |
5958 | target_size = 0; | |
c64b7983 JS |
5959 | cnt = convert_ctx_access(type, insn, insn_buf, env->prog, |
5960 | &target_size); | |
f96da094 DB |
5961 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) || |
5962 | (ctx_field_size && !target_size)) { | |
61bd5218 | 5963 | verbose(env, "bpf verifier is misconfigured\n"); |
9bac3d6d AS |
5964 | return -EINVAL; |
5965 | } | |
f96da094 DB |
5966 | |
5967 | if (is_narrower_load && size < target_size) { | |
46f53a65 AI |
5968 | u8 shift = (off & (size_default - 1)) * 8; |
5969 | ||
5970 | if (ctx_field_size <= 4) { | |
5971 | if (shift) | |
5972 | insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH, | |
5973 | insn->dst_reg, | |
5974 | shift); | |
31fd8581 | 5975 | insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, |
f96da094 | 5976 | (1 << size * 8) - 1); |
46f53a65 AI |
5977 | } else { |
5978 | if (shift) | |
5979 | insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH, | |
5980 | insn->dst_reg, | |
5981 | shift); | |
31fd8581 | 5982 | insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, |
f96da094 | 5983 | (1 << size * 8) - 1); |
46f53a65 | 5984 | } |
31fd8581 | 5985 | } |
9bac3d6d | 5986 | |
8041902d | 5987 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
9bac3d6d AS |
5988 | if (!new_prog) |
5989 | return -ENOMEM; | |
5990 | ||
3df126f3 | 5991 | delta += cnt - 1; |
9bac3d6d AS |
5992 | |
5993 | /* keep walking new program and skip insns we just inserted */ | |
5994 | env->prog = new_prog; | |
3df126f3 | 5995 | insn = new_prog->insnsi + i + delta; |
9bac3d6d AS |
5996 | } |
5997 | ||
5998 | return 0; | |
5999 | } | |
6000 | ||
1c2a088a AS |
6001 | static int jit_subprogs(struct bpf_verifier_env *env) |
6002 | { | |
6003 | struct bpf_prog *prog = env->prog, **func, *tmp; | |
6004 | int i, j, subprog_start, subprog_end = 0, len, subprog; | |
7105e828 | 6005 | struct bpf_insn *insn; |
1c2a088a AS |
6006 | void *old_bpf_func; |
6007 | int err = -ENOMEM; | |
6008 | ||
f910cefa | 6009 | if (env->subprog_cnt <= 1) |
1c2a088a AS |
6010 | return 0; |
6011 | ||
7105e828 | 6012 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { |
1c2a088a AS |
6013 | if (insn->code != (BPF_JMP | BPF_CALL) || |
6014 | insn->src_reg != BPF_PSEUDO_CALL) | |
6015 | continue; | |
c7a89784 DB |
6016 | /* Upon error here we cannot fall back to interpreter but |
6017 | * need a hard reject of the program. Thus -EFAULT is | |
6018 | * propagated in any case. | |
6019 | */ | |
1c2a088a AS |
6020 | subprog = find_subprog(env, i + insn->imm + 1); |
6021 | if (subprog < 0) { | |
6022 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", | |
6023 | i + insn->imm + 1); | |
6024 | return -EFAULT; | |
6025 | } | |
6026 | /* temporarily remember subprog id inside insn instead of | |
6027 | * aux_data, since next loop will split up all insns into funcs | |
6028 | */ | |
f910cefa | 6029 | insn->off = subprog; |
1c2a088a AS |
6030 | /* remember original imm in case JIT fails and fallback |
6031 | * to interpreter will be needed | |
6032 | */ | |
6033 | env->insn_aux_data[i].call_imm = insn->imm; | |
6034 | /* point imm to __bpf_call_base+1 from JITs point of view */ | |
6035 | insn->imm = 1; | |
6036 | } | |
6037 | ||
6396bb22 | 6038 | func = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL); |
1c2a088a | 6039 | if (!func) |
c7a89784 | 6040 | goto out_undo_insn; |
1c2a088a | 6041 | |
f910cefa | 6042 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a | 6043 | subprog_start = subprog_end; |
4cb3d99c | 6044 | subprog_end = env->subprog_info[i + 1].start; |
1c2a088a AS |
6045 | |
6046 | len = subprog_end - subprog_start; | |
6047 | func[i] = bpf_prog_alloc(bpf_prog_size(len), GFP_USER); | |
6048 | if (!func[i]) | |
6049 | goto out_free; | |
6050 | memcpy(func[i]->insnsi, &prog->insnsi[subprog_start], | |
6051 | len * sizeof(struct bpf_insn)); | |
4f74d809 | 6052 | func[i]->type = prog->type; |
1c2a088a | 6053 | func[i]->len = len; |
4f74d809 DB |
6054 | if (bpf_prog_calc_tag(func[i])) |
6055 | goto out_free; | |
1c2a088a | 6056 | func[i]->is_func = 1; |
ba64e7d8 YS |
6057 | func[i]->aux->func_idx = i; |
6058 | /* the btf and func_info will be freed only at prog->aux */ | |
6059 | func[i]->aux->btf = prog->aux->btf; | |
6060 | func[i]->aux->func_info = prog->aux->func_info; | |
6061 | ||
1c2a088a AS |
6062 | /* Use bpf_prog_F_tag to indicate functions in stack traces. |
6063 | * Long term would need debug info to populate names | |
6064 | */ | |
6065 | func[i]->aux->name[0] = 'F'; | |
9c8105bd | 6066 | func[i]->aux->stack_depth = env->subprog_info[i].stack_depth; |
1c2a088a AS |
6067 | func[i]->jit_requested = 1; |
6068 | func[i] = bpf_int_jit_compile(func[i]); | |
6069 | if (!func[i]->jited) { | |
6070 | err = -ENOTSUPP; | |
6071 | goto out_free; | |
6072 | } | |
6073 | cond_resched(); | |
6074 | } | |
6075 | /* at this point all bpf functions were successfully JITed | |
6076 | * now populate all bpf_calls with correct addresses and | |
6077 | * run last pass of JIT | |
6078 | */ | |
f910cefa | 6079 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
6080 | insn = func[i]->insnsi; |
6081 | for (j = 0; j < func[i]->len; j++, insn++) { | |
6082 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
6083 | insn->src_reg != BPF_PSEUDO_CALL) | |
6084 | continue; | |
6085 | subprog = insn->off; | |
1c2a088a AS |
6086 | insn->imm = (u64 (*)(u64, u64, u64, u64, u64)) |
6087 | func[subprog]->bpf_func - | |
6088 | __bpf_call_base; | |
6089 | } | |
2162fed4 SD |
6090 | |
6091 | /* we use the aux data to keep a list of the start addresses | |
6092 | * of the JITed images for each function in the program | |
6093 | * | |
6094 | * for some architectures, such as powerpc64, the imm field | |
6095 | * might not be large enough to hold the offset of the start | |
6096 | * address of the callee's JITed image from __bpf_call_base | |
6097 | * | |
6098 | * in such cases, we can lookup the start address of a callee | |
6099 | * by using its subprog id, available from the off field of | |
6100 | * the call instruction, as an index for this list | |
6101 | */ | |
6102 | func[i]->aux->func = func; | |
6103 | func[i]->aux->func_cnt = env->subprog_cnt; | |
1c2a088a | 6104 | } |
f910cefa | 6105 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
6106 | old_bpf_func = func[i]->bpf_func; |
6107 | tmp = bpf_int_jit_compile(func[i]); | |
6108 | if (tmp != func[i] || func[i]->bpf_func != old_bpf_func) { | |
6109 | verbose(env, "JIT doesn't support bpf-to-bpf calls\n"); | |
c7a89784 | 6110 | err = -ENOTSUPP; |
1c2a088a AS |
6111 | goto out_free; |
6112 | } | |
6113 | cond_resched(); | |
6114 | } | |
6115 | ||
6116 | /* finally lock prog and jit images for all functions and | |
6117 | * populate kallsysm | |
6118 | */ | |
f910cefa | 6119 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
6120 | bpf_prog_lock_ro(func[i]); |
6121 | bpf_prog_kallsyms_add(func[i]); | |
6122 | } | |
7105e828 DB |
6123 | |
6124 | /* Last step: make now unused interpreter insns from main | |
6125 | * prog consistent for later dump requests, so they can | |
6126 | * later look the same as if they were interpreted only. | |
6127 | */ | |
6128 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { | |
7105e828 DB |
6129 | if (insn->code != (BPF_JMP | BPF_CALL) || |
6130 | insn->src_reg != BPF_PSEUDO_CALL) | |
6131 | continue; | |
6132 | insn->off = env->insn_aux_data[i].call_imm; | |
6133 | subprog = find_subprog(env, i + insn->off + 1); | |
dbecd738 | 6134 | insn->imm = subprog; |
7105e828 DB |
6135 | } |
6136 | ||
1c2a088a AS |
6137 | prog->jited = 1; |
6138 | prog->bpf_func = func[0]->bpf_func; | |
6139 | prog->aux->func = func; | |
f910cefa | 6140 | prog->aux->func_cnt = env->subprog_cnt; |
1c2a088a AS |
6141 | return 0; |
6142 | out_free: | |
f910cefa | 6143 | for (i = 0; i < env->subprog_cnt; i++) |
1c2a088a AS |
6144 | if (func[i]) |
6145 | bpf_jit_free(func[i]); | |
6146 | kfree(func); | |
c7a89784 | 6147 | out_undo_insn: |
1c2a088a AS |
6148 | /* cleanup main prog to be interpreted */ |
6149 | prog->jit_requested = 0; | |
6150 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { | |
6151 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
6152 | insn->src_reg != BPF_PSEUDO_CALL) | |
6153 | continue; | |
6154 | insn->off = 0; | |
6155 | insn->imm = env->insn_aux_data[i].call_imm; | |
6156 | } | |
6157 | return err; | |
6158 | } | |
6159 | ||
1ea47e01 AS |
6160 | static int fixup_call_args(struct bpf_verifier_env *env) |
6161 | { | |
19d28fbd | 6162 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
1ea47e01 AS |
6163 | struct bpf_prog *prog = env->prog; |
6164 | struct bpf_insn *insn = prog->insnsi; | |
6165 | int i, depth; | |
19d28fbd | 6166 | #endif |
e4052d06 | 6167 | int err = 0; |
1ea47e01 | 6168 | |
e4052d06 QM |
6169 | if (env->prog->jit_requested && |
6170 | !bpf_prog_is_dev_bound(env->prog->aux)) { | |
19d28fbd DM |
6171 | err = jit_subprogs(env); |
6172 | if (err == 0) | |
1c2a088a | 6173 | return 0; |
c7a89784 DB |
6174 | if (err == -EFAULT) |
6175 | return err; | |
19d28fbd DM |
6176 | } |
6177 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON | |
1ea47e01 AS |
6178 | for (i = 0; i < prog->len; i++, insn++) { |
6179 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
6180 | insn->src_reg != BPF_PSEUDO_CALL) | |
6181 | continue; | |
6182 | depth = get_callee_stack_depth(env, insn, i); | |
6183 | if (depth < 0) | |
6184 | return depth; | |
6185 | bpf_patch_call_args(insn, depth); | |
6186 | } | |
19d28fbd DM |
6187 | err = 0; |
6188 | #endif | |
6189 | return err; | |
1ea47e01 AS |
6190 | } |
6191 | ||
79741b3b | 6192 | /* fixup insn->imm field of bpf_call instructions |
81ed18ab | 6193 | * and inline eligible helpers as explicit sequence of BPF instructions |
e245c5c6 AS |
6194 | * |
6195 | * this function is called after eBPF program passed verification | |
6196 | */ | |
79741b3b | 6197 | static int fixup_bpf_calls(struct bpf_verifier_env *env) |
e245c5c6 | 6198 | { |
79741b3b AS |
6199 | struct bpf_prog *prog = env->prog; |
6200 | struct bpf_insn *insn = prog->insnsi; | |
e245c5c6 | 6201 | const struct bpf_func_proto *fn; |
79741b3b | 6202 | const int insn_cnt = prog->len; |
09772d92 | 6203 | const struct bpf_map_ops *ops; |
c93552c4 | 6204 | struct bpf_insn_aux_data *aux; |
81ed18ab AS |
6205 | struct bpf_insn insn_buf[16]; |
6206 | struct bpf_prog *new_prog; | |
6207 | struct bpf_map *map_ptr; | |
6208 | int i, cnt, delta = 0; | |
e245c5c6 | 6209 | |
79741b3b | 6210 | for (i = 0; i < insn_cnt; i++, insn++) { |
f6b1b3bf DB |
6211 | if (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) || |
6212 | insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || | |
6213 | insn->code == (BPF_ALU | BPF_MOD | BPF_X) || | |
68fda450 | 6214 | insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { |
f6b1b3bf DB |
6215 | bool is64 = BPF_CLASS(insn->code) == BPF_ALU64; |
6216 | struct bpf_insn mask_and_div[] = { | |
6217 | BPF_MOV32_REG(insn->src_reg, insn->src_reg), | |
6218 | /* Rx div 0 -> 0 */ | |
6219 | BPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2), | |
6220 | BPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg), | |
6221 | BPF_JMP_IMM(BPF_JA, 0, 0, 1), | |
6222 | *insn, | |
6223 | }; | |
6224 | struct bpf_insn mask_and_mod[] = { | |
6225 | BPF_MOV32_REG(insn->src_reg, insn->src_reg), | |
6226 | /* Rx mod 0 -> Rx */ | |
6227 | BPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1), | |
6228 | *insn, | |
6229 | }; | |
6230 | struct bpf_insn *patchlet; | |
6231 | ||
6232 | if (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || | |
6233 | insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { | |
6234 | patchlet = mask_and_div + (is64 ? 1 : 0); | |
6235 | cnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0); | |
6236 | } else { | |
6237 | patchlet = mask_and_mod + (is64 ? 1 : 0); | |
6238 | cnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0); | |
6239 | } | |
6240 | ||
6241 | new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt); | |
68fda450 AS |
6242 | if (!new_prog) |
6243 | return -ENOMEM; | |
6244 | ||
6245 | delta += cnt - 1; | |
6246 | env->prog = prog = new_prog; | |
6247 | insn = new_prog->insnsi + i + delta; | |
6248 | continue; | |
6249 | } | |
6250 | ||
e0cea7ce DB |
6251 | if (BPF_CLASS(insn->code) == BPF_LD && |
6252 | (BPF_MODE(insn->code) == BPF_ABS || | |
6253 | BPF_MODE(insn->code) == BPF_IND)) { | |
6254 | cnt = env->ops->gen_ld_abs(insn, insn_buf); | |
6255 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { | |
6256 | verbose(env, "bpf verifier is misconfigured\n"); | |
6257 | return -EINVAL; | |
6258 | } | |
6259 | ||
6260 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); | |
6261 | if (!new_prog) | |
6262 | return -ENOMEM; | |
6263 | ||
6264 | delta += cnt - 1; | |
6265 | env->prog = prog = new_prog; | |
6266 | insn = new_prog->insnsi + i + delta; | |
6267 | continue; | |
6268 | } | |
6269 | ||
79741b3b AS |
6270 | if (insn->code != (BPF_JMP | BPF_CALL)) |
6271 | continue; | |
cc8b0b92 AS |
6272 | if (insn->src_reg == BPF_PSEUDO_CALL) |
6273 | continue; | |
e245c5c6 | 6274 | |
79741b3b AS |
6275 | if (insn->imm == BPF_FUNC_get_route_realm) |
6276 | prog->dst_needed = 1; | |
6277 | if (insn->imm == BPF_FUNC_get_prandom_u32) | |
6278 | bpf_user_rnd_init_once(); | |
9802d865 JB |
6279 | if (insn->imm == BPF_FUNC_override_return) |
6280 | prog->kprobe_override = 1; | |
79741b3b | 6281 | if (insn->imm == BPF_FUNC_tail_call) { |
7b9f6da1 DM |
6282 | /* If we tail call into other programs, we |
6283 | * cannot make any assumptions since they can | |
6284 | * be replaced dynamically during runtime in | |
6285 | * the program array. | |
6286 | */ | |
6287 | prog->cb_access = 1; | |
80a58d02 | 6288 | env->prog->aux->stack_depth = MAX_BPF_STACK; |
e647815a | 6289 | env->prog->aux->max_pkt_offset = MAX_PACKET_OFF; |
7b9f6da1 | 6290 | |
79741b3b AS |
6291 | /* mark bpf_tail_call as different opcode to avoid |
6292 | * conditional branch in the interpeter for every normal | |
6293 | * call and to prevent accidental JITing by JIT compiler | |
6294 | * that doesn't support bpf_tail_call yet | |
e245c5c6 | 6295 | */ |
79741b3b | 6296 | insn->imm = 0; |
71189fa9 | 6297 | insn->code = BPF_JMP | BPF_TAIL_CALL; |
b2157399 | 6298 | |
c93552c4 DB |
6299 | aux = &env->insn_aux_data[i + delta]; |
6300 | if (!bpf_map_ptr_unpriv(aux)) | |
6301 | continue; | |
6302 | ||
b2157399 AS |
6303 | /* instead of changing every JIT dealing with tail_call |
6304 | * emit two extra insns: | |
6305 | * if (index >= max_entries) goto out; | |
6306 | * index &= array->index_mask; | |
6307 | * to avoid out-of-bounds cpu speculation | |
6308 | */ | |
c93552c4 | 6309 | if (bpf_map_ptr_poisoned(aux)) { |
40950343 | 6310 | verbose(env, "tail_call abusing map_ptr\n"); |
b2157399 AS |
6311 | return -EINVAL; |
6312 | } | |
c93552c4 DB |
6313 | |
6314 | map_ptr = BPF_MAP_PTR(aux->map_state); | |
b2157399 AS |
6315 | insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3, |
6316 | map_ptr->max_entries, 2); | |
6317 | insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, | |
6318 | container_of(map_ptr, | |
6319 | struct bpf_array, | |
6320 | map)->index_mask); | |
6321 | insn_buf[2] = *insn; | |
6322 | cnt = 3; | |
6323 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); | |
6324 | if (!new_prog) | |
6325 | return -ENOMEM; | |
6326 | ||
6327 | delta += cnt - 1; | |
6328 | env->prog = prog = new_prog; | |
6329 | insn = new_prog->insnsi + i + delta; | |
79741b3b AS |
6330 | continue; |
6331 | } | |
e245c5c6 | 6332 | |
89c63074 | 6333 | /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup |
09772d92 DB |
6334 | * and other inlining handlers are currently limited to 64 bit |
6335 | * only. | |
89c63074 | 6336 | */ |
60b58afc | 6337 | if (prog->jit_requested && BITS_PER_LONG == 64 && |
09772d92 DB |
6338 | (insn->imm == BPF_FUNC_map_lookup_elem || |
6339 | insn->imm == BPF_FUNC_map_update_elem || | |
84430d42 DB |
6340 | insn->imm == BPF_FUNC_map_delete_elem || |
6341 | insn->imm == BPF_FUNC_map_push_elem || | |
6342 | insn->imm == BPF_FUNC_map_pop_elem || | |
6343 | insn->imm == BPF_FUNC_map_peek_elem)) { | |
c93552c4 DB |
6344 | aux = &env->insn_aux_data[i + delta]; |
6345 | if (bpf_map_ptr_poisoned(aux)) | |
6346 | goto patch_call_imm; | |
6347 | ||
6348 | map_ptr = BPF_MAP_PTR(aux->map_state); | |
09772d92 DB |
6349 | ops = map_ptr->ops; |
6350 | if (insn->imm == BPF_FUNC_map_lookup_elem && | |
6351 | ops->map_gen_lookup) { | |
6352 | cnt = ops->map_gen_lookup(map_ptr, insn_buf); | |
6353 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { | |
6354 | verbose(env, "bpf verifier is misconfigured\n"); | |
6355 | return -EINVAL; | |
6356 | } | |
81ed18ab | 6357 | |
09772d92 DB |
6358 | new_prog = bpf_patch_insn_data(env, i + delta, |
6359 | insn_buf, cnt); | |
6360 | if (!new_prog) | |
6361 | return -ENOMEM; | |
81ed18ab | 6362 | |
09772d92 DB |
6363 | delta += cnt - 1; |
6364 | env->prog = prog = new_prog; | |
6365 | insn = new_prog->insnsi + i + delta; | |
6366 | continue; | |
6367 | } | |
81ed18ab | 6368 | |
09772d92 DB |
6369 | BUILD_BUG_ON(!__same_type(ops->map_lookup_elem, |
6370 | (void *(*)(struct bpf_map *map, void *key))NULL)); | |
6371 | BUILD_BUG_ON(!__same_type(ops->map_delete_elem, | |
6372 | (int (*)(struct bpf_map *map, void *key))NULL)); | |
6373 | BUILD_BUG_ON(!__same_type(ops->map_update_elem, | |
6374 | (int (*)(struct bpf_map *map, void *key, void *value, | |
6375 | u64 flags))NULL)); | |
84430d42 DB |
6376 | BUILD_BUG_ON(!__same_type(ops->map_push_elem, |
6377 | (int (*)(struct bpf_map *map, void *value, | |
6378 | u64 flags))NULL)); | |
6379 | BUILD_BUG_ON(!__same_type(ops->map_pop_elem, | |
6380 | (int (*)(struct bpf_map *map, void *value))NULL)); | |
6381 | BUILD_BUG_ON(!__same_type(ops->map_peek_elem, | |
6382 | (int (*)(struct bpf_map *map, void *value))NULL)); | |
6383 | ||
09772d92 DB |
6384 | switch (insn->imm) { |
6385 | case BPF_FUNC_map_lookup_elem: | |
6386 | insn->imm = BPF_CAST_CALL(ops->map_lookup_elem) - | |
6387 | __bpf_call_base; | |
6388 | continue; | |
6389 | case BPF_FUNC_map_update_elem: | |
6390 | insn->imm = BPF_CAST_CALL(ops->map_update_elem) - | |
6391 | __bpf_call_base; | |
6392 | continue; | |
6393 | case BPF_FUNC_map_delete_elem: | |
6394 | insn->imm = BPF_CAST_CALL(ops->map_delete_elem) - | |
6395 | __bpf_call_base; | |
6396 | continue; | |
84430d42 DB |
6397 | case BPF_FUNC_map_push_elem: |
6398 | insn->imm = BPF_CAST_CALL(ops->map_push_elem) - | |
6399 | __bpf_call_base; | |
6400 | continue; | |
6401 | case BPF_FUNC_map_pop_elem: | |
6402 | insn->imm = BPF_CAST_CALL(ops->map_pop_elem) - | |
6403 | __bpf_call_base; | |
6404 | continue; | |
6405 | case BPF_FUNC_map_peek_elem: | |
6406 | insn->imm = BPF_CAST_CALL(ops->map_peek_elem) - | |
6407 | __bpf_call_base; | |
6408 | continue; | |
09772d92 | 6409 | } |
81ed18ab | 6410 | |
09772d92 | 6411 | goto patch_call_imm; |
81ed18ab AS |
6412 | } |
6413 | ||
6414 | patch_call_imm: | |
5e43f899 | 6415 | fn = env->ops->get_func_proto(insn->imm, env->prog); |
79741b3b AS |
6416 | /* all functions that have prototype and verifier allowed |
6417 | * programs to call them, must be real in-kernel functions | |
6418 | */ | |
6419 | if (!fn->func) { | |
61bd5218 JK |
6420 | verbose(env, |
6421 | "kernel subsystem misconfigured func %s#%d\n", | |
79741b3b AS |
6422 | func_id_name(insn->imm), insn->imm); |
6423 | return -EFAULT; | |
e245c5c6 | 6424 | } |
79741b3b | 6425 | insn->imm = fn->func - __bpf_call_base; |
e245c5c6 | 6426 | } |
e245c5c6 | 6427 | |
79741b3b AS |
6428 | return 0; |
6429 | } | |
e245c5c6 | 6430 | |
58e2af8b | 6431 | static void free_states(struct bpf_verifier_env *env) |
f1bca824 | 6432 | { |
58e2af8b | 6433 | struct bpf_verifier_state_list *sl, *sln; |
f1bca824 AS |
6434 | int i; |
6435 | ||
6436 | if (!env->explored_states) | |
6437 | return; | |
6438 | ||
6439 | for (i = 0; i < env->prog->len; i++) { | |
6440 | sl = env->explored_states[i]; | |
6441 | ||
6442 | if (sl) | |
6443 | while (sl != STATE_LIST_MARK) { | |
6444 | sln = sl->next; | |
1969db47 | 6445 | free_verifier_state(&sl->state, false); |
f1bca824 AS |
6446 | kfree(sl); |
6447 | sl = sln; | |
6448 | } | |
6449 | } | |
6450 | ||
6451 | kfree(env->explored_states); | |
6452 | } | |
6453 | ||
838e9690 YS |
6454 | int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, |
6455 | union bpf_attr __user *uattr) | |
51580e79 | 6456 | { |
58e2af8b | 6457 | struct bpf_verifier_env *env; |
b9193c1b | 6458 | struct bpf_verifier_log *log; |
51580e79 AS |
6459 | int ret = -EINVAL; |
6460 | ||
eba0c929 AB |
6461 | /* no program is valid */ |
6462 | if (ARRAY_SIZE(bpf_verifier_ops) == 0) | |
6463 | return -EINVAL; | |
6464 | ||
58e2af8b | 6465 | /* 'struct bpf_verifier_env' can be global, but since it's not small, |
cbd35700 AS |
6466 | * allocate/free it every time bpf_check() is called |
6467 | */ | |
58e2af8b | 6468 | env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
cbd35700 AS |
6469 | if (!env) |
6470 | return -ENOMEM; | |
61bd5218 | 6471 | log = &env->log; |
cbd35700 | 6472 | |
fad953ce KC |
6473 | env->insn_aux_data = |
6474 | vzalloc(array_size(sizeof(struct bpf_insn_aux_data), | |
6475 | (*prog)->len)); | |
3df126f3 JK |
6476 | ret = -ENOMEM; |
6477 | if (!env->insn_aux_data) | |
6478 | goto err_free_env; | |
9bac3d6d | 6479 | env->prog = *prog; |
00176a34 | 6480 | env->ops = bpf_verifier_ops[env->prog->type]; |
0246e64d | 6481 | |
cbd35700 AS |
6482 | /* grab the mutex to protect few globals used by verifier */ |
6483 | mutex_lock(&bpf_verifier_lock); | |
6484 | ||
6485 | if (attr->log_level || attr->log_buf || attr->log_size) { | |
6486 | /* user requested verbose verifier output | |
6487 | * and supplied buffer to store the verification trace | |
6488 | */ | |
e7bf8249 JK |
6489 | log->level = attr->log_level; |
6490 | log->ubuf = (char __user *) (unsigned long) attr->log_buf; | |
6491 | log->len_total = attr->log_size; | |
cbd35700 AS |
6492 | |
6493 | ret = -EINVAL; | |
e7bf8249 JK |
6494 | /* log attributes have to be sane */ |
6495 | if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 || | |
6496 | !log->level || !log->ubuf) | |
3df126f3 | 6497 | goto err_unlock; |
cbd35700 | 6498 | } |
1ad2f583 DB |
6499 | |
6500 | env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT); | |
6501 | if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) | |
e07b98d9 | 6502 | env->strict_alignment = true; |
e9ee9efc DM |
6503 | if (attr->prog_flags & BPF_F_ANY_ALIGNMENT) |
6504 | env->strict_alignment = false; | |
cbd35700 | 6505 | |
f4e3ec0d JK |
6506 | ret = replace_map_fd_with_map_ptr(env); |
6507 | if (ret < 0) | |
6508 | goto skip_full_check; | |
6509 | ||
cae1927c | 6510 | if (bpf_prog_is_dev_bound(env->prog->aux)) { |
a40a2632 | 6511 | ret = bpf_prog_offload_verifier_prep(env->prog); |
ab3f0063 | 6512 | if (ret) |
f4e3ec0d | 6513 | goto skip_full_check; |
ab3f0063 JK |
6514 | } |
6515 | ||
9bac3d6d | 6516 | env->explored_states = kcalloc(env->prog->len, |
58e2af8b | 6517 | sizeof(struct bpf_verifier_state_list *), |
f1bca824 AS |
6518 | GFP_USER); |
6519 | ret = -ENOMEM; | |
6520 | if (!env->explored_states) | |
6521 | goto skip_full_check; | |
6522 | ||
cc8b0b92 AS |
6523 | env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); |
6524 | ||
475fb78f AS |
6525 | ret = check_cfg(env); |
6526 | if (ret < 0) | |
6527 | goto skip_full_check; | |
6528 | ||
838e9690 YS |
6529 | ret = check_btf_func(env->prog, env, attr, uattr); |
6530 | if (ret < 0) | |
6531 | goto skip_full_check; | |
6532 | ||
17a52670 | 6533 | ret = do_check(env); |
8c01c4f8 CG |
6534 | if (env->cur_state) { |
6535 | free_verifier_state(env->cur_state, true); | |
6536 | env->cur_state = NULL; | |
6537 | } | |
cbd35700 | 6538 | |
c941ce9c QM |
6539 | if (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux)) |
6540 | ret = bpf_prog_offload_finalize(env); | |
6541 | ||
0246e64d | 6542 | skip_full_check: |
638f5b90 | 6543 | while (!pop_stack(env, NULL, NULL)); |
f1bca824 | 6544 | free_states(env); |
0246e64d | 6545 | |
c131187d AS |
6546 | if (ret == 0) |
6547 | sanitize_dead_code(env); | |
6548 | ||
70a87ffe AS |
6549 | if (ret == 0) |
6550 | ret = check_max_stack_depth(env); | |
6551 | ||
9bac3d6d AS |
6552 | if (ret == 0) |
6553 | /* program is valid, convert *(u32*)(ctx + off) accesses */ | |
6554 | ret = convert_ctx_accesses(env); | |
6555 | ||
e245c5c6 | 6556 | if (ret == 0) |
79741b3b | 6557 | ret = fixup_bpf_calls(env); |
e245c5c6 | 6558 | |
1ea47e01 AS |
6559 | if (ret == 0) |
6560 | ret = fixup_call_args(env); | |
6561 | ||
a2a7d570 | 6562 | if (log->level && bpf_verifier_log_full(log)) |
cbd35700 | 6563 | ret = -ENOSPC; |
a2a7d570 | 6564 | if (log->level && !log->ubuf) { |
cbd35700 | 6565 | ret = -EFAULT; |
a2a7d570 | 6566 | goto err_release_maps; |
cbd35700 AS |
6567 | } |
6568 | ||
0246e64d AS |
6569 | if (ret == 0 && env->used_map_cnt) { |
6570 | /* if program passed verifier, update used_maps in bpf_prog_info */ | |
9bac3d6d AS |
6571 | env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt, |
6572 | sizeof(env->used_maps[0]), | |
6573 | GFP_KERNEL); | |
0246e64d | 6574 | |
9bac3d6d | 6575 | if (!env->prog->aux->used_maps) { |
0246e64d | 6576 | ret = -ENOMEM; |
a2a7d570 | 6577 | goto err_release_maps; |
0246e64d AS |
6578 | } |
6579 | ||
9bac3d6d | 6580 | memcpy(env->prog->aux->used_maps, env->used_maps, |
0246e64d | 6581 | sizeof(env->used_maps[0]) * env->used_map_cnt); |
9bac3d6d | 6582 | env->prog->aux->used_map_cnt = env->used_map_cnt; |
0246e64d AS |
6583 | |
6584 | /* program is valid. Convert pseudo bpf_ld_imm64 into generic | |
6585 | * bpf_ld_imm64 instructions | |
6586 | */ | |
6587 | convert_pseudo_ld_imm64(env); | |
6588 | } | |
cbd35700 | 6589 | |
ba64e7d8 YS |
6590 | if (ret == 0) |
6591 | adjust_btf_func(env); | |
6592 | ||
a2a7d570 | 6593 | err_release_maps: |
9bac3d6d | 6594 | if (!env->prog->aux->used_maps) |
0246e64d | 6595 | /* if we didn't copy map pointers into bpf_prog_info, release |
ab7f5bf0 | 6596 | * them now. Otherwise free_used_maps() will release them. |
0246e64d AS |
6597 | */ |
6598 | release_maps(env); | |
9bac3d6d | 6599 | *prog = env->prog; |
3df126f3 | 6600 | err_unlock: |
cbd35700 | 6601 | mutex_unlock(&bpf_verifier_lock); |
3df126f3 JK |
6602 | vfree(env->insn_aux_data); |
6603 | err_free_env: | |
6604 | kfree(env); | |
51580e79 AS |
6605 | return ret; |
6606 | } |